Merge branch 'main' of github.com:NethermindEth/pluto into createdkg

Author: mskrzypkows

.claude/skills/review-pr/SKILL.md

@@ -0,0 +1,134 @@
+---
+name: review-pr
+description: >
+  Full multi-agent code review for a Pluto PR. Spawns parallel agents covering
+  functional correctness, security, Rust style, and code quality, then posts
+  all findings as isolated GitHub review comments and submits a final
+  approve/request-changes verdict. Invoke as `/review-pr <PR-number>` or
+  `/review-pr <GitHub-PR-URL>`.
+---
+
+# Review PR
+
+You are orchestrating a thorough code review for a Pluto pull request.
+
+## Input
+
+The argument is either a PR number (e.g. `311`) or a full GitHub PR URL. The
+repository is always `NethermindEth/pluto`.
+
+Resolve the PR number if a URL was given:
+```bash
+# From URL like https://github.com/NethermindEth/pluto/pull/311
+PR=311
+```
+
+## Step 1 — Gather context
+
+Run these in parallel:
+```bash
+gh pr view $PR --repo NethermindEth/pluto \
+  --json title,body,files,additions,deletions,headRefName,commits
+gh pr diff $PR --repo NethermindEth/pluto
+```
+
+Read every changed file from disk (the branch may already be checked out).
+If a file is not available locally, use the raw diff.
+
+Also note the head commit SHA — you will need it for the review API call.
+
+## Step 2 — Parallel agent review
+
+Spawn **four agents in a single message** so they run concurrently.  Give each
+agent the full diff and relevant file contents in its prompt.
+
+| Agent | Skill | Focus |
+|---|---|---|
+| **pluto-review** | `/pluto-review` | Functional equivalence with Charon Go; parity matrix; test coverage gaps |
+| **security-review** | — | Auth bypass, resource exhaustion, key-material handling, DoS vectors |
+| **rust-style** | `/rust-style` | Idiomatic Rust; memory orderings; error handling patterns; naming |
+| **code-quality** | — | Concurrency correctness; state-machine completeness; resource lifecycle |
+
+Each agent must return findings as JSON objects:
+```json
+{
+  "file": "crates/foo/src/bar.rs",
+  "line": 42,
+  "severity": "bug|major|minor|nit",
+  "title": "short title",
+  "body": "detailed explanation with code snippets if helpful"
+}
+```
+
+## Step 3 — Deduplicate and assess
+
+Merge the four finding lists. For each finding:
+
+- If the same issue is raised by multiple agents, merge into one finding
+  (use the most detailed body).
+- Assign a final severity: `bug` → `major` → `minor` → `nit`.
+- Prefix the comment body with **`nit:`** if severity is `nit`.
+- Verify every `file` path and `line` number against the actual diff before
+  posting — do not guess.
+
+## Step 4 — Post inline comments via GitHub review API
+
+Build a single JSON payload and post it in **one** API call:
+
+```bash
+gh api repos/NethermindEth/pluto/pulls/$PR/reviews \
+  --method POST \
+  --input /tmp/review_payload.json \
+  --jq '{id:.id, state:.state, url:.html_url}'
+```
+
+Payload shape:
+```json
+{
+  "commit_id": "<head-sha>",
+  "body": "<overall-assessment — see Step 5>",
+  "event": "APPROVE | REQUEST_CHANGES | COMMENT",
+  "comments": [
+    {
+      "path": "crates/foo/src/bar.rs",
+      "line": 42,
+      "side": "RIGHT",
+      "body": "comment text"
+    }
+  ]
+}
+```
+
+Rules for comments:
+- One comment per finding. Do not batch multiple issues into one comment.
+- Use `line` + `side: "RIGHT"` for new/modified lines (additions).
+- Use `side: "LEFT"` only for deleted lines.
+- If `line` is unavailable or ambiguous, omit it — the comment lands at the
+  file level, which is still useful.
+- nit-level findings must start with **`nit:`** in the comment body.
+
+## Step 5 — Overall assessment
+
+Write a 3–5 sentence overall body for the review covering:
+1. What the PR does and overall quality signal.
+2. A numbered list of **bugs** (must-fix before merge).
+3. Summary of major/minor findings.
+4. Verdict rationale.
+
+**Verdict rules:**
+
+| Condition | Event |
+|---|---|
+| Any `bug` severity finding | `REQUEST_CHANGES` |
+| Any `major` severity finding | `REQUEST_CHANGES` |
+| Only `minor` / `nit` findings | `COMMENT` (leave open for author discretion) |
+| No findings or only `nit` | `APPROVE` |
+
+## Output
+
+After the API call succeeds, print:
+```
+Review posted: <html_url>
+Verdict: <APPROVE|REQUEST_CHANGES|COMMENT>
+Findings: <N bugs, M major, P minor, Q nits>
+```

.claude/skills/rust-style/SKILL.md

@@ -61,16 +61,25 @@ let x = a.checked_add(b).ok_or(Error::Overflow)?;
 
 ## Casts
 
-No lossy or unchecked casts — use fallible conversions:
+**Never use `as` for numeric type conversions** — use fallible conversions with `try_from`:
 
 ```rust
-// Bad
+// Bad - will cause clippy errors
 let x = value as u32;
+let y = some_usize as u64;
 
-// Good
+// Good - use try_from with proper error handling
 let x = u32::try_from(value)?;
+let y = u64::try_from(some_usize).expect("message explaining why this is safe");
 ```
 
+Rules:
+
+- Always use `TryFrom`/`try_from` for numeric conversions between different types
+- Handle conversion failures explicitly (either with `?` or `expect` with justification)
+- The only acceptable use of `expect` is when the conversion is guaranteed to succeed (e.g., `usize` to `u64` on 64-bit platforms)
+- Clippy will error on unchecked `as` casts: `cast_possible_truncation`, `cast_possible_wrap`, `cast_sign_loss`
+
 ---
 
 ## Async / Tokio
@@ -158,3 +167,22 @@ mod tests {
 ```
 
 - For hashing/serialization parity, generate Go-derived test vectors and hardcode them as Rust fixtures.
+
+---
+
+## Pluto-Specific Checklist
+
+Apply when reviewing or porting code:
+
+- [ ] `Ordering::SeqCst` is justified; prefer `Relaxed`/`AcqRel` for
+      standalone flags.
+- [ ] `Error::Io` wraps `std::io::Error` (not `String`) to preserve
+      `ErrorKind`.
+- [ ] New public functions accept `impl AsRef<[u8]>` / `impl AsRef<str>`
+      rather than concrete slice refs where appropriate.
+- [ ] No `unwrap()` / `expect()` / `panic!()` outside test code.
+- [ ] All arithmetic uses checked ops (`checked_add`, `checked_mul`, …).
+- [ ] Tests mirror the Go test names and shapes where applicable.
+- [ ] `use` declarations appear before all other items in each file.
+- [ ] No dead payload in error variants (every captured field appears in the
+      `#[error("...")]` string).

.github/workflows/claude-code-review.yml

@@ -1,27 +1,20 @@
 name: Claude Code Review
 
 on:
-  pull_request:
-    types: [review_requested]
-    # Optional: Only run on specific file changes
-    # paths:
-    #   - "src/**/*.ts"
-    #   - "src/**/*.tsx"
-    #   - "src/**/*.js"
-    #   - "src/**/*.jsx"
+  issue_comment:
+    types: [created]
 
 jobs:
   claude-review:
-    # Only run when a specific reviewer is requested (e.g., "claude-code" or specific team)
     if: |
-      contains(github.event.pull_request.requested_reviewers.*.login, 'claude-code') ||
-      contains(github.event.pull_request.requested_teams.*.slug, 'claude-code')
+      github.event.issue.pull_request != null &&
+      contains(github.event.comment.body, '/claude-review')
 
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      pull-requests: read
-      issues: read
+      pull-requests: write
+      issues: write
       id-token: write
 
     steps:
@@ -49,9 +42,6 @@ jobs:
         uses: anthropics/claude-code-action@v1
         with:
           anthropic_api_key: ${{ secrets.CLAUDE_CODE_API_KEY }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
           track_progress: true
-          plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
-          plugins: 'code-review@claude-code-plugins'
-          prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
-          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
-          # or https://code.claude.com/docs/en/cli-reference for available options
+          prompt: '/review-pr ${{ github.event.pull_request.number || github.event.issue.number }}'