313 Commits

  • docs: add SECURITY.md, publish agentic security guide, remove openclaw guide
    - Add SECURITY.md with vulnerability reporting policy
    - Publish "The Shorthand Guide to Everything Agentic Security" with attack
      vectors, sandboxing, sanitization, CVEs, and AgentShield coverage
    - Add security guide to README guides section (3-column layout)
    - Remove unpublished openclaw guide
    - Copy security article images to assets/images/security/
  • feat(skills): add rules-distill skill (rebased #561) (#678)
    * feat(skills): add rules-distill — extract cross-cutting principles from skills into rules
    
    Applies the skill-stocktake pattern to rules maintenance:
    scan skills → extract shared principles → propose rule changes.
    
    Key design decisions:
    - Deterministic collection (scan scripts) + LLM judgment (cross-read & verdict)
    - 6 verdict types: Append, Revise, New Section, New File, Already Covered, Too Specific
    - Anti-abstraction safeguard: 2+ skills evidence, actionable behavior test, violation risk
    - Rules full text passed to LLM (no grep pre-filter) for accurate matching
    - Never modifies rules automatically — always requires user approval
    
    * fix(skills): address review feedback for rules-distill
    
    Fixes raised by CodeRabbit, Greptile, and cubic:
    
    - Add Prerequisites section documenting skill-stocktake dependency
    - Add fallback command when skill-stocktake is not installed
    - Fix shell quoting: add IFS= and -r to while-read loops
    - Replace hardcoded paths with env var placeholders ($CLAUDE_RULES_DIR, $SKILL_STOCKTAKE_DIR)
    - Add json language identifier to code blocks
    - Add "How It Works" parent heading for Phase 1/2/3
    - Add "Example" section with end-to-end run output
    - Add revision.reason/before/after fields to output schema for Revise verdict
    - Document timestamp format (date -u +%Y-%m-%dT%H:%M:%SZ)
    - Document candidate-id format (kebab-case from principle)
    - Use concrete examples in results.json schema
    
    * fix(skills): remove skill-stocktake dependency, add self-contained scripts
    
    Address P1 review feedback:
    - Add scan-skills.sh and scan-rules.sh directly in rules-distill/scripts/
      (no external dependency on skill-stocktake)
    - Remove Prerequisites section (no longer needed)
    - Add cross-batch merge step to prevent 2+ skills requirement
      from being silently broken across batch boundaries
    - Fix nested triple-backtick fences (use quadruple backticks)
    - Remove head -100 cap (silent truncation)
    - Rename "When to Activate" → "When to Use" (ECC standard)
    - Remove unnecessary env var placeholders (SKILL.md is a prompt, not a script)
    
    * fix: update skill/command counts in README.md and AGENTS.md
    
    rules-distill added 1 skill + 1 command:
    - skills: 108 → 109
    - commands: 57 → 58
    
    Updates all count references to pass CI catalog validation.
    
    * fix(skills): address Servitor review feedback for rules-distill
    
    1. Rename SKILL_STOCKTAKE_* env vars to RULES_DISTILL_* for consistency
    2. Remove unnecessary observation counting (use_7d/use_30d) from scan-skills.sh
    3. Fix header comment: scan.sh → scan-skills.sh
    4. Use jq for JSON construction in scan-rules.sh to properly escape
       headings containing special characters (", \)
    
    * fix(skills): address CodeRabbit review — portability and scan scope
    
    1. scan-rules.sh: use jq for error JSON output (proper escaping)
    2. scan-rules.sh: replace GNU-only sort -z with portable sort (BSD compat)
    3. scan-rules.sh: fix pipefail crash on files without H2 headings
    4. scan-skills.sh: scan only SKILL.md files (skip learned/*.md and
       auxiliary docs that lack frontmatter)
    5. scan-skills.sh: add portable get_mtime helper (GNU stat/date
       fallback to BSD stat/date)
    
    * fix: sync catalog counts with filesystem (27 agents, 114 skills, 59 commands)
    
    ---------
    
    Co-authored-by: Tatsuya Shimomoto <shimo4228@gmail.com>
  • chore: prepare v1.9.0 release (#666)
    - Bump version to 1.9.0 in package.json, package-lock.json, .opencode/package.json
    - Add v1.9.0 changelog with 212 commits covering selective install architecture,
      6 new agents, 15+ new skills, session/state infrastructure, observer fixes,
      12 language ecosystems, and community contributions
    - Update README with v1.9.0 release notes and complete agents tree (27 agents)
    - Add pytorch-build-resolver to AGENTS.md agent table
    - Update documentation counts to 27 agents, 109 skills, 57 commands
    - Update version references in zh-CN README
    - All 1421 tests passing, catalog counts verified
  • docs: add Antigravity setup and usage guide (#552)
    * docs: add Antigravity setup and usage guide
    
    Addresses #462 — users were confused about Antigravity skills setup.
    
    Adds a comprehensive guide covering:
    - Install mapping (ECC → .agent/ directory)
    - Directory structure after install
    - openai.yaml agent config format
    - Managing installs (list, doctor, uninstall)
    - Cross-target comparison table
    - Troubleshooting common issues
    - How to contribute skills with Antigravity support
    
    Also links the guide from the README FAQ section.
    
    * fix: address review feedback on Antigravity guide
    
    - Remove spurious skills/ row from install mapping table, add note
      clarifying .agents/skills/ is static repo layout not installer-mapped
    - Fix repair section: doctor.js diagnoses, repair.js restores
    - Fix .agents/ → .agent/ path typo in custom skills section
    - Clarify 3-step workflow for adding Antigravity skills
    - Fix antigravity-project → antigravity in comparison table
    - Fix "flatten" → "flattened" grammar in README
    - Clarify openai.yaml full nested path structure
    
    * fix: clarify .agents/ vs .agent/ naming and fix Cursor comparison
    
    - Explain that .agents/ (with 's') is ECC source, .agent/ (no 's')
      is Antigravity runtime — installer copies between them
    - Fix Cursor Agents/Skills column: Cursor has no explicit agents/skills
      mapping (only rules), changed from 'skills/' to 'N/A'
    
    * fix: correct installer behavior claims and command style
    
    - Fix .agents/ vs .agent/ note: clarify that only rules, commands, and
      agents (no dot) are explicitly mapped by the installer. The dot-prefixed
      .agents/ directory falls through to default scaffold, not a direct copy.
    - Fix contributor workflow: remove false auto-deploy claim for openai.yaml.
      Clarify .agents/ is static repo layout, not installer-deployed.
    - Fix uninstall command: use direct script call (node scripts/uninstall.js)
      for consistency with doctor.js, repair.js, list-installed.js.
    
    * fix: add missing agents/ step to contributor workflow
    
    Contributors must add an agent definition at agents/ (no dot) for the
    installer to deploy it to .agent/skills/ at runtime. Without this step,
    skills only exist in the static .agents/ layout and are never deployed.
    
    ---------
    
    Co-authored-by: vazidmansuri005 <vazidmansuri005@users.noreply.github.com>
  • fix: update catalog counts and resolve lint error
    - Update agent count 26→27 in README.md (quick-start + comparison table) and AGENTS.md (summary + project structure)
    - Update skill count 108→109 in README.md (quick-start + comparison table) and AGENTS.md (summary)
    - Rename unused variable provenance → _provenance in tests/lib/skill-dashboard.test.js
  • feat(agents): add typescript-reviewer agent (#647)
    Adds typescript-reviewer agent following the established agent format, covering type safety, async correctness, security, and React/Next.js patterns.
  • docs: add npm install step before running install.sh (#526)
    The install script requires the ajv package (a devDependency) for
    config validation. Without running npm install first, users get
    "Cannot find module 'ajv'" when running ./install.sh.
    
    Co-authored-by: Jeffrey Jordan <jeffreyjordan@dizplai.com>
  • fix(ci): enforce catalog count integrity (#525)
    * fix(ci): enforce catalog count integrity
    
    * test: harden catalog structure parsing
  • feat: add laravel skills (#420)
    * feat: add laravel skills
    
    * docs: fix laravel patterns example
    
    * docs: add laravel api example
    
    * docs: update readme and configure-ecc for laravel skills
    
    * docs: reference laravel skills in php rules
    
    * docs: add php import guidance
    
    * docs: expand laravel skills with more pattern, security, testing, and verification examples
    
    * docs: add laravel routing, security, testing, and sail guidance
    
    * docs: fix laravel example issues from code review
    
    * docs: fix laravel examples and skills per review findings
    
    * docs: resolve remaining laravel review fixes
    
    * docs: refine laravel patterns and tdd guidance
    
    * docs: clarify laravel queue healthcheck guidance
    
    * docs: fix laravel examples and test guidance
    
    * docs: correct laravel tdd and api example details
    
    * docs: align laravel form request auth semantics
    
    * docs: fix laravel coverage, imports, and scope guidance
    
    * docs: align laravel tdd and security examples with guidance
    
    * docs: tighten laravel form request authorization examples
    
    * docs: fix laravel tdd and queue job examples
    
    * docs: harden laravel rate limiting and policy examples
    
    * docs: fix laravel pagination, validation, and verification examples
    
    * docs: align laravel controller response with envelope
    
    * docs: strengthen laravel password validation example
    
    * docs: address feedback regarding examples
    
    * docs: improve guidance and examples for pest usage
    
    * docs: clarify laravel upload storage and authorization notes
    
    * docs: tighten up examples
  • Add PowerShell installer wrapper and update documentation (#532)
    * Add install.ps1 PowerShell wrapper and tests
    
    Add a Windows-native PowerShell wrapper (install.ps1) that resolves symlinks and delegates to the Node-based installer runtime. Update README with PowerShell usage examples and cross-platform npx entrypoint guidance. Point the ecc-install bin to the Node installer (scripts/install-apply.js) in package.json (and refresh package-lock), include install.ps1 in package files, and add tests: a new install-ps1.test.js and a tweak to install-sh.test.js to skip on Windows. These changes provide native Windows installer support while keeping npm-compatible cross-platform invocation.
    
    * Improve tests for Windows HOME/USERPROFILE
    
    Make tests more cross-platform by ensuring HOME and USERPROFILE are kept in sync and by normalizing test file paths for display.
    
    - tests/lib/session-adapters.test.js: set USERPROFILE when temporarily setting HOME and restore previous USERPROFILE on teardown.
    - tests/run-all.js: use a normalized displayPath (forward-slash separated) for logging and error messages so output is consistent across platforms.
    - tests/scripts/ecc.test.js & tests/scripts/session-inspect.test.js: build envOverrides from options.env and add HOME <-> USERPROFILE fallbacks so spawned child processes receive both variables when only one is provided.
    
    These changes prevent test failures and inconsistent logs on Windows where USERPROFILE is used instead of HOME.
    
    * Fix Windows paths and test flakiness
    
    Improve cross-platform behavior and test stability.
    
    - Remove unused createLegacyInstallPlan import from install-lifecycle.js.
    - Change resolveInstallConfigPath to use path.normalize(path.join(cwd, configPath)) to produce normalized relative paths.
    - Tests: add toBashPath and normalizedRelativePath helpers to normalize Windows paths for bash and comparisons.
    - Make cleanupTestDir retry rmSync on transient Windows errors (EPERM/EBUSY/ENOTEMPTY) with short backoff using sleepMs.
    - Ensure spawned test processes receive USERPROFILE and convert repo/detect paths to bash format when invoking bash.
    
    These changes reduce Windows-specific failures and flakiness in the test suite and tidy up a small unused import.
  • Merge pull request #301 from 0xrohitgarg/add-videodb-skills
    Add VideoDB Skills to Individual Skills
  • fix: address code review findings from cubic-dev-ai
    - Fix path traversal regex prefix confusion in perl-security skill
      - Revert v1.4.0 changelog entry (Perl not part of that release)
      - Rename $a/$b to $x/$y to avoid shadowing sort globals
      - Replace return undef with bare return per perlcritic rules
  • feat: add Perl language rules and update documentation
    Add rules/perl/ with 5 rule files (coding-style, testing, patterns,
      hooks, security) following the same structure as existing languages.
      Update README.md, README.zh-CN.md, and rules/README.md to document
      Perl support including badges, directory trees, install instructions,
      and rule counts.
  • fix: remove internal sponsor/partner notes from public README
    The "Traction & Distribution" section contained internal business
    context (sponsor-call checklists, partner reporting instructions)
    that doesn't belong in a user-facing README.
  • fix: remove internal sponsor/partner notes from public README
    The "Traction & Distribution" section contained internal business
    context (sponsor-call checklists, partner reporting instructions)
    that doesn't belong in a user-facing README. Moved to docs/business/.
  • feat(CLI): Add Antigravity IDE support via --target antigravity flag
    This Pull Request introduces `--target antigravity` support within the installation script to bridge Everything Claude Code configurations smoothly onto the Antigravity IDE ecosystem.
    
    - Modified `install.sh` to parse and act on the new `--target antigravity` CLI arg.
    - **Flattened Rules Conversion**: Logic automatically copies Language-agnostic (Common/Globs) rules as well as specific language stack rules into `common-*.md` and `{lang}-*.md` structures within `.agent/rules/`.
    - **Workflow & Agent Aggregation**: Commands safely fall in `.agent/workflows/`, and `agents/` alongside `skills/` components are merged into `.agent/skills/`.
    - Contains overwrite warnings to ensure local customized rules aren't completely overridden without consent.
    - Minor updates to `README.md` to properly document the flag addition.
  • feat(skills): add autonomous-loops and plankton-code-quality skills
    - autonomous-loops: 6 loop patterns from simple claude -p pipelines to
      RFC-driven DAG orchestration (Ralphinho, infinite-agentic-loop,
      continuous-claude, de-sloppify pattern)
    - plankton-code-quality: write-time enforcement integration guide
    - README: updated directory listing and Plankton description
    
    Sources: enitrat/ralphinho, disler/infinite-agentic-loop,
    AnandChowdhary/continuous-claude, alexfazio/plankton
  • feat: project-scoped instinct isolation
    * feat: add project-scoped instinct isolation
    
    * fix(continuous-learning-v2): harden instinct loading and promotion safety; sync v2.1 command docs
    
    * fix(ci): make copilot-setup-steps a valid GitHub Actions workflow
    
    * fix(hooks): stabilize docs warning inline JS regex parsing
  • feat: separate core vs niche skills and enforce research-first default
    * Initial plan
    
    * docs: document core skill scope
    
    ---------
    
    Co-authored-by: openai-code-agent[bot] <242516109+Codex@users.noreply.github.com>
  • fix(docs): use namespaced /everything-claude-code:plan in README examples
    When installed as a plugin, /plan triggers Claude Code's built-in plan
    mode instead of the plugin's plan skill. Updated all 4 README files
    (EN, zh-CN, zh-TW, ja-JP) to show the plugin-namespaced form with a
    comment noting the shorter form works for manual installs.
    
    Also fixes markdownlint MD012 violation in chief-of-staff.md (trailing
    double blank line from #280 merge).
    
    Fixes #297
  • feat: add Cursor, Codex, and OpenCode harnesses — maximize every AI coding tool
    - AGENTS.md: universal cross-tool file read by Claude Code, Cursor, Codex, and OpenCode
    - .cursor/: 15 hook events via hooks.json, 16 hook scripts with DRY adapter pattern,
      29 rules (9 common + 20 language-specific) with Cursor YAML frontmatter
    - .codex/: reference config.toml, Codex-specific AGENTS.md supplement,
      10 skills ported to .agents/skills/ with openai.yaml metadata
    - .opencode/: 3 new tools (format-code, lint-check, git-summary), 3 new hooks
      (shell.env, experimental.session.compacting, permission.ask), expanded instructions,
      version bumped to 1.6.0
    - README: fixed Cursor section, added Codex section, added cross-tool parity table
    - install.sh: now copies hooks.json + hooks/ for --target cursor
  • feat: add security guides and sanitize external links across repo
    New articles:
    - the-security-guide.md: "The Shorthand Guide to Securing Your Agent" (595 lines)
      Attack vectors, sandboxing, sanitization, OWASP Top 10, observability
    - the-openclaw-guide.md: "The Hidden Danger of OpenClaw" (470 lines)
      Security analysis of OpenClaw, MiniClaw thesis, industry evidence
    
    External link sanitization (22 files across EN, zh-CN, zh-TW, ja-JP, .cursor):
    - Removed third-party GitHub links from skills and guides
    - Replaced with inline descriptions to prevent transitive prompt injection
    - Kept official org links (Anthropic, Google, Supabase, Mixedbread)
  • chore: update README stats and add Codex platform support
    - Stars: 42K+ -> 50K+, forks: 5K+ -> 6K+, contributors: 24 -> 30
    - Skills: 43 -> 44 (search-first), commands: 31 -> 32 (learn-eval)
    - Add Codex to supported platforms in FAQ
    - Add search-first skill and learn-eval command to directory listing
    - Update OpenCode feature parity table counts