feat: add semantic slicing skill

.claude-plugin/marketplace.json

@@ -38,6 +38,12 @@
       "skills": "./",
       "description": "Create and manage worktrees safely and consistently across projects while avoiding stale branch bases."
     },
+    {
+      "name": "semantic-slicing",
+      "source": "./skills/semantic-slicing",
+      "skills": "./",
+      "description": "Turn a large repo into reviewable semantic slices with evidence. Use code shape, threat candidates, issue clusters, and support chatter together so review budget lands on the right parts of the system."
+    },
     {
       "name": "technical-deslop",
       "source": "./skills/technical-deslop",

README.md

@@ -36,6 +36,7 @@ This is my personal **.skills** repository for Codex, Cursor, OpenClaw and agent
 | `ghcrawl-cluster-operator` | Operate ghcrawl local sync, clustering, and cluster inspection from the CLI. | `npx skills add vincentkoc/dotskills --skill ghcrawl-cluster-operator -y` |
 | `openclaw-github-dedupe` | Triage GitHub issue/PR clusters across repositories, preserving contributor credit while selecting canonical fixes and safe closures. | `npx skills add vincentkoc/dotskills --skill openclaw-github-dedupe -y` |
 | `operations-worktree` | Create safe git worktrees from fresh remote defaults instead of stale local branches. | `npx skills add vincentkoc/dotskills --skill operations-worktree -y` |
+| `semantic-slicing` | Build local feature, threat, issue, and support maps for focused repo review. | `npx skills add vincentkoc/dotskills --skill semantic-slicing -y` |
 | `technical-deslop` | Ship clean diffs fast: remove AI noise and keep behavior unchanged. | `npx skills add vincentkoc/dotskills --skill technical-deslop -y` |
 | `technical-documentation` | Produce dev‑ready docs: clear, structured build/review for brownfield + evergreen. | `npx skills add vincentkoc/dotskills --skill technical-documentation -y` |
 | `technical-integrations` | Design integrations that land: vendor‑agnostic API/RFC/SDK plans with rollout safety. | `npx skills add vincentkoc/dotskills --skill technical-integrations -y` |
@@ -57,6 +58,7 @@ npx skills add vincentkoc/dotskills --skill openclaw-github-dedupe -y
 npx skills add vincentkoc/dotskills --skill operations-worktree -y
 npx skills add vincentkoc/dotskills --skill crawlkit -y
 npx skills add vincentkoc/dotskills --skill graincrawl -y
+npx skills add vincentkoc/dotskills --skill semantic-slicing -y
 ```
 
 List available public skills:

catalog.yaml

@@ -123,3 +123,10 @@ skills:
     source: local
     tags: [git, worktree, operations, workflow]
     version: 0.1.0
+
+  - id: semantic-slicing
+    name: Semantic Slicing
+    path: skills/semantic-slicing
+    source: local
+    tags: [semantic-slicing, security, review, visualization, gitcrawl, discrawl]
+    version: 0.1.0

releases/skills.json

@@ -31,6 +31,12 @@
       "description": "Create and manage worktrees safely and consistently across projects while avoiding stale branch bases.",
       "install": "npx skills add https://github.com/vincentkoc/dotskills --skill operations-worktree -y"
     },
+    {
+      "name": "semantic-slicing",
+      "source": "./skills/semantic-slicing",
+      "description": "Turn a large repo into reviewable semantic slices with evidence. Use code shape, threat candidates, issue clusters, and support chatter together so review budget lands on the right parts of the system.",
+      "install": "npx skills add https://github.com/vincentkoc/dotskills --skill semantic-slicing -y"
+    },
     {
       "name": "technical-deslop",
       "source": "./skills/technical-deslop",

skills/semantic-slicing/SKILL.md

@@ -0,0 +1,86 @@
+---
+name: semantic-slicing
+description: Build local semantic review slices by combining clawpatch feature maps, deepsec threat candidates, visual review maps, and optional gitcrawl/discrawl evidence for repos such as openclaw/openclaw.
+license: AGPL-3.0-only
+metadata:
+  source: "https://github.com/vincentkoc/dotskills"
+---
+
+# Semantic Slicing
+
+## Purpose
+
+Turn a large repo into reviewable semantic slices with evidence. Use code shape, threat candidates, issue clusters, and support chatter together so review budget lands on the right parts of the system.
+
+Default stance: map locally first, rank second, spend agent/security-review budget last.
+
+## When to use
+
+- Setting up or running `openclaw/clawpatch` against a target repo.
+- Setting up or running `vercel-labs/deepsec` against a target repo.
+- Producing a local visual map of feature slices, risky files, ownership clusters, or review targets.
+- Cross-checking code slices against `gitcrawl` issue/PR data or `discrawl` Discord/support data.
+- Planning a focused security, regression, architecture, or maintainer-review pass for a large repo.
+
+## Workflow
+
+1. Create a scratch run directory outside the target checkout, usually `~/.semantic-slicing/<repo>/<timestamp>`.
+2. Read target repo instructions before scanning. For OpenClaw, read root `AGENTS.md`; subtree guides matter when reviewing a slice.
+3. Verify tool setup:
+   - `clawpatch`: clone/build `openclaw/clawpatch`, then run `clawpatch init`, `clawpatch map`, `clawpatch status`.
+   - `deepsec`: clone/build `vercel-labs/deepsec`, scaffold a scratch workspace, then run `deepsec scan`.
+   - `gitcrawl`: run `gitcrawl doctor --json`, then pull clusters/threads for related issue evidence.
+   - `discrawl`: run `discrawl doctor --json` and `discrawl status --json`; use search/digest only when support chatter is relevant.
+4. Run deterministic maps before AI review:
+   - Clawpatch feature map for entrypoints/packages/config/test slices.
+   - Deepsec regex scan for candidate threat surfaces.
+   - Optional gitcrawl/discrawl lookups for historical pain around the same files, components, or symptoms.
+5. Run `scripts/semantic-map.mjs` to merge the local artifacts into `semantic-map.html` and `semantic-map.json`.
+6. Rank slices by combined signal:
+   - high-risk entrypoint or tool boundary,
+   - deepsec candidate density and slug quality,
+   - recent/open gitcrawl clusters,
+   - matching discrawl support terms,
+   - churn/ownership/test gaps if available.
+7. Choose a cost size before running AI stages:
+   - `low`: deterministic maps only; no `deepsec process` or real `clawpatch review`.
+   - `medium`: one to three explicit files/features with high-risk slugs, batch size 1, concurrency 1, and a turn cap.
+   - `high`: broader AI processing or multiple feature reviews; requires an explicit budget/time decision.
+8. Run AI only at the chosen size:
+   - `clawpatch review --feature <id>` or a small `--limit`.
+   - `deepsec process --files <csv>` or tightly scoped `--filter` plus `--only-slugs`.
+9. Report exact artifact paths, run IDs, counts, cost size, exclusions, and skipped expensive stages.
+
+## Inputs
+
+- `target_repo`: local checkout path and/or GitHub `owner/repo`.
+- `scratch_root`: local artifact directory, default `~/.semantic-slicing/<repo>/<timestamp>`.
+- `clawpatch_repo`: local clone of `openclaw/clawpatch`, optional if `clawpatch` is already on PATH.
+- `deepsec_repo`: local clone of `vercel-labs/deepsec`, optional if `deepsec` is already on PATH.
+- `focus`: optional path prefixes, issue numbers, slugs, components, or channels to prioritize.
+- `cost_size`: `low`, `medium`, or `high`; default `low`.
+- `budget_mode`: `map-only`, `targeted-ai`, or `full-ai`; default follows `cost_size`.
+
+## Outputs
+
+- Tool setup status and blocker list.
+- Clawpatch feature counts and contamination checks.
+- Deepsec scan run ID, candidate counts, top slugs, and top files.
+- Optional gitcrawl cluster/thread evidence and discrawl support evidence.
+- Local visual map: `semantic-map.html` plus machine-readable `semantic-map.json`.
+- Ranked slice plan with recommended next commands and cost-size rationale.
+
+## Guardrails
+
+- Keep generated artifacts out of the target repo unless the user explicitly wants checked-in config.
+- Do not run full `deepsec process` or broad `clawpatch review` without an explicit high-cost decision; these can be expensive and noisy.
+- Treat local nested worktrees and dot-agent folders as contamination unless intentionally in scope: `.claude/`, `.codex/`, `.agents/`, `.deepsec/`, `.semantic-slicing/`.
+- If a tool maps contaminated paths, post-filter before ranking and call out the upstream limitation.
+- Never paste secrets from scan outputs. Scrub absolute personal paths before external PRs/comments.
+- For OpenClaw, use Testbox/Crabbox only when the task moves from mapping into validation.
+
+## References
+
+- Read `references/workflow.md` for concrete local setup and run commands.
+- Read `references/slicing-taxonomy.md` when choosing slice types or map layers.
+- Read `references/openclaw-profile.md` when the target is `openclaw/openclaw`.

skills/semantic-slicing/agents/openai.yaml

@@ -0,0 +1,10 @@
+interface:
+  display_name: "Semantic Slicing"
+  short_description: "Build local feature, threat, issue, and support maps for focused repo review."
+  icon_small: "./assets/icon.jpg"
+  icon_large: "./assets/icon.jpg"
+  brand_color: "#111827"
+  default_prompt: "Create a semantic slice map for this repo using local clawpatch/deepsec artifacts and gitcrawl/discrawl evidence where relevant."
+
+policy:
+  allow_implicit_invocation: true

skills/semantic-slicing/references/openclaw-profile.md

@@ -0,0 +1,59 @@
+# OpenClaw Profile
+
+Target repo: `openclaw/openclaw`.
+
+## High-signal buckets
+
+- `src/agents/**`: agent tools, shell/process/file access, sandbox policy, session reuse.
+- `src/gateway/**`: protocol, auth, WebSocket, delivery, live runtime.
+- `src/plugins/**`: plugin discovery, registry, activation, manifest/public-surface loaders.
+- `extensions/*`: bundled plugin runtime boundaries, channel/provider behavior.
+- `packages/memory-host-sdk/**`: storage, embeddings, remote HTTP, SSRF and proxy controls.
+- `scripts/**`: release, CI, Docker, package, generated contract checks.
+- `ui/**` and apps: local app/browser boundary, WebView and bridge surfaces.
+
+## Default excludes
+
+Treat these as contamination unless explicitly requested:
+
+```text
+.git/
+.claude/
+.codex/
+.agents/
+.deepsec/
+.semantic-slicing/
+node_modules/
+dist/
+build/
+coverage/
+.next/
+.turbo/
+```
+
+## Local probe on 2026-05-16
+
+Observed setup results on `openclaw/openclaw`:
+
+- `clawpatch` built locally and mapped 1,099 feature records.
+- The map included hundreds of `.claude`/`.codex`/`.agents` path references even with a config exclude. Post-filtering is required before review queue ranking.
+- `deepsec` built locally and scanned OpenClaw in 53.7 seconds.
+- Deepsec scan run ID: `20260516011830-96433ac3b3b6762a`.
+- Deepsec found 4,055 pending candidate files and 9,628 total matcher hits.
+- Highest-volume slugs were `insecure-crypto`, `agent-tool-definition`, `process-env-access`, `secret-in-log`, and `spread-operator-injection`.
+- `gitcrawl doctor --json` showed local OpenClaw data but the last sync was older than the current date, so use it as shortlist context and verify live state with `gh` before mutating.
+- `discrawl doctor --json` was healthy in git-share mode; `discrawl status --json` showed share update needed.
+
+Hydrated follow-up on the same day:
+
+- Hydrated `deepsec` with OpenClaw-specific `INFO.md` and priority/ignore config.
+- Fresh scan run ID: `20260516014350-082402b74eb441df`.
+- Fresh scan found 4,050 candidate files and 9,579 total matcher hits.
+- One targeted AI process pass on `src/agents/pi-embedded-runner/run/attempt.ts` produced 0 findings, cost `$4.794546`, and used 236,258 input tokens plus 6,065,152 cache-read tokens.
+- That file mapped to clawpatch feature `feat_library_997fa9c066`; dry-run review returned `wouldReview: 1`.
+
+Operational implication: default to `low` cost sizing for maps and queue building. Use `medium` only for file-explicit high-risk slices. Treat broad `deepsec process` as `high` cost unless the user has set a clear budget.
+
+## OpenClaw verification rule
+
+Mapping is not validation. If a slice leads to a code change, follow OpenClaw repo rules for targeted tests and Testbox/Crabbox proof before handoff.

skills/semantic-slicing/references/slicing-taxonomy.md

@@ -0,0 +1,109 @@
+# Slicing Taxonomy
+
+Use multiple slice layers. One lens is too easy to game.
+
+## Feature slices
+
+Source: clawpatch feature records.
+
+Best for:
+- package/API/plugin boundaries,
+- route or command entrypoints,
+- test ownership,
+- review units for targeted agent passes.
+
+Watch for:
+- hidden worktrees,
+- generated output,
+- overly broad source-group slices,
+- missing framework-specific entrypoints.
+
+## Threat slices
+
+Source: deepsec file records and candidates.
+
+Best for:
+- path traversal, SSRF, RCE, auth bypass, secret/log surfaces,
+- high-density files,
+- framework mismatch gaps where default matchers are weak.
+
+Watch for:
+- noisy slug families like generic crypto usage,
+- candidate count without exploitability,
+- processing cost.
+
+## Issue slices
+
+Source: gitcrawl clusters, threads, summaries, live GitHub checks.
+
+Best for:
+- repeated user-visible failures,
+- closed-but-recurring regressions,
+- duplicate PR/issue clusters,
+- maintainer narrative and shipped history.
+
+Watch for:
+- stale local crawl state,
+- title similarity without root-cause match,
+- closed clusters that should only inform risk, not current truth.
+
+## Support slices
+
+Source: discrawl search, digest, analytics.
+
+Best for:
+- Discord/support symptom clusters,
+- community vocabulary that differs from GitHub titles,
+- production pain not yet filed as issues.
+
+Watch for:
+- private chatter leakage,
+- stale share sync,
+- unstructured complaints without repro.
+
+## Diff slices
+
+Source: `git diff`, PR file lists, changed-lines metadata.
+
+Best for:
+- PR review,
+- regression-focused scans,
+- verifying whether a fix touches the real symptom path.
+
+Watch for:
+- tests/docs-only changes that should not expand into a full security scan,
+- moved files that break naive path matching.
+
+## Runtime/import slices
+
+Source: import graph, startup profiles, package manifests, plugin manifests.
+
+Best for:
+- hot-path performance,
+- lazy-loading regressions,
+- plugin/core boundary leakage,
+- package/dependency ownership.
+
+Watch for:
+- circular imports,
+- static+dynamic imports of the same heavy module,
+- core/plugin boundary violations.
+
+## Visual review map
+
+Map each bucket with:
+- feature count,
+- deepsec candidate count,
+- top slugs,
+- top files,
+- gitcrawl cluster count,
+- discrawl hit count,
+- contamination count.
+
+Recommended ranking:
+
+```text
+score = entrypoint_weight + threat_density + issue_signal + support_signal + churn_signal - contamination_penalty
+```
+
+The score is a review queue, not a bug claim.