
Stabilize Anchor checks and workspace tooling #1

Merged
posaune0423 merged 1 commit into main from chore/agent-tooling-anchor-fixes
Mar 10, 2026

posaune0423 (Collaborator) commented Mar 10, 2026

This PR stabilizes the Anchor workspace and formalizes local and CI quality gates.
It wires anchor-spl/idl-build and solana-program so cargo clippy --all-features and rust-analyzer stop failing on macro expansion, and removes the unused initialize instruction.
It adds Bun-based formatting, lint, and test scripts, lefthook, a GitHub Actions CI workflow, a Makefile, and a pinned Rust toolchain.
It also consolidates agent and project guidance under .agents, exposes it through symlinked .claude/.codex/.cursor entrypoints, and adds the initial product doc.

Summary by CodeRabbit

  • New Features

    • Added automated CI/CD pipeline for code quality checks
    • Introduced comprehensive agent-driven development workflow with skills for bug fixes, code reviews, and PR management
  • Documentation

    • Added product documentation and development guides
    • Comprehensive Solana development resources including testing, security, and payment guidance
  • Chores

    • Updated build tooling and package manager configuration
    • Added formatting and linting pre-commit hooks
    • Configured Rust toolchain with common utilities
    • Removed unused program initialization instruction

- wire Anchor idl-build and Solana deps for clippy and rust-analyzer
- add bun, CI, hooks, docs, and shared agent config entrypoints

coderabbitai bot commented Mar 10, 2026

Walkthrough

This PR establishes an agent-driven development workflow by migrating configuration from .cursor/ to a new .agents/ structure, introduces comprehensive skills for Solana development, testing, code review, and CI/CD, adds GitHub Actions workflows and Lefthook hooks, updates tooling to Bun, and removes obsolete Cursor-specific guidance.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Agent Configuration Centralization | .agents/commands/bug-fix.md, check-simirality.md, commit.md, final-check.md, refactor.md, worktree-pr.md | Minor text/formatting updates to command guides and added final-check workflow. Refactored documentation without functional changes. |
| Agent Rules & Standards | .agents/rules/coderabbit.mdc, commit-style.mdc, dotenvx.mdc, mermaid.mdc, proactive-subagent-and-skills.mdc, test.mdc, typescript.mdc | New comprehensive ruleset for commit style (emoji-labeled), environment variable management, subagent usage, Bun testing best practices, and TypeScript typing guidance (shifted from prohibition to guidance on any/unknown). |
| Task Management & Memory | .agents/memory/todo.md | New task plan document tracking reproduction, wiring fixes, instruction removal, and verification steps. |
| Development Skills — Core Practices | .agents/skills/bug-fix/SKILL.md, code-review/SKILL.md, final-check/SKILL.md, test-driven-development/SKILL.md | New skill documentation for systematic bug fixing, CodeRabbit code review, final-check workflow, and TDD methodology with anti-patterns guidance. |
| Development Skills — Solana Ecosystem | .agents/skills/solana-dev/SKILL.md, frontend-framework-kit.md, idl-codegen.md, kit-web3-interop.md, payments.md, programs-anchor.md, programs-pinocchio.md, resources.md, security.md, testing.md | Comprehensive Solana development guidance covering framework setup, IDL-driven codegen, Anchor/Pinocchio program development, security checklist, testing strategies (LiteSVM/Mollusk), and curated learning resources. |
| Development Skills — Supplementary | .agents/skills/create-pr/SKILL.md, find-skills/SKILL.md, mermaid-er-diagram/SKILL.md, update-pr/SKILL.md | Workflow documentation for PR creation/updates, skills discovery, ER diagram generation, and database pattern examples (advanced-patterns.md). |
| PR Helper Scripts | .agents/skills/create-pr/scripts/poll-pr.sh, pr-body-update.sh, triage-pr.sh | New Bash scripts for CI polling, PR body updates via GraphQL, and PR triage summarization. |
| IDE Configuration Symlinks | .claude/commands, .claude/rules, .claude/skills, .codex/commands, .codex/rules, .codex/skills, .cursor/commands, .cursor/rules, .cursor/skills | Single-line symlinks (../.agents/*) enabling IDE-agnostic agent configuration sharing across editors. |
| Deprecated Cursor Configuration | .cursor/commands/anchor-*.md, check-script.md, final-check.md, kiro/*, linear.md, solana-*.md, understand.md, .cursor/rules/anchor.mdc, drawio.mdc, general.mdc, git.mdc, github.mdc, rust.mdc, solana.mdc, test.mdc | Removed obsolete Cursor-specific guides including Kiro spec system (init/design/impl/requirements/status/tasks/gap/validate), Linear integration, Solana CLI basics, and detailed tool rules now consolidated into .agents/. |
| CI/CD & Build Infrastructure | .github/workflows/ci.yml, Makefile, lefthook.yml, rust-toolchain.toml | New GitHub Actions workflow (lint/format/test on push/PR), Makefile targets (install/build/test/lint/format), and Lefthook pre-commit/pre-push hooks with Rust and TS checks. |
| Project Tooling Updates | package.json, Anchor.toml, .vscode/settings.json, .prettierignore | Package manager switched to Bun (1.3.10), extended npm scripts for Rust/TS formatting, removed VSCode clippy checkOnSave config, added Prettier ignore list for build/config/doc files. |
| Program & Workspace Config | programs/doom-nft-program/Cargo.toml, programs/doom-nft-program/src/lib.rs | Added features (anchor-debug, custom-heap, custom-panic), extended idl-build, added solana-program dependency; removed initialize entry point and associated accounts struct from program. |
| Project Documentation | AGENTS.md, CLAUDE.md, docs/PRODUCT.md | New AGENTS.md with project memory, workflow phases (plan/verify/track), subagent usage, and core principles; CLAUDE.md reference file; PRODUCT.md describing DOOM INDEX art generator. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 New pathways woven through the agent's den,
Skills bundled, rules aligned, workflows zen—
From cursor's nest to agents' unified call,
Solana, testing, reviews, and all!
With CI/CD hooks and Bun's swift pace,
This burrow's now a builder's perfect place. 🌟

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Stabilize Anchor checks and workspace tooling' directly and accurately summarizes the main change: formalizing quality gates and tooling for the Anchor workspace. It is concise, clear, and specific enough for a teammate to understand the primary focus. |



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 6

Note

Due to the large number of review comments, Critical, Major severity comments were prioritized as inline comments.

🟡 Minor comments (15)
.agents/rules/commit-style.mdc-58-58 (1)

58-58: ⚠️ Potential issue | 🟡 Minor

Update reference to reflect new .agents/ structure.

The staging rules mention .cursor/**, but this PR migrates configuration from .cursor/ to .agents/. The exception should likely reference .agents/** instead to align with the new structure.

📝 Proposed fix
-- Follow `.gitignore` strictly. Never stage `.env`, `.cursor/**` (except commands), credentials
+- Follow `.gitignore` strictly. Never stage `.env`, `.agents/**` (except rules/skills/commands), credentials
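Review bot: The `+` line widens the exception from "except commands" to "except rules/skills/commands", while the agent prompt directly below asks to preserve the same "except commands" caveat, so the diff and the prompt disagree. The walkthrough table also lists `.agents/memory/todo.md` as a file added in this PR, which the new wording would forbid staging. Decide whether `memory` belongs in the exception list and state one wording in both the diff and the prompt.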
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/rules/commit-style.mdc at line 58, The staging rule text currently
references ".cursor/**" which is outdated after migrating config to ".agents/";
update the rule in commit-style.mdc to replace the ".cursor/**" exception with
".agents/**" (and ensure the same "except commands" caveat is preserved) so the
guidance accurately reflects the new directory structure.
.agents/rules/coderabbit.mdc-7-7 (1)

7-7: ⚠️ Potential issue | 🟡 Minor

Fix typo in documentation.

The word "comands" should be "commands".

📝 Proposed fix
-CodeRabbit is already installed in the terminal. Run it as a way to review your code. Run the command: cr -h for details on comands available. In general, I want you to run coderabbit with the `--prompt-only` flag. To review uncommitted changes (this is what we'll use most of the time) run: `coderabbit --prompt-only -t uncommitted`.
+CodeRabbit is already installed in the terminal. Run it as a way to review your code. Run the command: cr -h for details on commands available. In general, I want you to run coderabbit with the `--prompt-only` flag. To review uncommitted changes (this is what we'll use most of the time) run: `coderabbit --prompt-only -t uncommitted`.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/rules/coderabbit.mdc at line 7, Replace the misspelled word
"comands" with "commands" in the documentation line that reads "cr -h for
details on comands available" so it correctly reads "cr -h for details on
commands available"; search for the literal string "comands" in
.agents/rules/coderabbit.mdc (the sentence that starts "CodeRabbit is already
installed...") and update it.
.agents/rules/proactive-subagent-and-skills.mdc-10-10 (1)

10-10: ⚠️ Potential issue | 🟡 Minor

Fix the invalid URL format for SKILL.md reference.

The reference http://SKILL.md uses an incorrect protocol prefix. This should be a relative file path to the actual SKILL.md files in the skills directory, not an HTTP URL.

📝 Suggested fix
-- **Skill**: 専門知識が必要なタスク → 作業開始前に `http://SKILL.md` を読み、手順/制約をそのまま適用する。宣言だけで終わらせない。
+- **Skill**: 専門知識が必要なタスク → 作業開始前に `SKILL.md` を読み、手順/制約をそのまま適用する。宣言だけで終わらせない。

Alternatively, if you want to be more explicit about the path:

-- **Skill**: 専門知識が必要なタスク → 作業開始前に `http://SKILL.md` を読み、手順/制約をそのまま適用する。宣言だけで終わらせない。
+- **Skill**: 専門知識が必要なタスク → 作業開始前に `../skills/SKILL.md` を読み、手順/制約をそのまま適用する。宣言だけで終わらせない。
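Review bot: The alternative `+` line points at `../skills/SKILL.md`, but the skills listed in this PR each live in their own directory (for example `.agents/skills/bug-fix/SKILL.md`), so nothing exists at that path. The agent prompt below offers a third spelling, `skills/SKILL.md`. Keep the bare `SKILL.md` from the first suggestion, or use a form that includes the skill directory, and make the prompt match.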
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/rules/proactive-subagent-and-skills.mdc at line 10, Replace the
invalid HTTP URL string "http://SKILL.md" in the rule sentence with a relative
file path to the actual SKILL.md in your skills directory (e.g.,
"skills/SKILL.md" or "./skills/SKILL.md") so the rule references the local file
rather than using an incorrect protocol; update the phrase in
.agents/rules/proactive-subagent-and-skills.mdc where "http://SKILL.md" appears
to use that relative path.
.agents/rules/dotenvx.mdc-56-57 (1)

56-57: ⚠️ Potential issue | 🟡 Minor

Make the grep pattern more precise.

The pattern .env.keys treats dots as regex metacharacters that match any character. Use a literal match to avoid false positives.

🔍 Proposed fix for literal pattern matching
 # Verify .env.keys is NOT staged
-git diff --cached --name-only | grep -q '.env.keys' && echo "ERROR: Remove .env.keys from staging" && exit 1
+git diff --cached --name-only | grep -Fq '.env.keys' && echo "ERROR: Remove .env.keys from staging" && exit 1
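Review bot: `grep -Fq '.env.keys'` on the `+` line is still a substring match, so it also fires on names such as `.env.keys.example`, and the prompt's statement that only the exact filename is detected does not hold. For a guard that keeps the key file out of a commit, over-matching is the safe direction, so do not tighten it with `-x` alone, which would miss a `.env.keys` staged in a subdirectory. If an exact basename match is wanted, an anchored pattern such as `grep -Eq '(^|/)\.env\.keys$'` covers both the root and nested paths.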

The -F flag treats the pattern as a fixed string rather than a regex.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/rules/dotenvx.mdc around lines 56 - 57, The grep pattern in the
staged check uses a regex-style pattern ('.env.keys') so dots match any
character; update the check in the command that currently runs "git diff
--cached --name-only | grep -q '.env.keys' ..." to use a literal match (for
example by adding grep's -F flag or escaping dots) so only the exact filename
".env.keys" is detected and false positives are avoided.
.agents/commands/check-simirality.md-1-1 (1)

1-1: ⚠️ Potential issue | 🟡 Minor

Typo in filename: "simirality" should be "similarity".

The file is named check-simirality.md but should be check-similarity.md to match the tool name similarity-ts referenced throughout the document.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/commands/check-simirality.md at line 1, The markdown filename
contains a typo: rename check-simirality.md to check-similarity.md and update
any references/imports to that file (search for "check-simirality.md" and
replace) so it matches the tool name similarity-ts; ensure related references in
README, scripts, CI config, and any tooling that expects check-similarity.md are
updated accordingly to avoid broken links.
docs/PRODUCT.md-7-7 (1)

7-7: ⚠️ Potential issue | 🟡 Minor

Minor typo: "分散がストレージ" should be "分散ストレージ".

The phrase "分散がストレージ" appears to be a typo. It should likely be "分散ストレージ" (distributed storage).

Proposed fix
-DOOM INDEXで生成したAI生成絵画をipfsなどの分散がストレージにuploadしそのmetadataを使いsolanaの規格に準拠したNFTをmintできるようにします。
+DOOM INDEXで生成したAI生成絵画をipfsなどの分散ストレージにuploadしそのmetadataを使いsolanaの規格に準拠したNFTをmintできるようにします。
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/PRODUCT.md` at line 7, Fix the typo in the sentence "DOOM
INDEXで生成したAI生成絵画をipfsなどの分散がストレージにuploadしそのmetadataを使いsolanaの規格に準拠したNFTをmintできるようにします。"
by replacing "分散がストレージ" with "分散ストレージ" so the sentence reads
"...ipfsなどの分散ストレージにuploadしそのmetadataを使い..." to correct the phrasing.
AGENTS.md-72-75 (1)

72-75: ⚠️ Potential issue | 🟡 Minor

This conflicts with the migration-shim guidance elsewhere.

Here we forbid backward-compat shims, but .agents/commands/refactor.md requires a shim plus deprecation note when an API break is unavoidable. Please unify these rules so agents don’t make opposite choices for the same refactor.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@AGENTS.md` around lines 72 - 75, The "Core Principles" statement in AGENTS.md
forbids backward-compat shims which conflicts with the guidance in
.agents/commands/refactor.md that requires a migration shim plus a deprecation
note for unavoidable API breaks; reconcile by updating AGENTS.md's "Simplicity
First"/"No Laziness"/"Minimal Impact" language to explicitly allow a short-lived
backward-compat shim with a deprecation notice and a removal timeline when an
API break is unavoidable (or alternatively update .agents/commands/refactor.md
to match AGENTS.md), and reference the policy in both places (AGENTS.md and
.agents/commands/refactor.md) so agents follow the same rule set for refactors
and migration shims.
Makefile-7-9 (1)

7-9: ⚠️ Potential issue | 🟡 Minor

Remove the redundant prepare invocation.

bun install automatically executes lifecycle scripts for the root project, including prepare. Line 9 runs it again, duplicating the Lefthook install.

Suggested change
 install:
 	$(BUN) install
-	$(BUN) run prepare
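Review bot: Dropping `$(BUN) run prepare` makes hook installation in `make install` depend entirely on `bun install` running lifecycle scripts. The package.json comment later in this review suggests `bun install --frozen-lockfile --ignore-scripts` or `LEFTHOOK: 0` for CI; if either setting is used outside CI, `make install` no longer installs the Lefthook hooks and the pre-commit checks stop running without any error. Add a Makefile comment stating that hook installation relies on the `prepare` script, or keep an explicit hook-install target.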
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Makefile` around lines 7 - 9, The Makefile's install target redundantly calls
prepare after running $(BUN) install, causing duplicate Lefthook installation;
remove the extra '$(BUN) run prepare' command from the install recipe so the
install target only runs '$(BUN) install' (leave the install target and $(BUN)
variable intact).
.agents/commands/worktree-pr.md-136-136 (1)

136-136: ⚠️ Potential issue | 🟡 Minor

Update stale path reference to migrated commit style rules.

Line 136 references .cursor/rules/commit-style.mdc, but the file has been migrated to .agents/rules/commit-style.mdc. Update the path to point to the new location.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/commands/worktree-pr.md at line 136, Update the stale file path
referenced in the documentation: change the mention of
".cursor/rules/commit-style.mdc" to the migrated location
".agents/rules/commit-style.mdc" in the file .agents/commands/worktree-pr.md
(update the single occurrence on the line that currently points to the old path
so all readers point to the new commit-style rules).
.agents/skills/test-driven-development/SKILL.md-103-117 (1)

103-117: ⚠️ Potential issue | 🟡 Minor

Incorrect import in "Bad" example — jest is not exported from bun:test.

The example imports jest from bun:test, but Bun's test module doesn't export a jest object. Use mock from bun:test instead. This is a "Bad" example, but the invalid syntax can confuse readers about what exactly makes it problematic.

Suggested fix
-import { test, expect, jest } from "bun:test";
+import { test, expect, mock } from "bun:test";

 test("retry works", async () => {
-  const mock = jest
-    .fn()
+  const mockFn = mock()
     .mockRejectedValueOnce(new Error())
     .mockRejectedValueOnce(new Error())
     .mockResolvedValueOnce("success");
-  await retryOperation(mock);
-  expect(mock).toHaveBeenCalledTimes(3);
+  await retryOperation(mockFn);
+  expect(mockFn).toHaveBeenCalledTimes(3);
 });
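Review bot: The diff and the agent prompt below it describe different code. The `+` lines call `mock()` and rename the variable to `mockFn`, while the prompt says to use `mock.fn()` and to keep `retryOperation(mock)` and `expect(mock)`; with `mock` now imported from `bun:test`, a local `const mock` would shadow the import and refer to itself in its own initializer. Apply the diff as written and correct the prompt to match it.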
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/test-driven-development/SKILL.md around lines 103 - 117,
Replace the incorrect import and mock usage in the "Bad" example: change the
import from `import { test, expect, jest } from "bun:test"` to `import { test,
expect, mock } from "bun:test"` and update the mock creation from `jest.fn()` to
`mock.fn()` (the test still exercises `retryOperation` so keep the call to
`retryOperation(mock)` and the `expect(mock).toHaveBeenCalledTimes(3)`
assertion); also consider renaming the example or adding a short note clarifying
that the issue shown is the invalid import, not the retry test itself.
.agents/skills/solana-dev/security.md-216-230 (1)

216-230: ⚠️ Potential issue | 🟡 Minor

Update to use resize() instead of deprecated realloc().

The closure pattern is correct, but account.realloc(1, true) has been deprecated since pinocchio 0.9.0. Use account.resize(1) instead (newly-extended bytes are automatically zeroed). The overall pattern—write sentinel byte, transfer lamports, shrink account, then close—properly prevents "unbalanced instruction" errors.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/solana-dev/security.md around lines 216 - 230, The close
function uses the deprecated AccountInfo::realloc; replace the realloc call in
close (currently account.realloc(1, true)?) with the new account.resize(1) API:
remove the boolean argument and call resize(1) to shrink the account to one byte
(new bytes are zeroed automatically), keeping the preceding sentinel write,
lamports transfer, and final account.close() call unchanged; update any imports
or error handling if the resize method returns a different error type.
.agents/rules/test.mdc-22-22 (1)

22-22: ⚠️ Potential issue | 🟡 Minor

Verify Bun documentation URLs.

The URLs https://bun.com/docs/test/mocks and https://bun.com/docs/guides/test/mock-functions should be verified. The canonical Bun documentation domain is bun.sh, not bun.com (e.g., https://bun.sh/docs/test/mocks).

🔗 Proposed fix
-参考: [Bun Test Mocks](https://bun.com/docs/test/mocks), [Mock Functions Guide](https://bun.com/docs/guides/test/mock-functions)
+参考: [Bun Test Mocks](https://bun.sh/docs/test/mocks), [Mock Functions Guide](https://bun.sh/docs/guides/test/mock-functions)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/rules/test.mdc at line 22, Update the two Bun documentation links in
.agents/rules/test.mdc to use the canonical bun.sh domain: replace
"https://bun.com/docs/test/mocks" with "https://bun.sh/docs/test/mocks" and
"https://bun.com/docs/guides/test/mock-functions" with
"https://bun.sh/docs/guides/test/mock-functions" so the reference lines (the
text containing "Bun Test Mocks" and "Mock Functions Guide") point to the
correct canonical URLs.
.agents/skills/solana-dev/programs-pinocchio.md-83-84 (1)

83-84: ⚠️ Potential issue | 🟡 Minor

Stray comment outside code block.

Line 83 has a Rust-style comment (// Note: ...) that appears outside any code fence. This should either be converted to Markdown prose or moved inside a code block.

📝 Proposed fix
-// Note: Use `Address::new_from_array()` not `Address::new()`
+> **Note:** Use `Address::new_from_array()` not `Address::new()`
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/solana-dev/programs-pinocchio.md around lines 83 - 84, The
stray Rust-style comment "// Note: Use `Address::new_from_array()` not
`Address::new()`" is outside a code fence; either convert it into normal
Markdown prose (e.g., "Note: Use Address::new_from_array() instead of
Address::new().") or move it inside the appropriate Rust code block where
Address::new_from_array() and Address::new() are shown (look for the code block
referencing Address). Ensure the comment formatting matches the surrounding
Markdown (plain sentence in text or a comment inside a fenced ```rust block) so
it is no longer a stray line.
.agents/skills/solana-dev/programs-pinocchio.md-137-186 (1)

137-186: ⚠️ Potential issue | 🟡 Minor

Duplicate code block with inconsistent method name.

Lines 137-169 define DepositAccounts::try_from with owned_by() method (line 158), but lines 171-185 appear to be a duplicate/leftover block using is_owned_by() (line 174). This creates confusion about the correct API. Remove the duplicate block starting at line 171.

🔧 Proposed fix: Remove duplicate code block
         Ok(Self { owner, vault, system_program })
     }
 }
-
-
-
-        // Owner check
-        if !vault.is_owned_by(&pinocchio_system::ID) {
-            return Err(ProgramError::InvalidAccountOwner);
-        }
-
-        // Program ID check (prevents arbitrary CPI)
-        if system_program.address() != &pinocchio_system::ID {
-            return Err(ProgramError::IncorrectProgramId);
-        }
-
-        Ok(Self { owner, vault, system_program })
-    }
-}
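Review bot: The context lines show only the `Ok(Self { owner, vault, system_program })` tail of the block that is kept, so this hunk does not show that the retained `try_from` still carries both the owner check and the program ID check that the removed lines contain. Confirm both are present in lines 137-169 before deleting the duplicate. The comment also only says that `owned_by()` and `is_owned_by()` are inconsistent, not which one is current; verify the method name against the pinocchio version the skill doc targets.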
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/solana-dev/programs-pinocchio.md around lines 137 - 186, The
impl TryFrom for DepositAccounts contains a duplicated tail block using the
wrong method name; remove the duplicated block that repeats the owner and
program-id checks (the second occurrence that uses is_owned_by()) so the impl
TryFrom for DepositAccounts only includes the single correct owner check using
vault.owned_by(&pinocchio_system::ID) and the program id check comparing
system_program.address() to &pinocchio_system::ID, leaving Ok(Self { owner,
vault, system_program }) as the final return.
.agents/rules/test.mdc-296-297 (1)

296-297: ⚠️ Potential issue | 🟡 Minor

Consistent URL domain needed.

Same issue as line 22—these URLs use bun.com but should use bun.sh.

🔗 Proposed fix
-- [Bun Test Mocks Documentation](https://bun.com/docs/test/mocks)
-- [Bun Mock Functions Guide](https://bun.com/docs/guides/test/mock-functions)
+- [Bun Test Mocks Documentation](https://bun.sh/docs/test/mocks)
+- [Bun Mock Functions Guide](https://bun.sh/docs/guides/test/mock-functions)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/rules/test.mdc around lines 296 - 297, Replace the inconsistent
bun.com domain in the two markdown links ("Bun Test Mocks Documentation" and
"Bun Mock Functions Guide") with bun.sh so both URLs match the project's
canonical domain; update the links that currently point to
https://bun.com/docs/test/mocks and
https://bun.com/docs/guides/test/mock-functions to use
https://bun.sh/docs/test/mocks and
https://bun.sh/docs/guides/test/mock-functions respectively.
🧹 Nitpick comments (17)
.agents/memory/todo.md (1)

31-35: Consider minor style improvements for readability.

While this is internal documentation, varying sentence structures would improve flow:

  • Lines 31-35: Four consecutive sentences begin with "Confirmed"
  • Lines 48, 51-53: Multiple sentences begin with "Added"
  • Line 52: Use "GitHub" (capital H) for the proper noun

Also applies to: 48-53

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/memory/todo.md around lines 31 - 35, The noted style issues are
repeated sentence openings and a capitalization error; edit the todo.md content
where several consecutive lines start with "Confirmed" (the block referencing
anchor commands) to vary sentence structure — e.g., combine some confirmations
into a single sentence, use passive voice, or start with the command name
(anchor test/anchor shell/anchor build) — and similarly rewrite the lines that
begin with "Added" (the later changelog-style lines) to avoid repetitive
openings; also correct the proper noun "GitHub" (capitalize the H) wherever it
appears (line referencing GitHub/line 52). Keep meaning unchanged and aim for
clearer flow and parallel structure in the rewritten sentences.
.agents/rules/dotenvx.mdc (2)

63-71: Consider adding production key management guidance.

The documentation shows how to use DOTENV_PRIVATE_KEY_PRODUCTION but doesn't explain how teams should securely manage and distribute these keys (e.g., via CI/CD secrets, AWS Secrets Manager, etc.).

Consider adding a subsection explaining:

  • How to securely store production keys (CI/CD environment variables, secret managers)
  • How to grant access to new team members
  • Key rotation procedures
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/rules/dotenvx.mdc around lines 63 - 71, Add a short "Production key
management" subsection under "Runtime Decryption" that expands on
DOTENV_PRIVATE_KEY_PRODUCTION and dotenvx run: describe storing the private key
in CI/CD secret stores (e.g., GitHub Actions secrets, GitLab CI variables), or
managed secret services (AWS Secrets Manager, HashiCorp Vault), granting access
via role-based IAM or team membership onboarding procedures, and a recommended
key rotation process (regular rotation schedule, revoke old keys, update CI
secrets, and test rollout). Reference DOTENV_PRIVATE_KEY_PRODUCTION and dotenvx
run in the text so readers know these practices apply to the production private
key used at runtime.

1-77: Consider adding initial setup guidance.

The document covers day-to-day workflows but lacks initial setup instructions. New team members will need to know how to:

  • Generate or obtain the .env.keys file for the first time
  • Decrypt the committed .env files on a fresh clone
  • Request access to decryption keys from the team

Consider adding an "Initial Setup" or "Getting Started" section near the beginning that covers the bootstrap process for new developers.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/rules/dotenvx.mdc around lines 1 - 77, Add an "Initial Setup" (or
"Getting Started") section near the top that tells new developers how to
obtain/generate the private key, decrypt committed env files, and request
access: explain that .env.keys must be provided by an authorized maintainer (or
generated locally with the dotenvx key generation workflow), show the minimal
steps to decrypt committed .env files on a fresh clone (using dotenvx run with
the DOTENV_PRIVATE_KEY or by placing .env.keys locally), and include guidance on
who/how to request the .env.keys from the team and verification steps (e.g., run
dotenvx encrypt/decrypt checks) so new contributors can bootstrap their
environment securely.
.prettierignore (1)

13-15: Redundant patterns: specific .md files before wildcard.

Lines 13-14 (AGENTS.md, CLAUDE.md) are redundant since line 15 (*.md) already ignores all markdown files.

♻️ Suggested cleanup
 .codex
-AGENTS.md
-CLAUDE.md
 *.md
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.prettierignore around lines 13 - 15, Remove the redundant specific markdown
ignore entries by deleting the lines "AGENTS.md" and "CLAUDE.md" from
.prettierignore since the existing "*.md" pattern already covers all .md files;
keep the "*.md" entry and ensure no other specific .md patterns remain that are
subsumed by it.
.agents/skills/mermaid-er-diagram/SKILL.md (1)

43-45: Add language identifier to fenced code block.

The static analysis tool flagged this code block as missing a language identifier. While this is a format template, adding a language (e.g., text or plaintext) improves rendering consistency.

♻️ Suggested fix
-```
+```text
 type column_name [PK|FK|UK] ["comment"]
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @.agents/skills/mermaid-er-diagram/SKILL.md around lines 43 - 45, Update the
fenced code block containing the template line type column_name [PK|FK|UK] ["comment"] to include a language identifier (e.g., add text or plaintext
after the opening ```), so the block becomes a labeled code fence for proper
syntax/formatting rendering; locate the block in SKILL.md and modify the opening
fence accordingly.


</details>

</blockquote></details>
<details>
<summary>package.json (1)</summary><blockquote>

`7-7`: **Consider skipping `lefthook install` in CI environments.**

The `prepare` lifecycle hook runs automatically after `bun install`. In CI environments (per `.github/workflows/ci.yml` line 30-31), this will unnecessarily install git hooks. While not harmful, it's wasteful.

Consider updating the CI workflow to skip the prepare script:

```yaml
- name: Install JavaScript dependencies
  run: bun install --frozen-lockfile --ignore-scripts
```

Or set the environment variable in CI:

```yaml
env:
  LEFTHOOK: 0
```

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 7, The package.json "prepare" script currently runs
"lefthook install" which triggers during bun install in CI and wastes time;
update the CI to skip running prepare by either adding --ignore-scripts to the
bun install command in your CI job (so bun install --frozen-lockfile
--ignore-scripts is used) or set the LEFTHOOK environment variable to 0 in the
CI environment, or alternately conditionally disable the prepare hook in CI, so
the "prepare" / "lefthook install" step is not executed during automated runs.
```

</details>

</blockquote></details>
<details>
<summary>.agents/skills/find-skills/SKILL.md (1)</summary><blockquote>

`60-65`: **Optional: Add language identifier to fenced code blocks.**

The markdownlint tool flags code blocks without language specifiers. For plain text output examples, you can use `text` or leave as-is since the content is clearly illustrative output.


<details>
<summary>Proposed fix (optional)</summary>

```diff
-```
+```text
 Install with npx skills add <owner/repo@skill>

 vercel-labs/agent-skills@vercel-react-best-practices
 └ https://skills.sh/vercel-labs/agent-skills/vercel-react-best-practices
 ```
```

Similar change can be applied to code blocks at lines 77 and 127.
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @.agents/skills/find-skills/SKILL.md around lines 60 - 65, Add a language
identifier to the fenced code blocks in SKILL.md so markdownlint stops flagging
them: change the opening fences for the example blocks (the install example
shown and the other blocks referenced around lines 77 and 127) from ``` to ```text.

.agents/commands/worktree-pr.md (1)

`208-208`: **Inconsistent directory reference in exclusion rule.**

The note excludes .cursor/** but this PR migrates configuration to .agents/. Consider updating to reflect the new structure, or clarify if both directories should be excluded.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/commands/worktree-pr.md at line 208, Update the exclusion note to
reference the new configuration path: replace or augment the `.cursor/**`
pattern with the migrated `.agents/cursor/**` (or explicitly list both
`.cursor/**` and `.agents/cursor/**` if both may exist) so the rule matches the
current repository layout; ensure the line that currently contains `.cursor/**`
is edited to reflect `.agents/` (preserve the exception about commands).
.agents/skills/test-driven-development/testing-anti-patterns.md (1)

`15-19`: **Add language specifier to fenced code blocks.**

Static analysis flags these pseudocode blocks as missing a language specifier. Adding `text` or `plaintext` would satisfy the linter while indicating these are not executable code.

Example fix for line 15
-```
+```text
 1. NEVER test mock behavior
 2. NEVER add test-only methods to production classes
 3. NEVER mock without understanding dependencies
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @.agents/skills/test-driven-development/testing-anti-patterns.md around lines
15 - 19, Update the fenced code block containing the three anti-pattern lines to
include a language specifier (e.g., "text" or "plaintext") so the linter stops
flagging it; locate the fenced block (the triple-backtick block that starts
before "1. NEVER test mock behavior") and change the opening fence to ```text (or ```plaintext) while leaving the content unchanged.


</details>

</blockquote></details>
<details>
<summary>.agents/commands/final-check.md (1)</summary><blockquote>

`5-8`: **Language inconsistency with corresponding SKILL.md.**

This command file is in Japanese while `.agents/skills/final-check/SKILL.md` covers the same workflow in English. Consider aligning the language across related documentation for consistency, or explicitly noting this is the Japanese localization.

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In @.agents/commands/final-check.md around lines 5 - 8, The Japanese text in
.agents/commands/final-check.md conflicts with the English description in
.agents/skills/final-check/SKILL.md; either translate
.agents/commands/final-check.md into English to match SKILL.md or mark it
explicitly as the Japanese localization (e.g., add a header like "Localization:
Japanese" and a brief note linking to the English SKILL.md). Update the file
.agents/commands/final-check.md accordingly and ensure the content and intent
remain identical to the workflow in .agents/skills/final-check/SKILL.md.
```

</details>

</blockquote></details>
<details>
<summary>programs/doom-nft-program/Cargo.toml (1)</summary><blockquote>

`28-28`: **Remove the explicit `solana-program` dependency; use Anchor's transitive dependency instead.**

`solana-program = "1.18.26"` is semver-compatible with Anchor 0.29.0 (which requires `^1.16`), but explicitly declaring it is unnecessary and can cause type mismatch issues. Rely on Anchor's transitive dependency and import from `anchor_lang::solana_program` to avoid version conflicts across the codebase.

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@programs/doom-nft-program/Cargo.toml` at line 28, Remove the explicit
solana-program dependency declaration (the line solana-program = "1.18.26") from
Cargo.toml so the crate uses Anchor’s transitive solana-program version, and
update any code that imports solana_program directly to import via
anchor_lang::solana_program (e.g., replace uses of
solana_program::pubkey::Pubkey, system_program, etc. with
anchor_lang::solana_program::... or re-exported types) to prevent version/type
mismatches with Anchor 0.29.0.
```

</details>

</blockquote></details>
<details>
<summary>.agents/skills/create-pr/scripts/poll-pr.sh (2)</summary><blockquote>

`233-235`: **Consider logging triage failures instead of silent suppression.**

The `|| true` suppresses all failures from `triage-pr.sh`, including unexpected errors. Since `$pr` and `$repo` are validated earlier in the script, failures here would indicate a real problem. Consider logging when triage fails:



<details>
<summary>♻️ Log triage failures</summary>

```diff
   if [[ "$triage_on_change" == "1" && "$changed" == "1" ]]; then
-    bash "$script_dir/triage-pr.sh" --pr "$pr" --repo "$repo" || true
+    bash "$script_dir/triage-pr.sh" --pr "$pr" --repo "$repo" || echo "Warning: triage-pr.sh failed" >&2
   fi
```
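
Review bot: the replacement `echo "Warning: triage-pr.sh failed" >&2` on the `+` line drops the exit status and the PR context, so a warning in the log cannot be tied back to a specific poll. `$pr` and `$repo` are already in scope on that line; include them and the status, for example `|| echo "Warning: triage-pr.sh failed (exit $?) for PR $pr in $repo" >&2`.
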
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/create-pr/scripts/poll-pr.sh around lines 233 - 235, The
silent suppression via "|| true" after invoking bash "$script_dir/triage-pr.sh"
hides real triage errors; change the invocation so failures are detected and
logged instead: call bash "$script_dir/triage-pr.sh" --pr "$pr" --repo "$repo"
and on non-zero exit capture the status ($?) and write a clear error via the
existing logger (or echo) that includes the exit code and context
(triage_on_change, pr, repo, script_dir) so triage failures are visible for
triage_pr.sh invocation when triage_on_change and changed are set.
```

</details>

---

`237-242`: **Redundant variable check.**

The condition `-n "${pending:-}"` at line 237 is unnecessary since `pending` is always initialized to `0` at line 127. The `:-` fallback is defensive but slightly misleading. Consider simplifying to just check the numeric condition.



<details>
<summary>♻️ Simplified condition</summary>

```diff
-  if [[ "$exit_when_green" == "1" && -n "${pending:-}" ]]; then
+  if [[ "$exit_when_green" == "1" ]]; then
     if (( pending == 0 && failed == 0 && total > 0 )); then
```
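
Review bot: with the `-n "${pending:-}"` test removed from the outer `if`, the two conditions no longer need separate nesting levels; if nothing else lives in the outer block they can be joined as `if [[ "$exit_when_green" == "1" ]] && (( pending == 0 && failed == 0 && total > 0 )); then`. The arithmetic test also reads `failed` and `total` without any guard, so the simplification is only safe when all three counters are initialized before the loop, not just `pending`.
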
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/create-pr/scripts/poll-pr.sh around lines 237 - 242, The
check uses a redundant string test -n "${pending:-}" even though the variable
pending is initialized to 0 earlier; update the condition around exit_when_green
to remove the unnecessary test and simply rely on the numeric check: keep the
outer check for exit_when_green (exit_when_green) and inside use the arithmetic
test (( pending == 0 && failed == 0 && total > 0 )) to decide to echo and break,
removing the -n "${pending:-}" portion.
```

</details>

</blockquote></details>
<details>
<summary>.agents/skills/create-pr/scripts/triage-pr.sh (1)</summary><blockquote>

`78-79`: **Skipped checks not counted in total.**

The `skip|skipped|neutral` case increments `total` (line 69) but doesn't add to any category counter. This is technically correct but may cause confusion since `total != pending + failed + success`. Consider either excluding skipped from total or adding a `skipped` counter for clarity.

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/create-pr/scripts/triage-pr.sh around lines 78 - 79, The case
branch for "skip|skipped|neutral" currently leaves `total` incremented but
doesn't update any category counter, causing `total != pending + failed +
success`; fix by adding a `skipped` counter (e.g., initialize `skipped=0`
alongside `pending`, `failed`, `success`) and increment `skipped` inside the
`skip|skipped|neutral)` branch, or alternatively stop incrementing `total` for
skipped checks (adjust where `total` is incremented) so `total` equals the sum
of category counters; update any final summary output to include the new
`skipped` counter if you choose that option.
```

</details>

</blockquote></details>
<details>
<summary>.agents/skills/solana-dev/programs-pinocchio.md (1)</summary><blockquote>

`470-490`: **Verify ProgramError import path.**

The import at line 473 uses `pinocchio::program_error::ProgramError`, but earlier examples (line 34) use `pinocchio::error::ProgramError`. Ensure consistency across the document—if both paths are valid re-exports, a note clarifying this would help.

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/solana-dev/programs-pinocchio.md around lines 470 - 490, The
import path for ProgramError is inconsistent: change the import in the
VaultError snippet to the canonical path used elsewhere (use
pinocchio::error::ProgramError to match earlier examples) or, if
pinocchio::program_error::ProgramError is a valid re-export, add a short
clarifying comment above the import noting it’s a re-export; update the
VaultError impl (From<VaultError> for ProgramError) to use the same ProgramError
symbol as the rest of the document so all references to ProgramError and the
VaultError -> ProgramError conversion are consistent.
```

</details>

</blockquote></details>
<details>
<summary>.agents/skills/create-pr/SKILL.md (1)</summary><blockquote>

`82-84`: **Clarify `wt` command dependency.**

Line 83 references `wt remove --yes --force`, which appears to be a custom worktree management tool rather than standard git. Consider adding a note about this dependency or providing the full git worktree command as an alternative for environments without `wt`.

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/create-pr/SKILL.md around lines 82 - 84, Clarify that the `wt
remove --yes --force` command is an external/custom worktree utility and offer
the standard Git alternative: explain that the worktree check uses `git
rev-parse --git-common-dir` vs `git rev-parse --git-dir`, then when in a
worktree use `request_user_input` to prompt the user and, if confirmed, either
run the `wt remove --yes --force` command (documenting it as a non-standard
dependency) or use the equivalent Git sequence (e.g., use `git worktree remove
<worktree-path>` to remove the worktree and `git branch -D <branch>` to remove
the local branch), then switch back to main with `git checkout main && git
pull`; mention `wt remove --yes --force`, `request_user_input`, `git worktree
remove`, and `git branch -D` by name so reviewers can find and update the lines.
```

</details>

</blockquote></details>
<details>
<summary>.agents/skills/create-pr/scripts/pr-body-update.sh (1)</summary><blockquote>

`81-85`: **Consider handling GraphQL mutation errors.**

The GraphQL mutation output is redirected to `/dev/null`, which suppresses both success and error responses. If the mutation fails (e.g., permission denied, invalid PR ID), the script continues to verification, which will then fail with a confusing "mismatch" message. Consider capturing and checking the response.



<details>
<summary>🛡️ Proposed fix to handle mutation errors</summary>

```diff
-gh api graphql \
+response=$(gh api graphql \
   -f query='mutation($id:ID!,$body:String!){updatePullRequest(input:{pullRequestId:$id, body:$body}){pullRequest{id}}}' \
   -f id="$pr_id" \
-  -f body="$(cat "$body_file")" \
-  >/dev/null
+  -f body="$(cat "$body_file")" 2>&1) || {
+  echo "GraphQL mutation failed: $response" >&2
+  exit 1
+}
```
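
Review bot: the added `|| { ... exit 1 }` handler only fires on a non-zero exit from `gh api graphql`, and `$response` is never inspected on the success path, so if the command exits 0 while the reply carries an `errors` field the script still falls through to verification. The `2>&1` inside the substitution also mixes stderr text into `$response`, which gets in the way of parsing it as JSON; capture stdout alone and check for `errors` (for example with `jq -e '.errors'`) before continuing.
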
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/create-pr/scripts/pr-body-update.sh around lines 81 - 85, The
GraphQL mutation call using "gh api graphql" (the gh api graphql invocation that
posts variables id="$pr_id" and body="$(cat "$body_file")") currently redirects
output to /dev/null so errors are lost; change it to capture the command output
into a variable, parse the JSON for an "errors" field or non-success response,
and if any error is present print the response to stderr (including the error
details) and exit non-zero before proceeding to verification so
permission/ID/validation failures are detected early.
```

</details>

</blockquote></details>

</blockquote></details>

<details>
<summary>🤖 Prompt for all review comments with AI agents</summary>

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/rules/dotenvx.mdc:

  • Around line 28-51: The examples currently imply automatic encryption for the
    command "dotenvx set SECRET_KEY "value"" but the CLI requires the explicit
    --encrypt flag or a subsequent "dotenvx encrypt" run; update the examples to
    show the correct usage by adding the --encrypt flag to the set commands (e.g.,
    reference the command symbol dotenvx set and the flag --encrypt) or add an
    inline note clarifying that values set without --encrypt remain plaintext until
    you run the dotenvx encrypt command (reference the command symbol dotenvx
    encrypt) so the docs accurately reflect required behavior.

In @.agents/skills/create-pr/scripts/poll-pr.sh:

  • Around line 164-166: The check on failed_signature_lines can trigger an
    "unbound variable" under set -u when the array was never initialized; initialize
    failed_signature_lines=() before the loop that populates it, or change the
    existence check to use a safe expansion like ${#failed_signature_lines[@]:-0}
    before computing failed_signature and assigning failed_signature=$(printf ...);
    ensure the fix targets the failed_signature_lines usage and the subsequent
    failed_signature assignment in the script.

In @.agents/skills/solana-dev/programs-pinocchio.md:

  • Around line 497-511: The close function calls account.realloc(1, true)? but
    AccountView does not have realloc; either change the parameter type to the
    account type that supports resizing (e.g., AccountInfo) or remove the realloc
    call and rely on account.close() alone. Locate pub fn close(account:
    &AccountView, destination: &AccountView) -> ProgramResult and either (A) change
    the signature to accept pinocchio::account_info::AccountInfo (or the correct
    AccountInfo wrapper) and use the newer resize() API if targeting v0.9.0+, or (B)
    delete the account.realloc(1, true)? line so the function only marks data and
    transfers lamports before calling account.close(). Ensure all call sites are
    updated to match the chosen type change if you pick option A.

In @.agents/skills/update-pr/SKILL.md:

  • Around line 72-99: The "Handling Common Review Requests" section in
    .agents/skills/update-pr/SKILL.md currently references pnpm, packages/* paths
    and Storybook snapshot commands; replace those examples with this repo's actual
    Bun + Cargo workflow by updating the listed commands and paths (e.g., swap pnpm test, pnpm build, pnpm format, pnpm lint, and the Storybook snapshot
    steps) to the equivalent Bun/Cargo commands used by this repo, adjust
    test/snapshot paths from packages/*/src/__tests__/ and
    packages/*/__image_snapshots__/ to the repository's test and artifact
    locations, and ensure the steps under the "Please add tests", "Update types",
    "Fix lint issues", and "Update snapshots" bullets reference the correct
    build/test/lint/update commands and directories used in this repository.
  • Around line 38-44: The staged commit instruction currently uses the git add -u
    command which omits untracked files; update the SKILL.md snippet to use a
    staging command that includes untracked files (for example use git add -A or git
    add . instead of git add -u) so new tests, docs, or snapshots added during
    review fixes are included in the commit; replace the git add -u line in the
    snippet accordingly and keep the rest of the commit guidance the same.

In @.github/workflows/ci.yml:

  • Around line 22-25: Replace the dtolnay/rust-toolchain@stable step so CI
    respects the checked-in rust-toolchain.toml: either switch the action to one
    that reads the toolchain file (e.g., use moonrepo/setup-rust) or explicitly pin
    the toolchain version in the workflow instead of dtolnay/rust-toolchain@stable;
    update the workflow step that currently uses dtolnay/rust-toolchain@stable and
    ensure it reads or matches rust-toolchain.toml's channel/version so future
    changes to rust-toolchain.toml are honored.

Minor comments:
In @.agents/commands/check-simirality.md:

  • Line 1: The markdown filename contains a typo: rename check-simirality.md to
    check-similarity.md and update any references/imports to that file (search for
    "check-simirality.md" and replace) so it matches the tool name similarity-ts;
    ensure related references in README, scripts, CI config, and any tooling that
    expects check-similarity.md are updated accordingly to avoid broken links.

In @.agents/commands/worktree-pr.md:

  • Line 136: Update the stale file path referenced in the documentation: change
    the mention of ".cursor/rules/commit-style.mdc" to the migrated location
    ".agents/rules/commit-style.mdc" in the file .agents/commands/worktree-pr.md
    (update the single occurrence on the line that currently points to the old path
    so all readers point to the new commit-style rules).

In @.agents/rules/coderabbit.mdc:

  • Line 7: Replace the misspelled word "comands" with "commands" in the
    documentation line that reads "cr -h for details on comands available" so it
    correctly reads "cr -h for details on commands available"; search for the
    literal string "comands" in .agents/rules/coderabbit.mdc (the sentence that
    starts "CodeRabbit is already installed...") and update it.

In @.agents/rules/commit-style.mdc:

  • Line 58: The staging rule text currently references ".cursor/**" which is
    outdated after migrating config to ".agents/"; update the rule in
    commit-style.mdc to replace the ".cursor/**" exception with ".agents/**" (and
    ensure the same "except commands" caveat is preserved) so the guidance
    accurately reflects the new directory structure.

In @.agents/rules/dotenvx.mdc:

  • Around line 56-57: The grep pattern in the staged check uses a regex-style
    pattern ('.env.keys') so dots match any character; update the check in the
    command that currently runs "git diff --cached --name-only | grep -q '.env.keys'
    ..." to use a literal match (for example by adding grep's -F flag or escaping
    dots) so only the exact filename ".env.keys" is detected and false positives are
    avoided.

In @.agents/rules/proactive-subagent-and-skills.mdc:

  • Line 10: Replace the invalid HTTP URL string "http://SKILL.md" in the rule
    sentence with a relative file path to the actual SKILL.md in your skills
    directory (e.g., "skills/SKILL.md" or "./skills/SKILL.md") so the rule
    references the local file rather than using an incorrect protocol; update the
    phrase in .agents/rules/proactive-subagent-and-skills.mdc where
    "http://SKILL.md" appears to use that relative path.

In @.agents/rules/test.mdc:

In @.agents/skills/solana-dev/programs-pinocchio.md:

  • Around line 83-84: The stray Rust-style comment "// Note: Use
    Address::new_from_array() not Address::new()" is outside a code fence;
    either convert it into normal Markdown prose (e.g., "Note: Use
    Address::new_from_array() instead of Address::new().") or move it inside the
    appropriate Rust code block where Address::new_from_array() and Address::new()
    are shown (look for the code block referencing Address). Ensure the comment
    formatting matches the surrounding Markdown (plain sentence in text or a comment
    inside a fenced ```rust block) so it is no longer a stray line.
  • Around line 137-186: The impl TryFrom for DepositAccounts contains a
    duplicated tail block using the wrong method name; remove the duplicated block
    that repeats the owner and program-id checks (the second occurrence that uses
    is_owned_by()) so the impl TryFrom for DepositAccounts only includes the single
    correct owner check using vault.owned_by(&pinocchio_system::ID) and the program
    id check comparing system_program.address() to &pinocchio_system::ID, leaving
    Ok(Self { owner, vault, system_program }) as the final return.

In @.agents/skills/solana-dev/security.md:

  • Around line 216-230: The close function uses the deprecated
    AccountInfo::realloc; replace the realloc call in close (currently
    account.realloc(1, true)?) with the new account.resize(1) API: remove the
    boolean argument and call resize(1) to shrink the account to one byte (new bytes
    are zeroed automatically), keeping the preceding sentinel write, lamports
    transfer, and final account.close() call unchanged; update any imports or error
    handling if the resize method returns a different error type.

In @.agents/skills/test-driven-development/SKILL.md:

  • Around line 103-117: Replace the incorrect import and mock usage in the "Bad"
    example: change the import from import { test, expect, jest } from "bun:test"
    to import { test, expect, mock } from "bun:test" and update the mock creation
    from jest.fn() to mock.fn() (the test still exercises retryOperation so
    keep the call to retryOperation(mock) and the
    expect(mock).toHaveBeenCalledTimes(3) assertion); also consider renaming the
    example or adding a short note clarifying that the issue shown is the invalid
    import, not the retry test itself.

In @AGENTS.md:

  • Around line 72-75: The "Core Principles" statement in AGENTS.md forbids
    backward-compat shims which conflicts with the guidance in
    .agents/commands/refactor.md that requires a migration shim plus a deprecation
    note for unavoidable API breaks; reconcile by updating AGENTS.md's "Simplicity
    First"/"No Laziness"/"Minimal Impact" language to explicitly allow a short-lived
    backward-compat shim with a deprecation notice and a removal timeline when an
    API break is unavoidable (or alternatively update .agents/commands/refactor.md
    to match AGENTS.md), and reference the policy in both places (AGENTS.md and
    .agents/commands/refactor.md) so agents follow the same rule set for refactors
    and migration shims.

In @docs/PRODUCT.md:

  • Line 7: Fix the typo in the sentence "DOOM
    INDEXで生成したAI生成絵画をipfsなどの分散がストレージにuploadしそのmetadataを使いsolanaの規格に準拠したNFTをmintできるようにします。"
    by replacing "分散がストレージ" with "分散ストレージ" so the sentence reads
    "...ipfsなどの分散ストレージにuploadしそのmetadataを使い..." to correct the phrasing.

In @Makefile:

  • Around line 7-9: The Makefile's install target redundantly calls prepare after
    running $(BUN) install, causing duplicate Lefthook installation; remove the
    extra '$(BUN) run prepare' command from the install recipe so the install target
    only runs '$(BUN) install' (leave the install target and $(BUN) variable
    intact).

Nitpick comments:
In @.agents/commands/final-check.md:

  • Around line 5-8: The Japanese text in .agents/commands/final-check.md
    conflicts with the English description in .agents/skills/final-check/SKILL.md;
    either translate .agents/commands/final-check.md into English to match SKILL.md
    or mark it explicitly as the Japanese localization (e.g., add a header like
    "Localization: Japanese" and a brief note linking to the English SKILL.md).
    Update the file .agents/commands/final-check.md accordingly and ensure the
    content and intent remain identical to the workflow in
    .agents/skills/final-check/SKILL.md.

In @.agents/commands/worktree-pr.md:

  • Line 208: Update the exclusion note to reference the new configuration path:
    replace or augment the .cursor/** pattern with the migrated
    .agents/cursor/** (or explicitly list both .cursor/** and
    .agents/cursor/** if both may exist) so the rule matches the current
    repository layout; ensure the line that currently contains .cursor/** is
    edited to reflect .agents/ (preserve the exception about commands).

In @.agents/memory/todo.md:

  • Around line 31-35: The noted style issues are repeated sentence openings and a
    capitalization error; edit the todo.md content where several consecutive lines
    start with "Confirmed" (the block referencing anchor commands) to vary sentence
    structure — e.g., combine some confirmations into a single sentence, use passive
    voice, or start with the command name (anchor test/anchor shell/anchor build) —
    and similarly rewrite the lines that begin with "Added" (the later
    changelog-style lines) to avoid repetitive openings; also correct the proper
    noun "GitHub" (capitalize the H) wherever it appears (line referencing
    GitHub/line 52). Keep meaning unchanged and aim for clearer flow and parallel
    structure in the rewritten sentences.

In @.agents/rules/dotenvx.mdc:

  • Around line 63-71: Add a short "Production key management" subsection under
    "Runtime Decryption" that expands on DOTENV_PRIVATE_KEY_PRODUCTION and dotenvx
    run: describe storing the private key in CI/CD secret stores (e.g., GitHub
    Actions secrets, GitLab CI variables), or managed secret services (AWS Secrets
    Manager, HashiCorp Vault), granting access via role-based IAM or team membership
    onboarding procedures, and a recommended key rotation process (regular rotation
    schedule, revoke old keys, update CI secrets, and test rollout). Reference
    DOTENV_PRIVATE_KEY_PRODUCTION and dotenvx run in the text so readers know these
    practices apply to the production private key used at runtime.
  • Around line 1-77: Add an "Initial Setup" (or "Getting Started") section near
    the top that tells new developers how to obtain/generate the private key,
    decrypt committed env files, and request access: explain that .env.keys must be
    provided by an authorized maintainer (or generated locally with the dotenvx key
    generation workflow), show the minimal steps to decrypt committed .env files on
    a fresh clone (using dotenvx run with the DOTENV_PRIVATE_KEY or by placing
    .env.keys locally), and include guidance on who/how to request the .env.keys
    from the team and verification steps (e.g., run dotenvx encrypt/decrypt checks)
    so new contributors can bootstrap their environment securely.

In @.agents/skills/create-pr/scripts/poll-pr.sh:

  • Around line 233-235: The silent suppression via "|| true" after invoking bash
    "$script_dir/triage-pr.sh" hides real triage errors; change the invocation so
    failures are detected and logged instead: call bash "$script_dir/triage-pr.sh"
    --pr "$pr" --repo "$repo" and on non-zero exit capture the status ($?) and write
    a clear error via the existing logger (or echo) that includes the exit code and
    context (triage_on_change, pr, repo, script_dir) so triage failures are visible
    for triage_pr.sh invocation when triage_on_change and changed are set.
  • Around line 237-242: The check uses a redundant string test -n "${pending:-}"
    even though the variable pending is initialized to 0 earlier; update the
    condition around exit_when_green to remove the unnecessary test and simply rely
    on the numeric check: keep the outer check for exit_when_green (exit_when_green)
    and inside use the arithmetic test (( pending == 0 && failed == 0 && total > 0
    )) to decide to echo and break, removing the -n "${pending:-}" portion.

In @.agents/skills/create-pr/scripts/pr-body-update.sh:

  • Around line 81-85: The GraphQL mutation call using "gh api graphql" (the gh
    api graphql invocation that posts variables id="$pr_id" and body="$(cat
    "$body_file")") currently redirects output to /dev/null so errors are lost;
    change it to capture the command output into a variable, parse the JSON for an
    "errors" field or non-success response, and if any error is present print the
    response to stderr (including the error details) and exit non-zero before
    proceeding to verification so permission/ID/validation failures are detected
    early.

In @.agents/skills/create-pr/scripts/triage-pr.sh:

  • Around line 78-79: The case branch for "skip|skipped|neutral" currently leaves
    total incremented but doesn't update any category counter, causing total != pending + failed + success; fix by adding a skipped counter (e.g., initialize
    skipped=0 alongside pending, failed, success) and increment skipped
    inside the skip|skipped|neutral) branch, or alternatively stop incrementing
    total for skipped checks (adjust where total is incremented) so total
    equals the sum of category counters; update any final summary output to include
    the new skipped counter if you choose that option.

In @.agents/skills/create-pr/SKILL.md:

  • Around line 82-84: Clarify that the wt remove --yes --force command is an
    external/custom worktree utility and offer the standard Git alternative: explain
    that the worktree check uses git rev-parse --git-common-dir vs git rev-parse --git-dir, then when in a worktree use request_user_input to prompt the user
    and, if confirmed, either run the wt remove --yes --force command (documenting
    it as a non-standard dependency) or use the equivalent Git sequence (e.g., use
    git worktree remove <worktree-path> to remove the worktree and git branch -D <branch> to remove the local branch), then switch back to main with git checkout main && git pull; mention wt remove --yes --force,
    request_user_input, git worktree remove, and git branch -D by name so
    reviewers can find and update the lines.

In @.agents/skills/find-skills/SKILL.md:

  • Around line 60-65: Add a language identifier to the fenced code blocks in
    SKILL.md so markdownlint stops flagging them: change the opening fences for the
    example blocks (the install example shown and the other blocks referenced around
    lines 77 and 127) from ``` to ```text, leaving the contents unchanged so they
    are explicitly marked as plain text.

In @.agents/skills/mermaid-er-diagram/SKILL.md:

  • Around line 43-45: Update the fenced code block containing the template line
    type column_name [PK|FK|UK] ["comment"] to include a language identifier
    (e.g., add text or plaintext after the opening ```), so the block becomes a
    labeled code fence for proper syntax/formatting rendering; locate the block in
    SKILL.md and modify the opening fence accordingly.

In @.agents/skills/solana-dev/programs-pinocchio.md:

  • Around line 470-490: The import path for ProgramError is inconsistent: change
    the import in the VaultError snippet to the canonical path used elsewhere (use
    pinocchio::error::ProgramError to match earlier examples) or, if
    pinocchio::program_error::ProgramError is a valid re-export, add a short
    clarifying comment above the import noting it’s a re-export; update the
    VaultError impl (From<VaultError> for ProgramError) to use the same ProgramError
    symbol as the rest of the document so all references to ProgramError and the
    VaultError -> ProgramError conversion are consistent.

In @.agents/skills/test-driven-development/testing-anti-patterns.md:

  • Around line 15-19: Update the fenced code block containing the three
    anti-pattern lines to include a language specifier (e.g., "text" or "plaintext")
    so the linter stops flagging it; locate the fenced block (the triple-backtick
    block that starts before "1. NEVER test mock behavior") and change the opening
    fence to ```text (or ```plaintext) while leaving the content unchanged.

In @.prettierignore:

  • Around line 13-15: Remove the redundant specific markdown ignore entries by
    deleting the lines "AGENTS.md" and "CLAUDE.md" from .prettierignore since the
    existing ".md" pattern already covers all .md files; keep the ".md" entry and
    ensure no other specific .md patterns remain that are subsumed by it.

In @package.json:

  • Line 7: The package.json "prepare" script currently runs "lefthook install"
    which triggers during bun install in CI and wastes time; update the CI to skip
    running prepare by either adding --ignore-scripts to the bun install command in
    your CI job (so bun install --frozen-lockfile --ignore-scripts is used) or set
    the LEFTHOOK environment variable to 0 in the CI environment, or alternately
    conditionally disable the prepare hook in CI, so the "prepare" / "lefthook
    install" step is not executed during automated runs.

In @programs/doom-nft-program/Cargo.toml:

  • Line 28: Remove the explicit solana-program dependency declaration (the line
    solana-program = "1.18.26") from Cargo.toml so the crate uses Anchor’s
    transitive solana-program version, and update any code that imports
    solana_program directly to import via anchor_lang::solana_program (e.g., replace
    uses of solana_program::pubkey::Pubkey, system_program, etc. with
    anchor_lang::solana_program::... or re-exported types) to prevent version/type
    mismatches with Anchor 0.29.0.

</details>


Comment on lines +28 to +51
```bash
# Set a sensitive value (automatically encrypted)
dotenvx set SECRET_KEY "value"

# Set in a specific environment file
dotenvx set DATABASE_PASSWORD "value" -f .env.production
```

### Adding Non-Sensitive Config

Add plaintext values directly to the `.env` file — no encryption needed:

```
PORT=3000
LOG_LEVEL=info
NODE_ENV=production
```

### Encrypting Existing Plaintext Secrets

```bash
# Encrypt all unencrypted values in .env files
dotenvx encrypt
```
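
Review bot: both `dotenvx set` examples in the first block pass the secret value as a command-line argument, so a real value typed this way is recorded in shell history. The section should say so and tell readers to keep the command out of history (or clear the entry) when setting production secrets such as the `DATABASE_PASSWORD` written to `.env.production`.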

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

What is the correct command syntax for dotenvx set and dotenvx encrypt commands?

💡 Result:

dotenvx set syntax

dotenvx set <KEY> <value> [--encrypt] [-f <path-to-env-file>]

Examples:

dotenvx set HELLO World --encrypt          # writes encrypted value to .env

[1]

dotenvx set HELLO "production (encrypted)" -f .env.production

[2]

(If you want to force no encryption, use --plain.) [3]


dotenvx encrypt syntax

dotenvx encrypt [-f <path-to-env-file>]

Example:

dotenvx encrypt -f .env.production

[4]

Sources: [1] https://dotenvx.com/docs/advanced/set-key-value-encrypt.html, [2] https://dotenvx.com/docs/quickstart.html, [3] https://dotenvx.com/docs/advanced.html, [4] https://dotenvx.com/docs/advanced/encrypt-f


Add --encrypt flag to dotenvx set commands or clarify encryption behavior.

The examples show dotenvx set SECRET_KEY "value" with a comment stating "automatically encrypted," but the dotenvx CLI requires an explicit --encrypt flag for encryption. Without it, values are stored in plaintext. Update the examples to either include --encrypt (e.g., dotenvx set SECRET_KEY "value" --encrypt) or clarify that the dotenvx encrypt command must be run afterward to encrypt existing values.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/rules/dotenvx.mdc around lines 28 - 51, The examples currently imply
automatic encryption for the command "dotenvx set SECRET_KEY \"value\"" but the
CLI requires the explicit --encrypt flag or a subsequent "dotenvx encrypt" run;
update the examples to show the correct usage by adding the --encrypt flag to
the set commands (e.g., reference the command symbol dotenvx set and the flag
--encrypt) or add an inline note clarifying that values set without --encrypt
remain plaintext until you run the dotenvx encrypt command (reference the
command symbol dotenvx encrypt) so the docs accurately reflect required
behavior.

Comment on lines +164 to +166
if [[ ${#failed_signature_lines[@]} -gt 0 ]]; then
failed_signature=$(printf '%s\n' "${failed_signature_lines[@]}" | sort | paste -sd'|' -)
fi

⚠️ Potential issue | 🟠 Major

Empty array causes unbound variable error with set -u.

Line 164 checks ${#failed_signature_lines[@]}, but if no checks failed, failed_signature_lines array may be uninitialized, causing an "unbound variable" error under set -u. Initialize the array before the loop or use ${#failed_signature_lines[@]:-0}.

🐛 Proposed fix
   if [[ -n "$checks_output" ]]; then
-    failed_signature_lines=()
+    declare -a failed_signature_lines=()
     while IFS=$'\t' read -r check_name check_state _check_age check_url _rest; do
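
Review bot: in this first variant the initialization stays inside the `if [[ -n "$checks_output" ]]` block, so when `checks_output` is empty `failed_signature_lines` is still never assigned before the later `${#failed_signature_lines[@]}` test. Changing `failed_signature_lines=()` to `declare -a failed_signature_lines=()` on the same line does not alter that; move the assignment above the `if` so the array exists on every path.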

Or alternatively, guard the check:

-    if [[ ${`#failed_signature_lines`[@]} -gt 0 ]]; then
+    if [[ ${`#failed_signature_lines`[@]:-0} -gt 0 ]]; then
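
Review bot: the `:-0` default on the `+` line is attached to a length expansion, and bash documents `${#name[@]}` and `${name:-word}` as separate forms, not a combined one. Run the changed line under `set -u` in the bash version the script targets before adopting it; initializing the array unconditionally avoids the question.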
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/create-pr/scripts/poll-pr.sh around lines 164 - 166, The
check on failed_signature_lines can trigger an "unbound variable" under set -u
when the array was never initialized; initialize failed_signature_lines=()
before the loop that populates it, or change the existence check to use a safe
expansion like ${#failed_signature_lines[@]:-0} before computing
failed_signature and assigning failed_signature=$(printf ...); ensure the fix
targets the failed_signature_lines usage and the subsequent failed_signature
assignment in the script.

Comment on lines +497 to +511
pub fn close(account: &AccountView, destination: &AccountView) -> ProgramResult {
// Mark as closed (prevents reinitialization)
{
let mut data = account.try_borrow_mut_data()?;
data[0] = 0xff;
}

// Transfer lamports
*destination.try_borrow_mut_lamports()? += *account.try_borrow_lamports()?;

// Shrink and close
account.realloc(1, true)?;
account.close()
}
```

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

pinocchio solana account close method 2025

💡 Result:

In Pinocchio’s SPL Token CPI helpers (pinocchio-token), the “close account” method is the CloseAccount instruction wrapper, which exposes:

  • CloseAccount::invoke() (no PDA signing)
  • CloseAccount::invoke_signed(signers: &[Signer]) (for PDA authorities)

Accounts (in order):

  0. account (writable): token account to close
  1. destination (writable): account that receives the reclaimed SOL (rent)
  2. authority (signer): owner/close authority of the token account [1]

Example (typical):

use pinocchio_token::instructions::CloseAccount;

CloseAccount {
    account: token_account,
    destination: refund_destination,
    authority: owner_authority,
}.invoke()?;

Example (PDA authority):

CloseAccount {
    account: token_account,
    destination: refund_destination,
    authority: pda_authority_account,
}.invoke_signed(&[/* seeds */])?;

This is part of pinocchio-token, which provides invoke / invoke_signed CPI helpers for SPL Token instructions. [2]

Sources: [1] [2]


🌐 Web query:

Pinocchio AccountView close realloc method documentation

💡 Result:

  • AccountView::close (Pinocchio “AccountView” type) is documented on the solana_account_view::AccountView rustdoc page (methods: close, close_unchecked). It “zeros out the account’s data length, lamports and owner fields” (but does not zero the underlying data bytes immediately), and notes you must move lamports out first to avoid an unbalanced-instruction error. [1]

  • There is no AccountView::realloc in solana_account_view::AccountView (so if you’re looking for “realloc” docs, you’re likely on the wrong type). [1]

  • Pinocchio’s resizing/realloc API is on pinocchio::account_info::AccountInfo:

    • AccountInfo::realloc(new_len, zero_init) exists but is deprecated since 0.9.0 in favor of AccountInfo::resize(new_len); the docs say zero_init is deprecated/ignored and the method always zero-initializes newly-added bytes when growing. [2]
    • AccountInfo::resize(new_len) is the recommended replacement; both mention the per-instruction growth cap (MAX_PERMITTED_DATA_INCREASE). [2]
    • AccountInfo::close / close_unchecked are documented there as well (same “zero out data_len/lamports/owner; runtime zeroes data later” model). [3]

Sources: [1] [2] [3]


🏁 Script executed:

# Search for Pinocchio documentation or source code about AccountView
fd -e md -e rs pinocchio | head -20

Repository: doom-protocol/doom-nft-program

Length of output: 56


🏁 Script executed:

cat -n ".agents/skills/solana-dev/programs-pinocchio.md" | sed -n '490,520p'

Repository: doom-protocol/doom-nft-program

Length of output: 896


Remove invalid realloc() call—AccountView lacks this method.

The code calls account.realloc(1, true)? where account is &AccountView, but AccountView does not expose a realloc() method. The realloc() method exists only on pinocchio::account_info::AccountInfo (and is deprecated in favor of resize() since v0.9.0). Either the type should be AccountInfo or the realloc call should be removed. If the intent is to shrink the account before closing, clarify the correct API or use the appropriate type.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/solana-dev/programs-pinocchio.md around lines 497 - 511, The
close function calls account.realloc(1, true)? but AccountView does not have
realloc; either change the parameter type to the account type that supports
resizing (e.g., AccountInfo) or remove the realloc call and rely on
account.close() alone. Locate pub fn close(account: &AccountView, destination:
&AccountView) -> ProgramResult and either (A) change the signature to accept
pinocchio::account_info::AccountInfo (or the correct AccountInfo wrapper) and
use the newer resize() API if targeting v0.9.0+, or (B) delete the
account.realloc(1, true)? line so the function only marks data and transfers
lamports before calling account.close(). Ensure all call sites are updated to
match the chosen type change if you pick option A.

Comment on lines +38 to +44
```bash
# Stage changes
git add -u

# Commit with reference to what was addressed
git commit -m "address review: <brief description>"
```

⚠️ Potential issue | 🟠 Major

Don’t use git add -u as the default staging command.

That skips untracked files, so new tests, docs, or snapshots added during review fixes won’t make it into the commit.

Suggested change
-# Stage changes
-git add -u
+# Stage changes
+git add -A
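
Review bot: swapping `git add -u` for `git add -A` makes the skill stage every untracked file in the worktree, not only the new tests or docs the review asked for, so local files that are not ignored (an unencrypted `.env`, scratch output) can end up in the commit. Suggest staging explicit paths, or adding a `git status` check after the `git add` line and before committing.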
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
```bash
# Stage changes
git add -u
# Commit with reference to what was addressed
git commit -m "address review: <brief description>"
```
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/update-pr/SKILL.md around lines 38 - 44, The staged commit
instruction currently uses the git add -u command which omits untracked files;
update the SKILL.md snippet to use a staging command that includes untracked
files (for example use git add -A or git add . instead of git add -u) so new
tests, docs, or snapshots added during review fixes are included in the commit;
replace the git add -u line in the snippet accordingly and keep the rest of the
commit guidance the same.

Comment on lines +72 to +99
## Handling Common Review Requests

### "Please add tests"

1. Identify the appropriate test file in `packages/*/src/__tests__/`
2. Add test cases covering the new functionality
3. Run `pnpm test` to verify

### "Update types"

1. Check TypeScript errors with `pnpm build`
2. Update type definitions as needed
3. Ensure no type errors remain

### "Fix lint issues"

```bash
pnpm format # Auto-fix formatting
pnpm lint # Check and fix lint issues
```

### "Update snapshots"

```bash
pnpm test:storybook:update
git add packages/*/__image_snapshots__/
git commit -m "chore: update storybook snapshots"
```

⚠️ Potential issue | 🟠 Major

Replace the copied pnpm/Storybook guidance with this repo’s actual workflow.

This section doesn’t match the tooling introduced in the rest of the PR: it assumes packages/*, pnpm, and Storybook snapshots, while the repository is being standardized around Bun + Cargo. As written, the skill will direct PR updates to nonexistent commands and paths.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/update-pr/SKILL.md around lines 72 - 99, The "Handling Common
Review Requests" section in .agents/skills/update-pr/SKILL.md currently
references pnpm, packages/* paths and Storybook snapshot commands; replace those
examples with this repo's actual Bun + Cargo workflow by updating the listed
commands and paths (e.g., swap `pnpm test`, `pnpm build`, `pnpm format`, `pnpm
lint`, and the Storybook snapshot steps) to the equivalent Bun/Cargo commands
used by this repo, adjust test/snapshot paths from `packages/*/src/__tests__/`
and `packages/*/__image_snapshots__/` to the repository's test and artifact
locations, and ensure the steps under the "Please add tests", "Update types",
"Fix lint issues", and "Update snapshots" bullets reference the correct
build/test/lint/update commands and directories used in this repository.

Comment on lines +22 to +25
- name: Setup Rust
uses: dtolnay/rust-toolchain@stable
with:
components: rustfmt, clippy
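
Review bot: `uses: dtolnay/rust-toolchain@stable` refers to a branch of the action repository, so the code that runs in this job can change without any change in this repository. Pin the step to a full commit SHA, with `toolchain:` passed under `with:` alongside `components: rustfmt, clippy` if the pinned revision needs it.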

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Search for Rust toolchain files
fd -t f "rust-toolchain" .

Repository: doom-protocol/doom-nft-program

Length of output: 95


🏁 Script executed:

# Read the CI workflow file to see the complete context
cat -n .github/workflows/ci.yml

Repository: doom-protocol/doom-nft-program

Length of output: 1254


🏁 Script executed:

# Check if there's any mention of toolchain pinning in the repo
rg "rust-toolchain" --type yaml --type toml -i

Repository: doom-protocol/doom-nft-program

Length of output: 56


🏁 Script executed:

# Read the rust-toolchain.toml file to see the pinned version
cat rust-toolchain.toml

Repository: doom-protocol/doom-nft-program

Length of output: 159


🌐 Web query:

dtolnay/rust-toolchain action behavior read rust-toolchain.toml

💡 Result:

dtolnay/rust-toolchain does not read rust-toolchain.toml (or rust-toolchain) to decide what to install. The toolchain is chosen either:

  • by the action ref you use (e.g. @stable, @nightly, @1.89.0) as described in its README [1], and implemented by those refs having an inputs.toolchain.default matching the ref (e.g. the stable ref defaults toolchain: stable) [2]; or
  • by explicitly passing with: toolchain: ... (typically while using dtolnay/rust-toolchain@master) [1]. On master, the toolchain input is treated as required (the action errors if it’s empty) [3].

If you specifically want “use whatever is in rust-toolchain.toml”, you’ll need a different action (for example moonrepo/setup-rust, which can inspect rust-toolchain.toml / rust-toolchain) [4].

Sources: [1] [2] [3] [4]


Ensure CI uses the checked-in Rust toolchain.

The dtolnay/rust-toolchain@stable action does not read rust-toolchain.toml; it only uses the action ref to determine the toolchain to install. If the repository's toolchain file is updated to a pinned version in the future, CI will not respect it. Either switch to an action that reads the toolchain file (e.g., moonrepo/setup-rust), or explicitly pin the version here as well.

Note: The current rust-toolchain.toml specifies channel = "stable" rather than a pinned version, so the toolchain isn't actually pinned yet.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 22 - 25, Replace the
dtolnay/rust-toolchain@stable step so CI respects the checked-in
rust-toolchain.toml: either switch the action to one that reads the toolchain
file (e.g., use moonrepo/setup-rust) or explicitly pin the toolchain version in
the workflow instead of dtolnay/rust-toolchain@stable; update the workflow step
that currently uses dtolnay/rust-toolchain@stable and ensure it reads or matches
rust-toolchain.toml's channel/version so future changes to rust-toolchain.toml
are honored.

@posaune0423 posaune0423 self-assigned this Mar 10, 2026
@posaune0423 posaune0423 added the enhancement New feature or request label Mar 10, 2026
@posaune0423 posaune0423 merged commit c1efa75 into main Mar 10, 2026
2 checks passed