This skill walks a maintainer through **deep, line-aware review** of open pull requests, **one PR at a time**. Its job is to answer two questions per PR:

**Status: experimental.** First prototype of Mode B ([conversational mentoring](../../../docs/mentoring/spec.md)). The skill exists to make the spec executable on a single thread at a time so we can iterate on tone wording, convention pointers, and hand-off triggers against real contributor traffic

Merge two <tracker> tracking issues that describe the same root-cause vulnerability (typically discovered independently by two reporters, arriving via different channels), preserving every reporter's credit, every mailing-list thread reference, and every independent attack-vector description. Updates the kept issue's body in place, closes the duplicate with the `duplicate` label, and regenerates the CVE JSON attachment so both finders land in `credits[]`.

This skill is the **on-ramp** of the security-issue handling process. It converts an inbound `<security-list>` email thread into an `<tracker>` tracking issue that follows the repo's issue template, then drafts the receipt-of-confirmation reply to the reporter.

This skill is an alternative on-ramp of the security-issue handling process for the case where the report **never arrived on `<security-list>`**. A contributor opened a public fix in `<upstream>`; somebody on the security team noticed it is security-relevant; the team decided informally that the fix

Synchronize a security issue in <tracker> with the state of its GitHub discussion, the <security-list> mailing thread, and any <upstream> PRs that fix it. The skill gathers all relevant signals, proposes label, milestone, assignee, field and draft-email updates, and only applies changes the user has explicitly confirmed. Suggests the next step in the handling process and prints the CVE allocation link when a CVE is needed.

This skill is the **on-ramp** for adopters who do not yet have the secure setup running. It is a thin walkthrough wrapper around the canonical install path documented in [`docs/setup/secure-agent-setup.md`](../../../docs/setup/secure-agent-setup.md). The authoritative content lives there; this skill

This skill is the **drift report** for an already-installed secure setup. It walks the canonical update-check at [`docs/setup/secure-agent-setup.md` → Keeping the setup updated → Via a Claude Code prompt](../../../docs/setup/secure-agent-setup.md#via-a-claude-code-prompt-2) and surfaces what is

This skill is the **assertion** layer over the secure setup. It runs the checklist documented in [`docs/setup/secure-agent-setup.md` → Verification → Via a Claude Code prompt](../../../docs/setup/secure-agent-setup.md#via-a-claude-code-prompt-1) and reports each check's status to the user with c

This skill propagates local edits in `~/.claude-config/` to the sync repo's remote, so other machines can pull them. It is the counterpart to the periodic `git pull --rebase --autostash` that the framework's example `sync.sh` runs on a timer — that direction pulls *upstream* into the local clone;

This skill is **the only framework artefact an adopter project commits**. Every other apache-steward skill (security, pr-management) is a gitignored symlink into the gitignored snapshot at `<snapshot-dir>` that this skill manages.