Sync commands, rules: add push-env-key.sh, workflow-halt-on-error rule, update pr-address, pr-create, fix-workflow-first, answer-questions-first

Author: j0ntz

.cursor/commands/pr-address.md

@@ -12,23 +12,33 @@
 <rule id="resolution-source-of-truth">Only explicitly resolved threads (`isResolved: true`) or `<!-- addressed:... -->` markers count as resolved. Recency (commits after a comment) does NOT mean resolved.</rule>
 </rules>
 
-<step id="1" name="Fetch all unresolved feedback">
-Always fetch live from GitHub. The script returns all unresolved feedback — no recency filtering.
+<step id="1" name="Fetch all unresolved feedback and PR body">
+Always fetch live from GitHub. Run both in parallel:
 
 ```bash
+# Fetch unresolved feedback
 ~/.cursor/commands/pr-address.sh fetch --owner <OWNER> --repo <REPO> --pr <NUMBER>
+
+# Populate /tmp/pr-body.md from the live PR body (source of truth)
+~/.cursor/commands/pr-address.sh fetch-pr-body --owner <OWNER> --repo <REPO> --pr <NUMBER>
 ```
 
-If the script exits code 2 with `PROMPT_GH_AUTH`, prompt: "`gh` CLI is not authenticated. Please run: `gh auth login`"
+If either script exits code 2 with `PROMPT_GH_AUTH`, prompt: "`gh` CLI is not authenticated. Please run: `gh auth login`"
 
-The output contains:
+The `fetch` output contains:
 - **prAuthor**: The PR author's GitHub username
 - **currentUser**: Your GitHub username (the authenticated `gh` user)
 - **hasHumanReviewers**: `true` if any external human reviewer (not `currentUser`, not bots) has commented — used for autosquash decision
 - **humanReviewers**: List of external human reviewer usernames
 - **threads**: All unresolved inline review threads (includes comments from `currentUser` for context)
 - **reviewBodies**: Latest review body per non-author reviewer (excludes `prAuthor` and bots)
 - **topLevel**: Top-level comments (excludes `prAuthor` and bots)
+
+The `fetch-pr-body` call writes the current PR body to `/tmp/pr-body.md`. This file is available for editing throughout the session. If you need to update the PR body (e.g. to revise the description after addressing feedback), edit `/tmp/pr-body.md` via the Write tool and push it back:
+
+```bash
+gh pr edit <NUMBER> --body-file /tmp/pr-body.md
+```
 </step>
 
 <step id="2" name="Process all unresolved feedback">

.cursor/commands/pr-address.sh

@@ -10,6 +10,7 @@
 #   mark-addressed --owner <o> --repo <r> --pr <n> --type <review|comment> --target-id <id> --body <text>
 #   resolve-id     --owner <o> --repo <r> --pr <n> --node-id <id>
 #   headline       --owner <o> --repo <r> --sha <sha>
+#   fetch-pr-body  --owner <o> --repo <r> --pr <n>         Fetch current PR body → /tmp/pr-body.md
 #   autosquash                                             Rebase --autosquash from merge-base
 #
 # Exit codes: 0 = success, 1 = error, 2 = needs user input (e.g. gh not authenticated)
@@ -249,6 +250,16 @@ case "$CMD" in
     gh api "repos/$OWNER/$REPO/commits/$SHA" --jq '.commit.message | split("\n") | .[0]'
     ;;
 
+  fetch-pr-body)
+    require_gh
+    if [[ -z "$OWNER" || -z "$REPO" || -z "$PR" ]]; then
+      echo "Error: --owner, --repo, --pr required" >&2; exit 1
+    fi
+    BODY=$(gh api "repos/$OWNER/$REPO/pulls/$PR" --jq '.body // ""')
+    echo "$BODY" > /tmp/pr-body.md
+    echo ">> Wrote PR body to /tmp/pr-body.md ($(wc -c < /tmp/pr-body.md | tr -d ' ') bytes)"
+    ;;
+
   autosquash)
     DEFAULT_UPSTREAM=$(git symbolic-ref --quiet --short refs/remotes/origin/HEAD 2>/dev/null \
       || echo "origin/$(git remote show origin | sed -n '/HEAD branch/s/.*: //p')")
@@ -258,7 +269,7 @@ case "$CMD" in
     ;;
 
   *)
-    echo "Usage: pr-address.sh {fetch|reply|resolve-thread|mark-addressed|resolve-id|headline|autosquash} [args]" >&2
+    echo "Usage: pr-address.sh {fetch|reply|resolve-thread|mark-addressed|resolve-id|headline|fetch-pr-body|autosquash} [args]" >&2
     exit 1
     ;;
 esac

.cursor/commands/pr-create.md

@@ -72,7 +72,7 @@ Run full verification before creating the PR:
 
 Where `<upstream-ref>` is `origin/develop` for `edge-react-gui` or `origin/master` for other repos. Set `block_until_ms: 120000`.
 
-**CHANGELOG check:** Before running verification, confirm a CHANGELOG entry exists on this branch: `git diff origin/$DEFAULT_BRANCH..HEAD -- CHANGELOG.md`. If empty, add one now (see `im.md` CHANGELOG placement rules).
+**CHANGELOG check:** Before running verification, read the top ~50 lines of `CHANGELOG.md` and confirm that entries exist which reflect the branch's changes. If no matching entries exist, add them now (see `im.md` CHANGELOG placement rules).
 
 If verification fails, fix the issue, amend or fixup the relevant commit, push again, then continue.
 </step>
@@ -86,9 +86,6 @@ DEFAULT_BRANCH=$(git symbolic-ref --quiet --short refs/remotes/origin/HEAD 2>/de
 
 # All commit messages on this branch
 git log origin/$DEFAULT_BRANCH..HEAD --format=%B---
-
-# CHANGELOG diff
-git diff origin/$DEFAULT_BRANCH..HEAD -- CHANGELOG.md
 ```
 
 <sub-step name="PR title">
@@ -142,14 +139,14 @@ If Asana context was fetched:
 
 - **Title**: Align the PR title with the task name if it's descriptive.
 - **Dependencies**: Cross-reference with linked PRs mentioned in task comments.
-- **Context subsection**: Add a `#### Context` subsection at the **beginning** of the Description section — what the task is, why it matters, key decisions from comments. Wrap file paths, function names, and code references in backticks.
+- **Context subsection**: Add a `#### Context` subsection at the **beginning** of the Description section — what the task is, why it matters, key decisions from comments. Wrap file paths, function names, and code references in backticks. The Asana link itself is injected by `pr-create.sh` via `--asana-task` — do not duplicate it here.
 
 Example:
 
 ```markdown
 #### Context
 
-Asana: "gui: Token list not updating after add" (P2). The `useTokenList` hook
+"gui: Token list not updating after add" (P2). The `useTokenList` hook
 caches stale data because `useSyncEffect` doesn't re-trigger on `currencyConfig` changes.
 
 #### Changes
@@ -167,13 +164,16 @@ caches stale data because `useSyncEffect` doesn't re-trigger on `currencyConfig`
 <step id="7" name="Create PR">
 Create the PR immediately — do not ask for confirmation.
 
-1. **Write the body to a temp file** using the Write tool (NOT a shell command):
+1. **Write the body to a temp file** using the **Write tool** (NOT ApplyPatch, NOT a shell command):
    - Path: `/tmp/pr-body.md`
    - Content: the full PR body built in step 6
+   - The Write tool **overwrites** the file. ApplyPatch `Add File` may append to an existing file, causing stale content from a prior PR to bleed through. **Always use Write.**
 2. **Run the script**:
    ```bash
-   ~/.cursor/commands/pr-create.sh --title "<title>" --body-file /tmp/pr-body.md
+   ~/.cursor/commands/pr-create.sh --title "<title>" --body-file /tmp/pr-body.md --asana-task <task_gid>
    ```
+   - Pass `--asana-task <task_gid>` when an Asana task is available. The script injects a clickable Asana link into the PR body if one isn't already present. This is **required** for downstream `/pr-land` to extract the task GID.
+   - The script cleans up `/tmp/pr-body.md` after use to prevent cross-PR contamination. It will be re-populated from GitHub if needed during `/pr-address`.
 
 Using `--body-file` avoids shell escaping issues with multi-line content. Do NOT use `--body` with inline content.
 

.cursor/commands/pr-create.sh

@@ -14,10 +14,12 @@ const args = process.argv.slice(2);
 let title = null;
 let bodyFile = null;
 let draft = false;
+let asanaTask = null;
 
 for (let i = 0; i < args.length; i++) {
   if (args[i] === "--title" && args[i + 1]) title = args[++i];
   else if (args[i] === "--body-file" && args[i + 1]) bodyFile = args[++i];
+  else if (args[i] === "--asana-task" && args[i + 1]) asanaTask = args[++i];
   else if (args[i] === "--draft") draft = true;
 }
 
@@ -139,6 +141,23 @@ if (!body) {
   }
 }
 
+// Inject Asana link if provided and not already present
+if (asanaTask) {
+  const asanaUrl = `https://app.asana.com/0/0/${asanaTask}/f`;
+  const asanaRegex = new RegExp(`https://app\\.asana\\.com/\\d+/\\d+/(?:task/)?${asanaTask}`, "i");
+  if (!asanaRegex.test(body)) {
+    const link = `[Asana task](${asanaUrl})`;
+    const descIdx = body.indexOf("### Description\n");
+    if (descIdx !== -1) {
+      const afterHeader = descIdx + "### Description\n".length;
+      const rest = body.slice(afterHeader).replace(/^\n*/, "");
+      body = body.slice(0, afterHeader) + `\n${link}\n\n` + rest;
+    } else {
+      body = `${link}\n\n` + body;
+    }
+  }
+}
+
 // Create PR via gh CLI — write body to a temp file to avoid arg length issues
 const tmpBody = path.join(os.tmpdir(), `pr-body-${process.pid}.md`);
 fs.writeFileSync(tmpBody, body, "utf8");
@@ -147,6 +166,11 @@ if (draft) ghArgs.push("--draft");
 
 const result = spawnSync("gh", ghArgs, { encoding: "utf8" });
 try { fs.unlinkSync(tmpBody); } catch {}
+if (bodyFile && bodyFile.startsWith(os.tmpdir())) {
+  try {
+    fs.unlinkSync(bodyFile);
+  } catch {}
+}
 if (result.status !== 0) {
   console.error("ERROR:", (result.stderr || "").trim());
   process.exit(1);

.cursor/commands/push-env-key.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+# push-env-key.sh — Update a single key in the server's env.json and push
+#
+# Usage: push-env-key.sh <KEY> <VALUE> [-m "commit message"]
+#
+# Examples:
+#   push-env-key.sh EDGE_API_KEY abc123
+#   push-env-key.sh EDGE_API_KEY abc123 -m "Rotate Edge API key"
+
+set -euo pipefail
+
+SERVER="jack"
+REMOTE_REPO="/home/jon/jenkins-files/master"
+
+KEY=""
+VALUE=""
+COMMIT_MSG=""
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    -m) COMMIT_MSG="$2"; shift 2 ;;
+    *)
+      if [[ -z "$KEY" ]]; then KEY="$1"
+      elif [[ -z "$VALUE" ]]; then VALUE="$1"
+      else echo "Unexpected argument: $1" >&2; exit 1
+      fi
+      shift ;;
+  esac
+done
+
+if [[ -z "$KEY" || -z "$VALUE" ]]; then
+  echo "Usage: push-env-key.sh <KEY> <VALUE> [-m \"commit message\"]" >&2
+  exit 1
+fi
+
+if [[ -z "$COMMIT_MSG" ]]; then
+  COMMIT_MSG="Update $KEY in env.json"
+fi
+
+ssh "$SERVER" bash -s -- "$KEY" "$VALUE" "$COMMIT_MSG" "$REMOTE_REPO" <<'REMOTE'
+  set -euo pipefail
+  KEY="$1"
+  VALUE="$2"
+  MSG="$3"
+  REPO="$4"
+
+  cd "$REPO"
+  git pull --ff-only
+
+  CURRENT=$(jq -r --arg k "$KEY" '.[$k] // empty' env.json)
+  if [[ "$CURRENT" == "$VALUE" ]]; then
+    echo "No change: $KEY is already set to that value."
+    exit 0
+  fi
+
+  jq --arg k "$KEY" --arg v "$VALUE" '.[$k] = $v' env.json > env.json.tmp
+  mv env.json.tmp env.json
+
+  git add env.json
+  git commit -m "$MSG"
+  git push
+  echo "Done: $KEY updated and pushed."
+REMOTE

.cursor/rules/answer-questions-first.mdc

@@ -5,10 +5,10 @@ alwaysApply: true
 
 # Answer Questions Before Acting
 
-Before using any code editing tools, scan the user's message for `?` characters.
+Before using any code editing tools, scan the user's message for `?` characters and determine if it's a question.
 
-- **Ignore** `?` inside URLs or query parameters (e.g. `?param=x`, `?key=value`)
-- **Treat all other `?`** as question statements
+- **Ignore** `?` inside code, URLs or query parameters (e.g. `?param=x`, `?key=value` , `const x = ifTrue ? 'yes' : 'no'`)
+- **Treat all other `?`** as question statements, if they appear to be questions.
 
 If questions are detected:
 

.cursor/rules/fix-workflow-first.mdc

@@ -1,6 +1,6 @@
 ---
 description: When a workflow issue is identified in a command or skill, fix the command/skill definition first before fixing the downstream misbehavior.
-alwaysApply: true
+alwaysApply: false
 ---
 
 <goal>Ensure workflow definitions are fixed at the source before any workarounds are applied.</goal>
@@ -19,4 +19,4 @@ alwaysApply: true
 5. **Resume the original task** only after the command/skill is updated.
 </sequence>
 
-<scope>This applies to all workflow issues — missed steps, incorrect output, wrong tool usage, formatting problems, etc. The command/skill is the source of truth; patching around it creates drift.</scope>
+<scope>This applies to all workflow issues — missed steps, incorrect output, wrong tool usage, shell failures, formatting problems, etc. The command/skill is the source of truth; patching around it creates drift.</scope>

.cursor/rules/workflow-halt-on-error.mdc

@@ -0,0 +1,33 @@
+---
+description: Halt on workflow errors and detect slash-command invocations in user messages
+alwaysApply: true
+---
+
+<rules description="Non-negotiable constraints.">
+
+<rule id="halt-on-error">When ANY shell command fails (non-zero exit code) during a workflow:
+1. **STOP** — do not retry, work around, substitute, or continue the workflow.
+2. **Report** — show the user the exact command, exit code, and error output.
+3. **Diagnose** — classify the failure: missing tool (`command not found`), wrong path, permissions, or logic error.
+4. **Evaluate workflow** — if the failure reveals a gap in a command/skill definition, read `~/.cursor/rules/fix-workflow-first.mdc` and follow it.
+5. **Wait** — do not resume until the user responds.
+</rule>
+
+<rule id="no-silent-substitution">Do NOT silently substitute an alternative tool or approach when a command fails. If `rg` is not found, do not fall back to `grep`. If a script exits non-zero, do not manually replicate what the script does. The failure is the signal — report it.</rule>
+
+</rules>
+
+<slash-command-detection description="Detect /command invocations in user messages, analogous to answer-questions-first.mdc for '?' characters.">
+
+Scan the user's message for `/word` tokens. A token is a **command invocation** when ALL of:
+- `/word` is preceded by whitespace, a newline, or is at the start of the message
+- `word` contains only lowercase letters and hyphens (e.g., `/im`, `/pr-create`, `/author`)
+- `/word` is NOT inside a file path, URL, or code block
+
+When detected:
+1. Read `~/.cursor/commands/<word>.md` and follow it immediately.
+2. If the file does not exist, inform the user: "Command `/<word>` not found in `~/.cursor/commands/`."
+
+**Ignore `/`** in: file paths (`/Users/...`, `~/...`), URLs (`https://...`), mid-word (`and/or`), backticks/code blocks.
+
+</slash-command-detection>