feat: add fix-issue skill for GitHub Issues

[SamHoque]

Summary

• Adds a new fix-issue skill — the GitHub-native equivalent of fix-ticket
• Same 9-phase pipeline but uses gh CLI instead of Jira MCP for issue/PR management
• Adds a GitHub section to CONFIG.template.md for label and assignee config
• Updates README with the new skill in the table and project structure

What's new

The fix-issue skill automates the full GitHub issue bug-fix lifecycle:

1. Phase 0 — Branch strategy (ask/main/new/worktree)
2. Phase 1 — Read GitHub issue via gh issue view
3. Phase 1.5 — Headless browser bug reproduction (playwright-cli)
4. Phase 2 — Research & understand + user gate
5. Phase 3 — Analyze & plan
6. Phase 4 — Implement fix
7. Phase 5 — Parallel review agents (3-5)
8. Phase 5.5 — Headless browser fix verification
9. Phase 6 — Commit & push (with Closes #N trailer)
10. Phase 6.5 — Worktree merge (if applicable)
11. Phase 7 — Deployment monitor
12. Phase 8 — GitHub handoff: create PR, label issue, post comment
13. Phase 9 — Summary with phase tracker table

Why

fix-ticket is great for Jira-heavy teams. Many projects live entirely on GitHub — this skill brings the same zero-touch bug-fix pipeline to GitHub Issues without requiring any Jira MCP setup.

Test plan

• Run /fix-issue 123 on a repo with a known bug issue
• Verify Phase 0 prompts for branch strategy
• Verify Phase 8 creates a PR with Closes #N and comments on the issue
• Verify skip-github=true skips Phase 8 entirely
• Verify evaluation criteria table in SKILL.md covers all phases

[qodo-code-review]

Review Summary by Qodo

Add fix-issue skill for GitHub-native bug-fix automation

✨ Enhancement

Walkthroughs

Description

• Adds fix-issue skill for GitHub-native bug-fix automation
• Implements 9-phase pipeline: branch strategy, read issue, QA verify, research, plan, implement,
  review, QA check, commit/push, deploy monitor, GitHub handoff
• Includes headless browser QA verification (pre-fix and post-fix) using playwright-cli
• Adds GitHub configuration section to CONFIG.template.md for labels, reviewers, and assignees
• Updates README with skill table entry and project structure documentation

Diagram

flowchart LR
  User["User invokes<br/>/fix-issue 123"] --> Phase0["Phase 0:<br/>Branch Strategy"]
  Phase0 --> Phase1["Phase 1:<br/>Read Issue"]
  Phase1 --> Phase1_5["Phase 1.5:<br/>QA Verify<br/>Bug Reproduction"]
  Phase1_5 --> Phase2["Phase 2:<br/>Research &<br/>Understand"]
  Phase2 --> Phase3["Phase 3:<br/>Analyze & Plan"]
  Phase3 --> Phase4["Phase 4:<br/>Implement Fix"]
  Phase4 --> Phase5["Phase 5:<br/>Review<br/>3-5 Agents"]
  Phase5 --> Phase5_5["Phase 5.5:<br/>QA Check<br/>Fix Verification"]
  Phase5_5 --> Phase6["Phase 6:<br/>Commit & Push"]
  Phase6 --> Phase7["Phase 7:<br/>Deploy Monitor"]
  Phase7 --> Phase6_5["Phase 6.5:<br/>Worktree Merge<br/>if applicable"]
  Phase6_5 --> Phase8["Phase 8:<br/>GitHub Handoff<br/>PR + Comment"]
  Phase8 --> Phase9["Phase 9:<br/>Summary"]
  Phase9 --> Done["Fix Complete"]

Loading

File Changes

1. CONFIG.template.md ⚙️ Configuration changes +29/-0

Add GitHub configuration section for fix-issue skill

• Adds new GitHub section with repo configuration in owner/repo format
• Defines GitHub Labels table with in-review and fixed labels for issue tracking
• Adds PR Reviewers table mapping aliases to GitHub usernames
• Adds GitHub Assignees table for default PR assignee configuration

CONFIG.template.md

---

2. README.md 📝 Documentation +6/-0

Document fix-issue skill in README

• Adds fix-issue skill row to skills table with description and use case
• Adds fix-issue/ directory to project structure with SKILL.md and qa-integration.md references
• Adds GitHub CLI (gh) to the tools/dependencies list used by skills

README.md

---

3. skills/fix-issue/SKILL.md ✨ Enhancement +783/-0

Implement complete fix-issue skill definition

• Comprehensive 783-line skill definition for GitHub issue bug-fix automation
• Defines 9-phase sequential pipeline with strict execution order and parameter gates
• Includes detailed workflow for each phase: branch strategy, issue reading, QA verification,
 research with user gate, complexity analysis, implementation, multi-agent review, QA check,
 commit/push, deployment monitoring, GitHub handoff, and summary
• Specifies 10 configurable parameters (branch strategy, repo, skip flags for
 review/github/deploy/verify/qa-check, assignee, auto-commit)
• Provides comprehensive error handling matrix and evaluation criteria for skill validation
• Includes mandatory checklist before Phase 9 summary and context budget awareness guidelines

skills/fix-issue/SKILL.md

---

View more (1)

4. skills/fix-issue/references/qa-integration.md 📝 Documentation +249/-0

Add QA integration guide for browser-based verification

• Provides headless browser QA integration guide using playwright-cli (not MCP tools)
• Documents test user provisioning for Supabase and other auth providers via Admin APIs
• Specifies API-first login flow with fallback to form login and session injection techniques
• Defines verify mode (pre-fix bug reproduction) and check mode (post-fix verification) workflows
• Includes route detection mapping, cleanup procedures, and comprehensive error handling

skills/fix-issue/references/qa-integration.md

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (0) 📎 Requirement gaps (0)

1. QA doc still Jira-based 🐞 Bug ✓ Correctness

Description

skills/fix-issue/references/qa-integration.md still refers to “Fix-Ticket”, “Jira ticket”, and
{ticket-id} screenshot folders, which conflicts with fix-issue instructions that use GitHub
issue numbers and issue-{N} screenshot paths.

Code

skills/fix-issue/references/qa-integration.md[R192-200]

+## Verify Mode (Pre-Fix)
+
+Goal: Reproduce the bug described in the Jira ticket using the browser.
+
+1. Navigate to the affected page
+2. Follow the reproduction steps from the ticket description
+3. Screenshot each step: `playwright-cli screenshot --filename=playwright-qa-screenshots/{ticket-id}-verify/NN-description.png`
+4. Check for JS errors: `playwright-cli console error`
+5. Look for the specific bug symptom described in the ticket

Evidence

The new fix-issue QA reference explicitly talks about Jira tickets and uses {ticket-id} screenshot
directory names, but the fix-issue pipeline instructs saving screenshots under issue-{N}-verify,
so following the reference doc will produce the wrong artifacts and misguide the QA phases.

skills/fix-issue/references/qa-integration.md[1-5]
skills/fix-issue/references/qa-integration.md[192-200]
skills/fix-issue/SKILL.md[268-271]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The QA reference doc for `fix-issue` is still written for `fix-ticket` (Jira) and uses `{ticket-id}` placeholders, which conflicts with the `fix-issue` skill’s screenshot naming (`issue-{N}`) and GitHub issue workflow.

### Issue Context
Users are instructed in `skills/fix-issue/SKILL.md` to rely on `references/qa-integration.md` for QA steps, so mismatched terminology/paths will cause incorrect execution and artifacts.

### Fix Focus Areas
- skills/fix-issue/references/qa-integration.md[1-5]
- skills/fix-issue/references/qa-integration.md[192-216]
- skills/fix-issue/SKILL.md[258-272]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. Undefined Supabase placeholders 🐞 Bug ⛯ Reliability

Description

The new QA reference uses Supabase placeholders like {ANON_KEY} and {SUPABASE_REF} without
defining where they come from (CONFIG vs env), making the documented session-injection steps
non-executable as written.

Code

skills/fix-issue/references/qa-integration.md[R121-148]

+  const { createBrowserClient } = await import('@supabase/ssr');
+  const supabase = createBrowserClient('{SUPABASE_URL}', '{ANON_KEY}');
+  const { error } = await supabase.auth.setSession({
+    access_token: '${ACCESS_TOKEN}',
+    refresh_token: '${REFRESH_TOKEN}'
+  });
+  if (error) throw error;
+  return 'session set';
+}"
+```
+
+**If the eval approach fails**, use the cookie approach instead:
+
+```bash
+# For Supabase SSR (chunked cookies)
+playwright-cli eval "() => {
+  const name = 'sb-{SUPABASE_REF}-auth-token';
+  const encoded = btoa(JSON.stringify({
+    access_token: '${ACCESS_TOKEN}',
+    refresh_token: '${REFRESH_TOKEN}'
+  }));
+  document.cookie = name + '.0=' + encodeURIComponent(encoded) + '; path=/; SameSite=Lax';
+  // Clear stale chunks
+  for (let i = 1; i <= 5; i++) {
+    document.cookie = name + '.' + i + '=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT';
+  }
+  return 'cookies set';
+}"

Evidence

The QA doc requires {ANON_KEY} and {SUPABASE_REF} for session injection and cookie names, but
the provided configuration template doesn’t define these values in the Supabase/Q&A configuration
sections, nor does the QA doc explain how to derive them.

skills/fix-issue/references/qa-integration.md[121-129]
skills/fix-issue/references/qa-integration.md[135-148]
CONFIG.template.md[62-68]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`qa-integration.md` requires `{ANON_KEY}` and `{SUPABASE_REF}` but doesn’t explain how to obtain them or where they should be configured, so the documented login/session injection flow cannot be followed reliably.

### Issue Context
The fix-issue skill points users to `references/qa-integration.md` for the full QA steps; missing required inputs breaks Phase 1.5 and Phase 5.5.

### Fix Focus Areas
- skills/fix-issue/references/qa-integration.md[121-148]
- CONFIG.template.md[62-68]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

3. Service role used for login 🐞 Bug ⛨ Security

Description

The QA reference instructs using SUPABASE_SERVICE_ROLE_KEY as the apikey for password-grant
token retrieval, increasing exposure of a highly privileged secret and unnecessarily expanding blast
radius if copied into logs/shell history.

Code

skills/fix-issue/references/qa-integration.md[R92-99]

+```bash
+SUPABASE_URL=$(grep NEXT_PUBLIC_SUPABASE_URL .env.local | cut -d= -f2-)
+SERVICE_ROLE_KEY=$(grep SUPABASE_SERVICE_ROLE_KEY .env.local | cut -d= -f2-)
+AUTH_RESPONSE=$(curl -s -X POST "${SUPABASE_URL}/auth/v1/token?grant_type=password" \
+  -H "apikey: ${SERVICE_ROLE_KEY}" \
+  -H "Content-Type: application/json" \
+  -d '{"email":"{TEST_USER_EMAIL}","password":"{TEST_USER_PASSWORD}"}')
+echo "$AUTH_RESPONSE" | python3 -c "import sys,json; d=json.load(sys.stdin); print('ACCESS_TOKEN=' + d['access_token']); print('REFRESH_TOKEN=' + d['refresh_token'])"

Evidence

The doc explicitly uses SUPABASE_SERVICE_ROLE_KEY as the apikey for
/auth/v1/token?grant_type=password. In the same document, session injection uses {ANON_KEY},
indicating the intended credential for client auth is the anon key, not the service role key.

skills/fix-issue/references/qa-integration.md[92-99]
skills/fix-issue/references/qa-integration.md[121-123]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The QA doc uses `SUPABASE_SERVICE_ROLE_KEY` (high-privilege) for routine login token retrieval, which is a security footgun and increases the impact of accidental disclosure.

### Issue Context
The same document already distinguishes an `{ANON_KEY}` for client operations, suggesting the service role key is not the intended credential for password-grant login.

### Fix Focus Areas
- skills/fix-issue/references/qa-integration.md[92-99]
- skills/fix-issue/references/qa-integration.md[67-76]
- skills/fix-issue/references/qa-integration.md[121-129]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[qodo-code-review]

1. Qa doc still jira-based 🐞 Bug ✓ Correctness

skills/fix-issue/references/qa-integration.md still refers to “Fix-Ticket”, “Jira ticket”, and
{ticket-id} screenshot folders, which conflicts with fix-issue instructions that use GitHub
issue numbers and issue-{N} screenshot paths.

Agent Prompt

### Issue description
The QA reference doc for `fix-issue` is still written for `fix-ticket` (Jira) and uses `{ticket-id}` placeholders, which conflicts with the `fix-issue` skill’s screenshot naming (`issue-{N}`) and GitHub issue workflow.

### Issue Context
Users are instructed in `skills/fix-issue/SKILL.md` to rely on `references/qa-integration.md` for QA steps, so mismatched terminology/paths will cause incorrect execution and artifacts.

### Fix Focus Areas
- skills/fix-issue/references/qa-integration.md[1-5]
- skills/fix-issue/references/qa-integration.md[192-216]
- skills/fix-issue/SKILL.md[258-272]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[qodo-code-review]

2. Undefined supabase placeholders 🐞 Bug ⛯ Reliability

The new QA reference uses Supabase placeholders like {ANON_KEY} and {SUPABASE_REF} without
defining where they come from (CONFIG vs env), making the documented session-injection steps
non-executable as written.

Agent Prompt

### Issue description
`qa-integration.md` requires `{ANON_KEY}` and `{SUPABASE_REF}` but doesn’t explain how to obtain them or where they should be configured, so the documented login/session injection flow cannot be followed reliably.

### Issue Context
The fix-issue skill points users to `references/qa-integration.md` for the full QA steps; missing required inputs breaks Phase 1.5 and Phase 5.5.

### Fix Focus Areas
- skills/fix-issue/references/qa-integration.md[121-148]
- CONFIG.template.md[62-68]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[qodo-code-review]

3. Service role used for login 🐞 Bug ⛨ Security

The QA reference instructs using SUPABASE_SERVICE_ROLE_KEY as the apikey for password-grant
token retrieval, increasing exposure of a highly privileged secret and unnecessarily expanding blast
radius if copied into logs/shell history.

Agent Prompt

### Issue description
The QA doc uses `SUPABASE_SERVICE_ROLE_KEY` (high-privilege) for routine login token retrieval, which is a security footgun and increases the impact of accidental disclosure.

### Issue Context
The same document already distinguishes an `{ANON_KEY}` for client operations, suggesting the service role key is not the intended credential for password-grant login.

### Fix Focus Areas
- skills/fix-issue/references/qa-integration.md[92-99]
- skills/fix-issue/references/qa-integration.md[67-76]
- skills/fix-issue/references/qa-integration.md[121-129]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools