docs(fix-vulnerability skill): codify branch-per-advisory workflow

patriksimek · patriksimek · commit 64f354795a73 · 2026-05-13T01:13:57.000+09:00
Adds a pre-step-1 callout and restructures step 8 into 8a-8e covering:
- Isolation rationale (one branch per advisory; main is the integration line)
- Fork creation via the advisory endpoint
- Branch creation (new advisory vs follow-up on existing fork)
- Commit/push hygiene
- Integration into main at release time

Branch-per-advisory keeps embargoed fixes off main until publication and
makes conflicts surface deliberately at integration rather than hide
inside a stack of fix commits.
diff --git a/.claude/skills/fix-vulnerability/SKILL.md b/.claude/skills/fix-vulnerability/SKILL.md
@@ -51,6 +51,8 @@ Wear three hats simultaneously:
 
 ## Workflow
 
+> **Before step 1**: this skill assumes you are working **on a dedicated per-advisory branch**, not on `main`. See step 8a for why and step 8c for the setup commands. If the user invoked `/fix-vulnerability` while `git branch --show-current` returns `main`, your first action is to create and check out a fresh branch (`git checkout -b ghsa-<short-id> main`). Every subsequent step — repro test, multi-angle agents, instrumentation, doc updates, commits — happens on that branch. Local `main` stays clean and never carries an embargoed fix commit.
+
 ### 1. Orient
 
 Re-read `CLAUDE.md` and `docs/ATTACKS.md` cover-to-cover. CLAUDE.md has the file roles and architectural map; ATTACKS.md has the attack catalog, the [Defense Invariants](../../../docs/ATTACKS.md#defense-invariants), and the [Category Entry Format](../../../docs/ATTACKS.md#category-entry-format) you'll use later.
@@ -166,6 +168,21 @@ Apply the fix with minimal, self-contained diff. Comment every security-critical
 
 Each advisory gets its own **temporary private fork** at `patriksimek/vm2-ghsa-<short-id>`. This fork is what the reporter (added as a collaborator on the advisory) sees and reviews; **never** push the embargoed fix to `origin` (`patriksimek/vm2`) until the advisory is published.
 
+#### 8a. Isolation: one branch per advisory
+
+**Local `main` stays at the last public release commit** (`origin/main` tip) — it is the integration line, not a scratch branch. Every embargoed fix lives on its own branch tracking its own private fork. This is the load-bearing invariant of the multi-advisory workflow:
+
+- **Two open reports never see each other's commits** until the maintainer chooses to integrate them. No accidental cross-contamination in tests, comments, or commit messages.
+- **`/hacker`, `npm test`, and the multi-angle agents** for advisory A run against advisory A's checked-out branch only — they cannot stumble into an advisory-B mitigation that incidentally also blocks the bypass they were looking for.
+- **Conflict surfaces at integration time, not at commit time.** When two advisories both touched `lib/bridge.js`, the conflict is resolved deliberately in front of `npm test`, not hidden inside a stack of `fix(GHSA-…)` commits on `main`.
+- **Rollback is trivial.** If a reporter rejects the structural direction, `git checkout main && git branch -D ghsa-<short-id>` plus a force-push to the private fork undoes everything without disturbing `main` or other open advisories.
+
+**Switching between advisories** is `git checkout ghsa-<other-short-id>`. Commit or stash anything in flight first — uncommitted changes carry across branches in a single working directory.
+
+**Multi-angle exploration agents** (the three Generators spawned in step 5) still use `isolation: "worktree"` — each spawns its own temporary worktree off the current branch tip so it can edit and test in parallel without disturbing your work. Those worktrees are scratch space owned by the agents; clean them up after you've synthesized.
+
+#### 8b. Create the temporary private fork
+
 **Check whether a fork already exists** as a git remote pointing at the GHSA-specific repo:
 
 ```bash
@@ -185,19 +202,58 @@ git remote add ghsa-<short-id> git@github.com:patriksimek/vm2-ghsa-<GHSA-id>.git
 
 If the API call returns 202/Accepted, the fork is being created asynchronously — poll `gh api repos/patriksimek/vm2-ghsa-<GHSA-id>` until it returns 200 before pushing.
 
-**If the fork DOES exist** — this is a follow-up commit (e.g. reporter found a bypass, requested a tweak). Add an additional commit to the existing branch on that fork. Do not force-push or rebase prior commits the reporter has already reviewed.
+#### 8c. Create the per-advisory branch
 
-**Push the fix**:
+For a **new advisory** (fork is fresh, no commits beyond `main`):
 
 ```bash
-git push ghsa-<short-id> HEAD:main          # or a dedicated fix branch
+# From main, branch off and check out.
+git checkout main
+git checkout -b ghsa-<short-id>
 ```
 
+For a **follow-up on an advisory you've already pushed** (reporter found a bypass, asked for a tweak, or you're resuming after a context switch and deleted the local branch):
+
+```bash
+git fetch ghsa-<short-id>
+git checkout -b ghsa-<short-id> ghsa-<short-id>/main
+```
+
+The branch lives only locally and on the private fork's `main`. It is your working branch where you accumulate commits before pushing.
+
+#### 8d. Commit and push
+
+All edits, multi-angle agent worktrees spawned with `isolation: "worktree"` (those spawn off the current branch tip and stay isolated), repro tests, `npm test`, `/hacker` runs, ATTACKS.md updates, and CHANGELOG.md entries happen **on this branch**. Local `main` is never touched during embargoed work.
+
+When ready:
+
+```bash
+# From the advisory branch
+git push ghsa-<short-id> HEAD:main
+```
+
+**If the fork already has commits** (follow-up commit on a previously reviewed fix) — add a new commit on top. Do not force-push or rebase commits the reporter has already reviewed.
+
 **Disclosure hygiene**:
 - Do not push to `origin` or open a public PR.
 - Commit messages MAY reference the GHSA ID — the fork is private and visible only to maintainers + reporter.
 - Never reference reporter names or embargo dates in commits, code comments, or `CHANGELOG.md`.
 
+#### 8e. Integration into `main` (at release time, not during embargo)
+
+When the advisory is published and the next release is being cut, merge each ready advisory's branch into `main` in a deliberate integration pass:
+
+```bash
+git checkout main
+git merge --no-ff ghsa-<short-id>
+# Resolve any cross-advisory conflicts in lib/bridge.js etc.
+npm test
+# Run /hacker once more against the integrated tree.
+# Bump version in package.json, write CHANGELOG release header, then push origin.
+```
+
+Only after the public push do you delete the per-advisory branch (`git branch -d ghsa-<short-id>`) and (optionally) archive the private fork.
+
 ### 9. Post-commit summary
 
 After every commit (initial fix or follow-up), produce a **short** summary of what changed and post it to the advisory thread / share with the user. Keep it terse — the details live in the diff, the tests, and `ATTACKS.md`.
