paulund/dev-implement
dev-implement/SKILL.md
Use when the user wants to implement a single AFK GitHub issue end-to-end with TDD. Stops after the implementation lands on the branch — does NOT open a PR or run the quality gate. Trigger phrases - "/dev-implement", "implement this issue", "ship issue N".
$ install --global
skillsauthnpx skillsauth add paulund/ai dev-implementInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 10, 2026, 5:08 AM148.8s1 file scanned
SKILL.md
- name:
- dev-implement
- description:
- Use when the user wants to implement a single AFK GitHub issue end-to-end with TDD. Stops after the implementation lands on the branch — does NOT open a PR or run the quality gate. Trigger phrases - "/dev-implement", "implement this issue", "ship issue N".
- category:
- dev
Dev Implement
Implement one issue with TDD on a branch and push the result. Scope ends at the push — opening the PR and verifying the build are separate jobs.
Inputs
When invoked with arguments, the first line of the prompt may carry a context envelope as JSON:
{ "issue": 582, "branch": "agent/issue-582-foo" }
issue— when set, work on this specific issue. When omitted, pick the next ready one (Step 1).branch— when set, the worktree is already on this branch andnode_modulesis ready. When omitted, set up a new branch frommain(Step 2).
Workflow
Step 1 — Pick the next issue (when issue is omitted)
gh issue list --label "planned,afk" --state open --json number,title,labels,body
Then verify blockers:
gh issue view <N> --json state
Rules:
- Skip any issue labelled
hitlorblocked. - Skip any issue whose
Blocked by #Nreferences resolve to an OPEN issue. - Pick highest priority (
p1>p2>p3). - If no issues match, stop cleanly and report the empty backlog.
Step 2 — Set up the branch (when branch is omitted)
- Check out the base branch (usually
main), pull latest. - Create a new branch:
agent/issue-<N>-<slug>. - Transition the issue: remove
planned, addin-progress.
Step 3 — Read the issue
gh issue view <N> --json number,title,body,labels
Read the body fully. The acceptance criteria drive the TDD cycles. If acceptance criteria are ambiguous, stop and add the hitl label — do not guess.
Step 4 — Implement with TDD
Write one TodoWrite covering all RED→GREEN→REFACTOR cycles you plan. Don't churn TodoWrite entries before the first test.
For each acceptance criterion:
- RED — write a test that captures the behaviour. Watch it fail for the right reason.
- GREEN — write the minimum code to pass. No extras.
- REFACTOR — clean up only if needed. Don't scope-creep.
Tests verify behaviour through public interfaces, not implementation details.
Step 5 — Commit and push (mandatory clean-tree gate)
Stage in logical groups. Commit messages should describe the why, not the what:
git add <files for one logical change>
git commit -m "<imperative summary>"
git push origin HEAD
Repeat per logical change. Anything you touched — including files modified during exploration that you decided to keep — must end up in a commit.
Pre-report verification — run this exact check before reporting Step 6:
git status --porcelain
The output must be empty. If it isn't:
- The branch is dirty. You have un-committed work.
- Decide for each path: keep it (commit it) or revert it (
git checkout -- <path>). - Re-run
git status --porcelain— repeat until empty. - Push:
git push origin HEAD.
Do not report success while git status --porcelain is non-empty. The next skill in the workflow (pr-open) will refuse to act on a dirty tree, and any orchestrator wrapping these skills will treat that refusal as a chain failure.
If you genuinely cannot decide what to do with a leftover modification (e.g. an unrelated drive-by edit), revert it. Drive-by edits don't belong in this issue's commits.
Step 6 — Report
Output a JSON summary so any caller can pick up the result:
{ "issue": <N>, "branch": "<branch>", "commits": <count>, "filesChanged": <count> }
Constraints
MUST DO
- Trust the input envelope when
issueandbranchare provided — never re-pick or re-checkout in that case. - Read the issue body fully before writing the first test.
- Write tests through public interfaces.
- Run
git status --porcelainbefore reporting and refuse to report success unless the output is empty. - Push before reporting completion.
- Keep commits scoped to the current issue — revert drive-by edits rather than smuggling them into the PR.
MUST NOT DO
- Open a PR — that is
pr-open's job. - Run
gh issue listorgit checkout main && git pullwhen bothissueandbranchare provided. - Pick
hitlorblockedissues when picking manually. - Add
hitlto the current issue without stopping the run — surface ambiguity, don't paper over it. - Run the quality gate — that's
quality-gate's job. - Spawn sub-agents for review — review skills are separate skills.
- Report success while the tree has uncommitted changes. Ever.
Related Skills
paulund/quality-gate
development
VerifiedTrustedCommunity
Use when the user wants to run the project's lint + types + build sequence as a gate before pushing, opening a PR, or merging. Invoked by chained dev skills between phases. Trigger phrases - "/quality-gate", "run the quality gate", "check it builds".
2SKILL.mdUpdated May 10, 2026
paulund/pr-verify
tools
VerifiedTrustedCommunity
Use when the user wants to verify a PR's feature works at runtime by booting the dev server, exercising the affected UI via Chrome DevTools MCP, and posting a screenshot summary back to the PR. Idempotent — skips if `verified` or `verify-failed` is already on the PR. Trigger phrases - "/pr-verify", "verify this PR", "runtime check the pr".
2SKILL.mdUpdated May 10, 2026
paulund/pr-security-review
testing
VerifiedTrustedCommunity
Use when the user wants a security-focused review pass on a PR with findings actioned as commits on the same branch. Trigger phrases - "/pr-security-review", "security review and fix".
2SKILL.mdUpdated May 10, 2026
paulund/pr-open
testing
VerifiedTrustedCommunity
Use when the user wants to open a pull request for an already-pushed branch that implements a specific issue. Idempotent — returns the existing PR if one is already open for the branch. Trigger phrases - "/pr-open", "open the pr", "create pr for this branch".
2SKILL.mdUpdated May 10, 2026