Merge pull request #20295 from mozilla/claude-code-dx-improvements

chore(claude): add skills, improve CLAUDE.md, fix VS Code config

Author: vpomerleau

.claude/skills/fxa-jira-bug-description/SKILL.md

@@ -0,0 +1,86 @@
+---
+name: fxa-jira-bug-description
+description: Drafts a Jira bug report for an FXA issue. Gathers repro steps, expected vs actual behaviour, and affected surface, then outputs a structured report ready to file or hand to Claude for investigation.
+user-invocable: true
+---
+
+# FXA Jira Bug Report
+
+Draft a Jira bug report for an FXA issue. Output the description only — do not create, edit, or suggest changes to any source files.
+
+## Step 1: Gather Context
+
+If a Sentry link, error log, or stack trace was provided, read it first and infer as much as possible before asking anything.
+
+Required information:
+- **What:** One-sentence description of the bug
+- **Steps to reproduce:** Numbered steps from a known starting state
+- **Expected behaviour:** What should happen
+- **Actual behaviour:** What actually happens
+- **Affected surface:** Which flow, page, or API endpoint; which users or account states are affected
+
+Also useful — ask only for what is missing:
+- Error message, Sentry event, or stack trace
+- Browser, OS, or environment (if frontend)
+- Account state at time of bug (e.g. 2FA enabled, passwordless, linked account)
+- Severity — data loss, security impact, broken flow, visual/cosmetic
+
+If all required information is clear, proceed directly to Step 2.
+
+## Step 2: Research
+
+Search only the packages likely involved. Find:
+- The code path most likely responsible (route handler, component, service method)
+- Any recent changes to that path (`git log` on the relevant files)
+- Whether a similar bug has been fixed before (look for related test cases or comments)
+
+Incorporate findings directly into Root Cause and Key Reference Files. Surface genuine unknowns as Open Questions.
+
+## Step 3: Output
+
+**Summary:** `[area] <concise bug description>` — e.g. `[auth] Passkey registration fails silently when device has no authenticator`
+
+**Background:**
+What the bug is, where it occurs, and who is affected. 2–3 sentences.
+
+**Steps to Reproduce:**
+Numbered steps from a known starting state. Include account state and environment where relevant.
+
+**Expected Behaviour:**
+What should happen.
+
+**Actual Behaviour:**
+What actually happens. Include error message, code, or Sentry event if available.
+
+**Affected Surface:**
+Which users, flows, account states, browsers, or environments are affected. Note if intermittent.
+
+**Severity:** *(Critical / High / Medium / Low)*
+- Critical — data loss, security vulnerability, auth bypass
+- High — broken core flow affecting multiple users
+- Medium — degraded experience, workaround exists
+- Low — cosmetic, edge case, minor inconvenience
+
+**Root Cause:** *(if known or suspected — omit if unknown)*
+Where in the code the bug originates. Reference specific file and function if identified.
+
+**Acceptance Criteria:**
+- Bug is no longer reproducible following the steps above
+- Regression test added covering the broken path
+- *(add any additional observable outcomes)*
+
+**Key Reference Files:**
+Specific files relevant to investigation or fix. One line each.
+
+**Out of Scope:** *(omit if not needed)*
+
+**Open Questions:** *(omit if none)*
+
+## Guidelines
+
+- Output the description only — no source file changes
+- Steps to Reproduce must be precise enough for another engineer to reproduce independently
+- Do not speculate on root cause unless there is clear evidence — use Open Questions instead
+- Severity should reflect user impact, not code complexity
+- Always include a regression test in Acceptance Criteria
+- If the bug has security implications (auth bypass, data exposure, token leakage), flag severity as Critical and note it explicitly in Background

.claude/skills/fxa-jira-feature-description/SKILL.md

@@ -0,0 +1,67 @@
+---
+name: fxa-jira-feature-description
+description: Drafts a concise Jira description for an FXA task. Gathers context via targeted interview, researches relevant patterns in the repo, then outputs a clean description ready for an engineer to hand to Claude for implementation.
+user-invocable: true
+---
+
+# FXA Jira Description
+
+Draft a Jira description for an FXA task. Output the description only — do not create, edit, or suggest changes to any source files.
+
+## Step 1: Gather Context
+
+If a planning doc, epic description, or tech spec was provided, read it first and infer what, why, packages, and constraints before asking anything.
+
+Required information:
+- **What:** What is being built or changed, in one sentence
+- **Why:** Motivation — user need, requirement, bug, or tech debt
+- **Packages:** Which specific package(s) will be modified (e.g. `fxa-auth-server`, `libs/accounts/passkey`)
+- **Constraints:** Feature flag, breaking change, migration, L10n — or none
+
+If all four are clear from provided context, proceed directly to Step 2. Otherwise ask for only what is missing in a single message. Also invite related PRs, tickets, existing approach notes, design mockups, or flow diagrams that would add useful context.
+
+## Step 2: Research
+
+Search only the packages identified in Step 1. Find the most relevant existing patterns: similar feature, nearby route, equivalent component. Expand to the broader repo only if nothing relevant is found there.
+
+Identify:
+- Key files an implementer will need to touch
+- The closest existing reference implementation to follow
+- Whether tests, metrics, or security events apply (see Step 3)
+
+Incorporate findings directly into the draft — do not list them separately or ask for confirmation. Surface genuine blockers as Open Questions.
+
+## Step 3: Output
+
+**Design:** *(Figma link if applicable. Note that all copy, strings, and visual specs should be taken from the latest Figma file — do not reproduce design details here as they may change before implementation. Omit if no design involved.)*
+
+**Background:**
+Why this is needed and what it enables. 2–4 sentences.
+
+**Acceptance Criteria:**
+Observable, testable outcomes. Each item verifiable without reading the code. Include criteria for tests, metrics emission, and security events where applicable to this task.
+
+**Implementation Steps:**
+Numbered steps with file paths, method names, and structural guidance. Reference the nearest existing pattern for each step. No code snippets — file locations, types, and patterns only.
+
+**Tests:**
+What needs to be tested. Unit, integration, and snapshot coverage expectations. Reference the nearest existing test file as a pattern. Omit if covered inline above.
+
+**Metrics & Security Events:** *(omit if not applicable)*
+Any StatsD metrics or security events (`log.info`, `request.emitMetricsEvent`, `customs` checks) that should be emitted. Reference the nearest equivalent for naming conventions.
+
+**Key Reference Files:**
+Specific files the implementer should read before starting. One line each.
+
+**Out of Scope:** *(omit if not needed)*
+
+**Open Questions:** *(omit if none)*
+
+## Guidelines
+
+- Output the description only — no source file changes
+- Implementation Steps should give enough detail to start work without follow-up questions — file paths and patterns, not prose
+- Do not include design details (copy, colours, layout, component specifics) — note that the implementer should refer to the latest Figma file
+- Omit redundant or obvious acceptance criteria
+- Include Tests, Metrics & Security Events sections only when relevant to the task type
+- If motivation or scope remain unclear after asking, flag as an Open Question rather than assuming

.vscode/settings.json

@@ -25,7 +25,6 @@
   "typescript.tsdk": "node_modules/typescript/lib",
   "files.exclude": {
     ".nx": true,
-    ".claude": true,
     "**/.git": true,
     "**/.DS_Store": true,
     "**/Thumbs.db": true,

CLAUDE.md

@@ -6,6 +6,7 @@ Security takes **absolute precedence**. This repository handles Mozilla authenti
 
 - Operate strictly under `<FXA_REPO_ROOT>`; normalize paths; do not follow symlinks outside the repo.
 - **Writes allowed** to working tree; always present a diff for review **before** any staging/commit.
+- Do not modify files adjacent to the requested change; mention issues found but do not fix them.
 - **Ask first** for any command (build/test/install, DB ops, git, services). Do **not** run `git add/commit/push/rebase` unless explicitly told to.
 
 ## 2) Non-Negotiables
@@ -76,3 +77,27 @@ _Note:_ This is a general overview and may vary per library/package. For authori
   **Never edit existing published migration files.**
 
 > When asked, show the exact minimal command block you intend to run; wait for approval.
+
+## 6) Git Commit Messages
+
+Follow the commit message format defined in [CONTRIBUTING.md — Git Commit Guidelines](https://github.com/mozilla/fxa/blob/main/CONTRIBUTING.md#git-commit-guidelines) and the `~/.gitmessage` template configured globally.
+
+Key points: `type(scope): subject` format; imperative present tense subject; `Because:` / `This commit:` body sections; `Fixes #N` footer for issues.
+
+## 7) Available Skills
+
+Suggest these proactively when the task matches — do not wait to be asked.
+
+| Skill                           | Use when                                                                                    |
+| ------------------------------- | ------------------------------------------------------------------------------------------- |
+| `/fxa-review`                   | Before merging — thorough parallel review covering security, TS, logic, tests, architecture |
+| `/fxa-review-quick`             | Quick pre-merge check, single pass, no subagents                                            |
+| `/fxa-security-review`          | Landing auth, session, crypto, or payment changes                                           |
+| `/fxa-jira-feature-description` | Writing a Jira description for a new feature or enhancement                                 |
+| `/fxa-jira-bug-description`     | Filing a bug report                                                                         |
+| `/fxa-check-smells`             | Suspecting code quality issues in changed files                                             |
+| `/fxa-check-react`              | Reviewing React/TSX component changes                                                       |
+| `/fxa-check-docs`               | Improving docs, JSDoc, or README in changed files                                           |
+| `/fxa-explain-code`             | Understanding what changed and why                                                          |
+| `/fxa-simplify`                 | Cleaning up recently written code                                                           |
+| `/fxa-check-githistory`         | Checking for regressions or conflicts with past fixes                                       |