# CLAUDE.md This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. ## Overview This is a **Claude Code skills repository**. Skills are reusable tools that extend Claude Code's capabilities. Each skill lives in its own top-level directory. ## Skill Structure Each skill follows this convention: - **`/SKILL.md`** — Required. YAML frontmatter (`name`, `description`, optionally `version`, `allowed-tools`) MUST start on line 1. This is the entry point Claude Code reads when invoking the skill. - **`/CLAUDE.md`** — Optional. Maintainer / implementation notes kept out of the user-facing SKILL.md to reduce per-invocation token cost. - **`/scripts/`** — Optional. Implementation scripts (typically bash). Scripts use `set -euo pipefail` and the `die()` pattern for error handling. Invoke scripts via `bash scripts/.sh` so they work even when the executable bit did not survive deployment — but also `chmod +x` them on commit. - **`/references/`** — Optional. Supporting files such as YAML templates or long-form reference documentation. ## Parent / child skill pattern A skill may act as a router that delegates to siblings. The `gitea` skill is the canonical example: its `SKILL.md` describes the overall domain and dispatches to `gitea-tea` (CLI) and `gitea-wiki` (wiki) child skills. When adding a child skill, reference the parent in the child's `description` and keep the parent's routing table current. ## Current Skills - **`agent-setup`** — Validates `AGENT_HOME`, derives `GH_CONFIG_DIR=$AGENT_HOME/.github`, and exports both to a session dotfile (`~/.env`) for child shells / sibling skills. - **`github-app-token`** — Generates a short-lived GitHub App installation access token, writes it to `.gh-token` under `$GH_CONFIG_DIR` (preferred) or `$AGENT_HOME` (fallback), and authenticates the `gh` CLI. Requires `GITHUB_APP_ID`, `GITHUB_APP_INSTALLATION_ID`, and one of `GITHUB_APP_PEM` (inline PEM) or `GITHUB_APP_PEM_FILE` (path). Depends on `openssl`, `curl`, `jq`, `gh`. - **`gitea`** — Parent skill for Gitea SCM (repos, issues, PRs, releases, Actions, wiki). Routes to `gitea-tea` and `gitea-wiki`. Prefer this — and the `gitea` MCP server wired up in `.mcp.json` — over `gh`/GitHub for repos hosted on the team's Gitea instance. - **`gitea-tea`** — Terminal operations via the `tea` CLI. Always invoke non-interactively with `--output` and explicit args. - **`gitea-wiki`** — Wiki page CRUD via the `gitea-mcp` server (preferred) or REST API. `tea` has no wiki subcommands. - **`kubernetes-reflector`** — Documents Kubernetes Reflector annotations for mirroring secrets and configmaps across namespaces. Documentation only — no scripts. - **`minimax-image-generation`** — Generates images from MiniMax's `image-01` model via `/v1/image_generation`. Requires `MINIMAX_API_KEY`; `MINIMAX_API_BASE_URL` is optional. Depends on `curl`, `jq`, `base64`. - **`trebuchet`** — Drive the Trebuchet pentest API (start scans, poll status, retrieve findings). Scans run as K8s Jobs orchestrated by Temporal; typical duration ~36 min. ## MCP `.mcp.json` registers the `gitea` MCP server (`https://git-mcp.farh.net/mcp`) using `${GITEA_TOKEN}` as a bearer. Skills that work against Gitea should prefer MCP tools over shelling out where an equivalent MCP call exists. ## Key Patterns - Standard Unix tools only (`openssl`, `curl`, `jq`, `base64`). Any skill-specific runtime requirement (e.g. `gh`, `tea`) is declared in that skill's `SKILL.md`. - `die()` prints errors to stderr and exits non-zero. - Scripts validate required env vars up front and fail loudly rather than defaulting to `mktemp`/`/tmp` for anything secret. - `AGENT_HOME` / `GH_CONFIG_DIR` are the shared conventions for where session state (tokens, config) lives — new skills that persist credentials should write under one of these, not `$HOME`. ## No Build/Test/Lint System There is no centralized build, test, or lint tooling. Each skill is self-contained.