docs: update Dependabot handling instructions and add prompt

Enhanced the instructions for handling Dependabot pull requests, emphasizing mandatory reading and execution of steps. Updated the comment posting process to require the use of GitHub CLI commands. Added a new prompt for guiding users through the Dependabot PR handling workflow, ensuring clarity and adherence to the updated rules. Removed outdated prompts related to planning and specification generation.

Signed-off-by: Odin Thomas Rochmann <[email protected]>

Author: odinr

.github/copilot-instructions.md

@@ -46,7 +46,7 @@ Fusion Framework uses file-based AI instructions under `.github/instructions/`.
 - **React** → `./.github/instructions/react.instructions.md`  
   Component, hook, provider, observable, and styling patterns for React.
 - **Dependabot PRs** → `./.github/instructions/dependabot-pr.instructions.md`  
-  Full Dependabot review workflow (research, tests, comments, merge).
+  **⚠️ MANDATORY**: When handling ANY Dependabot PR, you MUST read this entire instruction file first. It contains mandatory steps including posting comments using `gh pr comment -F <file>.md`. Do not skip steps.
 
 Each instruction file declares an `applyTo` glob so tools like Copilot/Cursor can automatically apply the right rules for the files you are editing.
 

.github/instructions/dependabot-pr.instructions.md

@@ -1,16 +1,26 @@
 ---
 description: Rules for reviewing and handling Dependabot pull requests
 name: Dependabot PR Review Rules
+applyTo: 
+  - "**/dependabot.yml"
+  - ".github/workflows/dependabot.yml"
+  - ".github/dependabot.yml"
+alwaysApply: true
 ---
 
 # Dependabot PR Review Rules
 
+**⚠️ CRITICAL: AI AGENTS MUST READ THIS ENTIRE FILE WHEN HANDLING DEPENDABOT PRs**
+
+This instruction file contains **mandatory steps** that MUST be executed in order. Do not skip steps. Do not proceed without reading the full workflow below.
+
 ## TL;DR (for AI agents)
 
+- **MANDATORY READING**: You MUST read this entire instruction file before handling any Dependabot PR. This is not optional.
 - **Consent**: Never post comments, generate changesets, push commits, close PRs, or merge without explicit user approval.
 - **Flow**: Rebase (if needed) → research dependency changes → install with `pnpm` → build → test → lint → (optionally) generate changeset → push → summarize → (optionally) merge.
 - **Safety**: Stop immediately on build/test/lint/security failures or user timeout; do not auto-resolve complex conflicts.
-- **Comments**: Use the provided research/results templates and always show content to the user for approval before posting.
+- **Comments**: Use the provided research/results templates, create temporary markdown files, show content to the user for approval, then execute `gh pr comment <PR_NUMBER> -F <comment-file>.md` to post. Always clean up temporary files.
 - **History**: Maintain linear history (force-with-lease after rebase) and clean up worktrees when done.
 
 ## Overview
@@ -76,8 +86,10 @@ Execute rebase analysis against base branch (default: `main`).
 - Continue to Step 4
 
 **B: Version Conflict (Auto-Close)**
-- Post redundancy explanation comment
-- Close PR with explanation
+- Create temporary comment file: `gh-comment-version-conflict.md` with redundancy explanation
+- **EXECUTE**: `gh pr comment <PR_NUMBER> -F gh-comment-version-conflict.md`
+- Clean up: `rm gh-comment-version-conflict.md`
+- Close PR: `gh pr close <PR_NUMBER> --comment "PR closed due to version conflict"`
 - Proceed to cleanup
 
 **C: Structural Conflict (User Consent Required)**
@@ -102,14 +114,22 @@ Execute rebase analysis against base branch (default: `main`).
 
 ### 5. Post Research Comment
 
+**MANDATORY STEP - DO NOT SKIP**
+
 1. Format research findings using [research comment template](dependabot-pr/research-comment.template.md)
-2. Display comment content to user
-3. Ask user: "Review research comment content. Is it accurate and complete?"
-4. Wait for user response
-5. Ask user: "Post this research comment to PR?"
-6. Wait for user response
-7. If approved: Post comment to PR
-8. If declined: Skip and continue
+2. Create temporary comment file: `gh-comment-research.md` with the formatted content
+3. Display comment content to user (show the file contents)
+4. Ask user: "Review research comment content. Is it accurate and complete?"
+5. Wait for user response
+6. Ask user: "Post this research comment to PR?"
+7. Wait for user response
+8. **If approved**: 
+   - **EXECUTE**: `gh pr comment <PR_NUMBER> -F gh-comment-research.md`
+   - Verify the comment was posted successfully
+   - Clean up: `rm gh-comment-research.md`
+9. **If declined**: Skip and continue (clean up: `rm gh-comment-research.md`)
+
+**CRITICAL**: You MUST execute the `gh pr comment` command when approved. Do not just say you will post it - actually run the command.
 
 **MANDATORY**: Proceed to Step 6 (Install Dependencies) - NEVER SKIP THIS STEP
 
@@ -169,15 +189,23 @@ Execute rebase analysis against base branch (default: `main`).
 
 ### 12. Comment PR Results
 
+**MANDATORY STEP - DO NOT SKIP**
+
 1. Format completion summary using [results comment template](dependabot-pr/results-comment.template.md)
-2. Display comment content to user
-3. Ask user: "Review validation results. Are they accurate?"
-4. Wait for user response (5 min timeout)
-5. Ask user: "Post this validation comment to PR?"
-6. Wait for user response (5 min timeout)
-7. If approved: Post comment to PR
-8. If declined: Skip and continue
-9. If timeout: **STOP EXECUTION** - User consent required
+2. Create temporary comment file: `gh-comment-results.md` with the formatted content
+3. Display comment content to user (show the file contents)
+4. Ask user: "Review validation results. Are they accurate?"
+5. Wait for user response (5 min timeout)
+6. Ask user: "Post this validation comment to PR?"
+7. Wait for user response (5 min timeout)
+8. **If approved**: 
+   - **EXECUTE**: `gh pr comment <PR_NUMBER> -F gh-comment-results.md`
+   - Verify the comment was posted successfully
+   - Clean up: `rm gh-comment-results.md`
+9. **If declined**: Skip and continue (clean up: `rm gh-comment-results.md`)
+10. **If timeout**: **STOP EXECUTION** - User consent required (clean up: `rm gh-comment-results.md`)
+
+**CRITICAL**: You MUST execute the `gh pr comment` command when approved. Do not just say you will post it - actually run the command.
 
 ### 13. Squash Merge PR
 
@@ -230,16 +258,21 @@ All PR comments must use the provided templates:
 
 ## AI Agent Rules
 
+**⚠️ MANDATORY: Read this entire section before handling Dependabot PRs**
+
 When handling Dependabot PRs:
 
-1. **Always get user consent** before posting comments or merging
-2. **Follow all steps sequentially** - never skip steps
-3. **Use provided templates** for all PR comments
-4. **Validate thoroughly** - build, test, lint before approval
-5. **Generate changesets** when required (follow [changeset rules](changesets.instructions.md))
-6. **Maintain linear history** - use force-with-lease after rebase
-7. **Clean up properly** - remove worktrees and temp directories
-8. **Stop execution** on any critical failure or user timeout
+1. **READ THIS FILE FIRST** - You must read and understand all steps before starting
+2. **Always get user consent** before posting comments or merging
+3. **Follow all steps sequentially** - never skip steps, especially Steps 5 and 12 (comment posting)
+4. **Use provided templates** for all PR comments
+5. **POST COMMENTS USING GITHUB CLI**: When approved, you MUST execute `gh pr comment <PR_NUMBER> -F <comment-file>.md`. Do not just say you will post - actually run the command. See [GitHub CLI file-based bodies rule](../.cursor/rules/github-cli-file-bodies.mdc)
+6. **Clean up comment files**: Always remove temporary comment files (`gh-comment-*.md`) after posting or if declined
+7. **Validate thoroughly** - build, test, lint before approval
+8. **Generate changesets** when required (follow [changeset rules](changesets.instructions.md))
+9. **Maintain linear history** - use force-with-lease after rebase
+10. **Clean up properly** - remove worktrees and temp directories
+11. **Stop execution** on any critical failure or user timeout
 
 ## Error Handling
 

.github/prompts/dependabot.prompt.md

@@ -0,0 +1,70 @@
+---
+description: Prompt for handling Dependabot pull requests
+name: Dependabot PR Handler Prompt
+---
+
+# Dependabot PR Handler Prompt
+
+You are handling a Dependabot pull request. Follow the instructions in `.github/instructions/dependabot-pr.instructions.md` **completely and in order**.
+
+## Initial Step: Identify the PR
+
+### If PR URL is provided:
+- Extract PR details: repository owner, repository name, PR number, and branch name
+- Store these details for use throughout the workflow
+- Proceed to Step 2: Create Git Worktree for PR
+
+### If NO PR URL is provided:
+You MUST do the following:
+
+1. **List Dependabot PRs** (always do this first):
+   - Execute: `gh pr list --author "app/dependabot" --state open --json number,title`
+   - Display the list of open Dependabot PRs to the user in a formatted way:
+     ```
+     Open Dependabot PRs:
+     
+     #<number> - <title>
+     
+     [Repeat for each PR]
+     ```
+   - Categorize PRs by update type (MAJOR/MINOR/PATCH) if possible from the title or labels
+   - Group by update type if multiple PRs exist
+
+2. **Ask user to select PR**:
+   - Prompt: "Please provide the Dependabot PR number (e.g., 1234) or PR URL from the list above"
+   - Wait for user response
+   - Parse the response to extract PR number or URL
+   - If PR number provided: Use `gh pr view <PR_NUMBER>` to get full PR details
+   - Store PR details (repository owner, name, PR number, branch name)
+   - Proceed to Step 2: Create Git Worktree for PR
+
+**CRITICAL**: Never auto-select a PR. The user MUST explicitly choose which PR to handle.
+
+## After PR Selection
+
+Once the PR is identified (either from URL, ID, or user selection from list), continue with the full workflow from `.github/instructions/dependabot-pr.instructions.md`:
+
+1. ✅ Select PR (completed above)
+2. Create Git Worktree for PR
+3. Rebase Branch
+4. Research Dependencies
+5. Post Research Comment (MANDATORY - use `gh pr comment <PR_NUMBER> -F <file>.md`)
+6. Install Dependencies
+7. Build Project
+8. Run Tests
+9. Run Linting
+10. Generate Changeset
+11. Push Changes
+12. Comment PR Results (MANDATORY - use `gh pr comment <PR_NUMBER> -F <file>.md`)
+13. Squash Merge PR (optional, requires user approval)
+14. Cleanup Repository
+15. Finalize Instruction
+
+## Important Reminders
+
+- **Read the full instruction file**: `.github/instructions/dependabot-pr.instructions.md` before starting
+- **Never skip steps**: Especially Steps 5 and 12 (comment posting)
+- **Execute commands**: When posting comments, you MUST run `gh pr comment <PR_NUMBER> -F <comment-file>.md`, not just say you will
+- **Get user consent**: For all critical operations (comments, pushes, merges)
+- **Clean up**: Always remove temporary files and worktrees when done
+

.github/prompts/plan.prompt.md

@@ -87,7 +87,9 @@ When you receive a task, default to this behavior:
   - Large-scale refactors across many packages.
   - Auto-merging PRs, especially Dependabot PRs.
 - **Dependabot-specific rules**:
-  - Always follow `.github/instructions/dependabot-pr.instructions.md`.
+  - **⚠️ MANDATORY**: When handling ANY Dependabot PR, you MUST read `.github/instructions/dependabot-pr.instructions.md` in its entirety before starting.
+  - The instruction file contains mandatory workflow steps that MUST be executed in order.
+  - When posting comments, you MUST execute `gh pr comment <PR_NUMBER> -F <comment-file>.md` - do not just say you will post it.
   - Do not post PR comments, push commits, or merge without user confirmation.
 
 When unsure, **stop and ask the user** instead of guessing.