86 Commits

  • Merge pull request #2241 from itkdm/feat/add-vue-ecosystem
    feat: add Vue ecosystem review support (vue-reviewer agent, /vue-review command, vue-patterns skill). Duplicate rules/vue/* kept from #2250; catalog counts reconciled.
  • Merge pull request #2220 from lamenting-hawthorn/feat/agent-self-evaluation
    feat(skills,agents): add agent-self-evaluation skill and agent-evaluator persona. Catalog counts reconciled.
  • feat(agents): add spec-miner agent for brownfield spec extraction (#2253)
    * feat(agents): add spec-miner agent for brownfield spec extraction
    
    Mines behavioral specs (Requirements + Invariants) from existing codebases
    without OpenSpec. Fully self-bootstrapping with sample-and-expand token
    strategy. Produces flat, delta-ready spec.md files with machine-parseable
    metadata (id, entities, enforced, depends_on, triggers).
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    * docs: bump agent catalog count from 64 to 65 for spec-miner
    
    All documentation and plugin manifests now reflect the new agent total.
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    * fix: add spec-miner to routing table and clarify id field requirement
    
    - Add spec-miner to AGENTS.md agent table and orchestration hints
    - Fix id field in output template: was marked [optional] but Rule #7
      requires it when enforced is known
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    * fix: update catalog skills count from 261 to 262 across all docs
    
    The upstream added a 262nd skill but documentation references across 7 files
    still reported 261. The CI validate step (scripts/ci/catalog.js --text) caught
    the mismatch — this only runs on PRs, not on direct pushes to main.
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    * fix: replace emoji characters with text equivalents in spec-miner agent
    
    The unicode safety check (check-unicode-safety.js) blocks emoji characters.
    Replace  with FAIL: per the project's targeted replacement convention.
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    * fix: add Write tool to spec-miner agent tools list
    
    The agent generates spec output files at openspec/specs/<capability>/spec.md
    and requires the Write tool to create them.
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    * fix: address review bot comments - tool guardrails and metadata schema consistency
    
    - Add Tool guardrails section: scoping Write to openspec/specs/ path, Bash to read-only
    - Fix deferred/uncertainty comments to follow key: value schema (deferred: file list, uncertainty: reason)
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    * fix: strengthen Prompt Defense Baseline for repository content and Bash boundaries
    
    Add two defense points: treat all repo content as untrusted prompt-injection
    vector, and explicitly reject Bash commands that mutate, exfiltrate, or write
    outside the allowed openspec/specs/ path.
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    * fix: strip explanatory prose from id metadata comment to preserve key:value format
    
    The id comments included explanatory text after the value, which would be
    stored verbatim in copied specs and break stable delta matching. The
    explanation is already covered by Format Rule #7.
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    * fix: restore README.md to upstream baseline with only catalog count changes
    
    The README was corrupted during cherry-pick conflict resolution — an older fork
    version was introduced, changing release notes links, badge URLs, sponsor
    sections, and other content. Restore to upstream/main (5b173d2) and re-apply
    only the agent count (64→65) using catalog.js --write.
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    * fix: restore all catalog files to upstream baseline, keep only intentional changes
    
    The cherry-pick during rebase introduced a stale fork version of multiple files
    via git checkout --theirs conflict resolution. Restore from upstream/main and
    re-apply only:
    
    - Agent counts: 64→65 (all 7 catalog-tracked files)
    - Skills counts: 261→262 (where needed)
    - AGENTS.md: spec-miner routing table + orchestration hint (our additions)
    
    This reverts unintended regressions:
    - Version downgrades (2.0.0 → 2.0.0-rc.1) in marketplace.json, plugin.json,
      AGENTS.md, docs/zh-CN/AGENTS.md, docs/zh-CN/README.md
    - Badge URL changes (api.ecc.tools dynamic → hardcoded) in Chinese READMEs
    - Deleted v2.0.0 stable release sections in Chinese READMEs
    - Wrong release notes path (2.0.0-rc.1 → 2.0.0) in README.md
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    ---------
    
    Co-authored-by: lege962 <1515808962@qq.com>
    Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
  • feat(agents): add vue-reviewer agent for Vue.js code review
    Add vue-reviewer agent specializing in:
    - Composition API correctness and reactivity pitfalls (ref/reactive/computed/watch)
    - Vue 3.5+ reactive props destructure (stabilized, with watch limitation notes)
    - Composable patterns, template security, accessibility
    - Pinia state management, Vue Router navigation, Nuxt SSR safety
    - Vue-specific performance (shallowRef, v-memo, KeepAlive)
    
    Scope clearly delineated from typescript-reviewer for cross-invocation on .vue PRs.
  • fix: address final lint blockers for agent self-evaluation
    - Replace U+274C cross-mark examples with ASCII FAIL: prefixes
    - Ensure agent-evaluator markdown ends with trailing newline
    - Replace markdown placeholder underscores with bracketed placeholders to satisfy markdownlint MD037
  • fix(agents): harden git commands against pager-based code execution
    Git commands (log, diff, show) can execute arbitrary code via:
    - core.pager set in repo-local .git/config
    - diff.external pointing to an attacker-controlled binary
    - filter drivers in .gitattributes
    
    Mitigation: require --no-pager flag, recommend -c core.pager=cat
    to disable pager-driven execution. Moved git commands from the
    unqualified allowlist to a hardened allowlist with explicit flags.
  • fix(agents): add Bash tool guardrails to agent-evaluator
    List allowed read-only commands (grep, cat, ls, find, head, tail, wc, stat,
    git log/diff/show) and explicitly forbid destructive commands (rm, mv, chmod,
    git push, git commit, sudo, pip/npm install, curl|wget piping to sh). Any
    write/delete/remote-push requires explicit user confirmation.
  • fix: address second-round review comments
    - Replace httpx.Retry references with correct httpx API usage across all files
      (httpx has no built-in Retry class; use HTTPTransport/Limits instead)
    - Fix _check_summary to check first 100 words (not 100 characters)
    - Fix template to only show → improvement arrow for non-5 scores
    - Clarify hook documentation: hook echoes reminder, does not run evaluator
    - Add return type annotation to main()
    - Make required parameter keyword-only in _read_file_or_text
  • fix: address self-evaluation review comments
    - Clarify that agent-evaluator reads skills/agent-self-evaluation/SKILL.md directly
    - Standardize on Conciseness terminology, including helper names
    - Remove invalid Stop hook matcher and avoid unsupported command-expression matcher examples
    - Add explicit hook-integration reference path in SKILL.md
    - Add summary and self-check fields to evaluate.py output, template, and agent spec
    - Refactor evaluate.py clarity and input parsing helpers
    - Remove unused task parameter from check_completeness
    
    Validation:
    - python3 -m py_compile skills/agent-self-evaluation/scripts/evaluate.py
    - evaluate.py high/low example smoke tests
    - node scripts/ci/validate-agents.js
    - node scripts/ci/validate-skills.js
    - node scripts/ci/validate-hooks.js
    - node scripts/ci/validate-no-personal-paths.js
  • fix: align report format across evaluate.py, agent spec, and template
    - evaluate.py: add CRITICAL ISSUES (axes ≤ 2) section, VERDICT line
    - agent-evaluator.md: match format_report output exactly (title, evidence markers, bar graphs)
    - templates/evaluation-report.md: match evaluate.py output format
    - All now produce identical AGENT SELF-EVALUATION REPORT structure
    
    Single authoritative format: evaluate.py's format_report() output.
  • Update agents/agent-evaluator.md
    Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
  • feat(skills,agents): add agent-self-evaluation skill and agent-evaluator persona
    Add structured 5-axis self-evaluation framework for agent output quality:
    - Accuracy, Completeness, Clarity, Actionability, Conciseness
    - Evidence-based scoring with concrete improvement suggestions
    - Standalone Python evaluator script with keyword heuristics
    - Detailed scoring anchors reference guide
    - High-score and low-score annotated examples
    - Reusable evaluation report template
    - Optional hook integration for session-stop evaluation
    
    Agent persona (agent-evaluator) provides a dedicated subagent
    for applying the rubric to agent output with tool-backed verification.
    
    All files tested: Python script runs, examples score correctly
    (high 4.2, low 3.4), frontmatter parses clean, 183 lines (under 500).
  • fix: make plugin hooks run on Node 21+ and green the suite under modern Node (#2184)
    ROOT CAUSE: hooks load plugin-hook-bootstrap.js via
    `node -e "...; process.argv.splice(1,0,s); require(s)"`. On Node 21+,
    require.main is `undefined` under --eval, so the `if (require.main === module)`
    guard was false and main() never ran — every plugin hook silently no-op'd
    (e.g. the MCP-health PreToolUse hook stopped blocking). CI (Node 18/20) hid
    this; it only surfaces on Node 21+. Fix: also run main() when require.main is
    undefined (the eval-bootstrap case), while staying dormant on real imports.
    
    Also clears pre-existing main debt the full local suite enforces:
    - catalog:sync — README/docs agent+skill counts drifted after recent merges
    - tests/ci/supply-chain-watch-workflow: update checkout SHA to the merged v6.0.3 (#2183)
    - markdownlint + check-unicode-safety --write across docs/skills
    
    Suite: 2683/2683 green under Node v25; lint + unicode clean.
    
    Co-authored-by: ECC Test <ecc@example.test>
  • feat(skills): add laravel-security, laravel-tdd, and php-reviewer agent (#2122)
    * feat(skills): add laravel-security, laravel-tdd, and php-reviewer agent
    
    * fix: resolve code review findings across laravel-security, laravel-tdd, and php-reviewer
    
    - laravel-security: replace env() with config() in runtime code,
      replace wildcard trusted proxies with CIDR ranges, remove blanket
      api/* CSRF exclusion, fix validated() return type, add null-safe
      rate limiter user access, sync mimes/extensions allowlists,
      replace #[Encrypted] with ShouldBeEncrypted, fix RateLimited args
    - laravel-tdd: remove global withoutExceptionHandling() from setUp,
      remove contradictory assertNothingOutgoing(), fix undefined
      variable, replace invalid PHPUnit --min-coverage flag
    - php-reviewer: fix Python contamination, add automated check
      requirement to approval criteria
    
    * fix: align php-reviewer approval criteria and use config dot-notation keys
    
    - agents/php-reviewer.md: sync approval criteria with .txt file version
      (add automated checks requirement for consistency across harnesses)
    - skills/laravel-security/SKILL.md: replace raw env names with proper
      Laravel dot-notation config keys (app.key, services.stripe.*, etc.)
      so config() returns valid values instead of null
    
    * fix: remove unnecessary secret validation for SMTP password
  • fix: refresh stale technical content in agents, rules, and skills (#2168)
    Several published examples contained APIs that no longer exist, code that
    does not run, or model versions that drifted from reality:
    
    - agents/performance-optimizer.md used the web-vitals v3 API
      (getCLS/getFID/getLCP/getFCP/getTTFB) and reported FID. web-vitals v4
      renamed the imports to onCLS/onINP/onLCP/onFCP/onTTFB and FID was
      replaced by INP (target < 200ms)
    - rules/common/performance.md pinned stale model versions in the
      model-selection guidance; refresh to the versions the repo itself uses
      (agent.yaml pins claude-opus-4-6) and add the PowerShell variant for
      MAX_THINKING_TOKENS next to the bash export
    - skills/python-patterns/SKILL.md: both get_value examples referenced
      default_value without declaring the parameter (NameError); add
      default_value: Any = None to the EAFP and LBYL signatures
    - skills/frontend-patterns/SKILL.md: the custom useQuery example rebuilt
      refetch whenever callers passed inline fetchers/options, re-triggering
      the effect after every state update (infinite fetch loop). Keep the
      latest fetcher/options in refs so refetch stays referentially stable.
      The PASS-labelled useMemo example mutated its input with in-place sort;
      copy before sorting
    - skills/coding-standards/SKILL.md repeated the same PASS-labelled
      in-place-sort-in-useMemo example; same fix
    - rules/typescript/security.md used a vendor-specific OPENAI_API_KEY in
      generic guidance; switch to a neutral API_KEY
    
    Every hand-maintained copy of the affected content is synced in the same
    change: locale mirrors (ja-JP, ko-KR, pt-BR, tr, zh-CN, zh-TW - each only
    where it carries the affected file) and the .agents/.kiro/.cursor harness
    mirrors. Two structural divergences are left alone and noted here:
    .kiro/steering/performance.md has no extended-thinking control list to
    carry the PowerShell variant, and docs/zh-TW/rules/performance.md keeps an
    older condensed thinking section without the budget-cap line.
    rules/zh/performance.md is intentionally untouched - the rules/zh tree is
    being retired in a separate change
  • Add React language track with agents, skills, rules, and commands (#2024)
    * feat(rules): add rules/react/ track
    
    Five rule files mirroring per-language convention (coding-style,
    hooks, patterns, security, testing). Each has `paths:` glob
    frontmatter for auto-activation when editing matching files.
    
    - coding-style.md: file extensions, naming, JSX, RSC boundary
    - hooks.md: React hooks (NOT Claude Code hooks) — rules-of-hooks,
      dep arrays, cleanup, memoization, React 19 additions
    - patterns.md: container/presentational split, state location
      decision tree, Suspense + error boundaries, forms, data fetching
    - security.md: dangerouslySetInnerHTML, unsafe URL schemes,
      server-action validation, env-var leaks, CSP
    - testing.md: RTL queries, userEvent, async, MSW, axe, anti-patterns
    
    Each file extends typescript/* and common/* rules.
    
    * feat(skills): add react-patterns, react-testing, react-performance
    
    Three new skills under skills/ following the SKILL.md convention.
    
    - react-patterns: React 18/19 idioms — hooks discipline, state
      location decision tree, server/client component boundary,
      Suspense + error boundaries, form actions (React 19), data
      fetching matrix, composition recipes, accessibility-first.
    - react-testing: React Testing Library + Vitest/Jest, query
      priority order, userEvent, MSW network mocking, axe a11y
      assertions, RTL vs Playwright CT boundary, TDD workflow.
    - react-performance: 70-rule performance ruleset adapted from
      Vercel Labs react-best-practices (MIT) across 8 priority
      categories — waterfalls, bundle size, server-side, client
      fetch, re-render, rendering, JS micro, advanced patterns.
      Includes Lighthouse / Web Vitals mapping and attribution to
      upstream.
    
    Cross-links between the three skills and out to frontend-patterns,
    accessibility, e2e-testing, tdd-workflow.
    
    * feat(agents): add react-reviewer and react-build-resolver
    
    Two new agents covering React-specific code review and build error
    resolution, plus matching .kiro/ mirrors and a routing pointer
    edit on typescript-reviewer.
    
    - react-reviewer: slim React-only lanes (hooks rules,
      dangerouslySetInnerHTML, unsafe URL schemes, key prop, state
      mutation, derived-state-in-effect, server/client component
      boundary, accessibility, render performance, Server Action
      validation, env-var leaks). Explicitly delegates generic
      TypeScript/async/Node concerns to typescript-reviewer. Both
      agents should be invoked together on .tsx/.jsx PRs.
    - react-build-resolver: React build/bundler/runtime hydration
      failures across Vite, webpack, Next.js, CRA, Parcel, esbuild,
      Bun, Rsbuild. Handles JSX/TSX compile errors, tsconfig fixes,
      Next.js App Router server/client boundary errors, hydration
      mismatches, duplicated React copies, Tailwind/PostCSS pipeline.
    - .kiro/agents/react-reviewer.json + react-build-resolver.json:
      Kiro IDE format mirrors following the per-language precedent.
    - typescript-reviewer: routing pointer added to its MEDIUM React
      block — defers to /react-review for React-specific concerns
      while keeping its block as fallback for repos that only invoke
      typescript-reviewer.
    
    All agents carry the standard Prompt Defense Baseline stanza.
    
    * feat(commands): add /react-review /react-build /react-test
    
    Three new slash commands invoking the React agents.
    
    - /react-review: invokes react-reviewer. Documents the routing
      rule with typescript-reviewer — both should run together on
      TSX/JSX PRs. Lists CRITICAL/HIGH/MEDIUM rule categories and
      the automated checks (eslint with react-hooks + jsx-a11y,
      tsc --noEmit, npm audit).
    - /react-build: invokes react-build-resolver. Documents bundler
      detection, common failure patterns, fix strategy, and stop
      conditions.
    - /react-test: enforces TDD with React Testing Library + Vitest
      or Jest, behavior-focused queries, userEvent + MSW patterns,
      axe accessibility assertions, coverage targets.
    
    Each command file has the required description: frontmatter and
    follows the per-language command convention (cpp-test, go-test,
    kotlin-test, etc.).
    
    * chore: wire react track into manifests and stack mappings
    
    - agent.yaml: add react-patterns, react-performance, react-testing
      to the skills array; add react-build, react-review, react-test to
      the commands array (alphabetically inserted to satisfy the
      ci/agent-yaml-surface sync test).
    - config/project-stack-mappings.json: extend the `react` stack
      entry — add "react" to rules array (was ["common","typescript",
      "web"]); add react-patterns, react-performance, react-testing,
      accessibility to the skills array.
    - docs/COMMAND-REGISTRY.json: bump totalCommands 75 -> 78; add
      three new entries (react-build, react-review, react-test) with
      primaryAgents / allAgents / skills wiring. react-review's
      allAgents includes typescript-reviewer to reflect the dual-agent
      routing convention.
    - CLAUDE.md: add Skills-table row mapping *.tsx / *.jsx /
      components/** to react-patterns + react-testing skills and
      the /react-review, /react-build, /react-test commands.
    
    * chore(catalog): sync counts to 62 agents / 78 commands / 235 skills
    
    Auto-generated via `node scripts/ci/catalog.js --write --text`
    after the react track additions:
    
    - 2 new agents: react-reviewer, react-build-resolver (60 -> 62)
    - 3 new commands: react-build, react-review, react-test (75 -> 78)
    - 3 new skills: react-patterns, react-performance, react-testing
      (232 -> 235)
    
    Files updated by the catalog sync:
    - .claude-plugin/plugin.json description string
    - .claude-plugin/marketplace.json plugin description
    - README.md quick-start summary, project tree, feature parity tables
    - README.zh-CN.md quick-start summary
    - AGENTS.md project structure summary
    - docs/zh-CN/README.md parity table
    - docs/zh-CN/AGENTS.md project structure summary
    
    All counts now match the filesystem catalog (verified by
    ci/catalog.test.js).
    
    * feat(kiro): add react agent markdown companions to JSON entries
    
    * feat(kiro): add react skills into manifests
    
    * fix(ci): sync catalog counts, registry, and package files for react track
    
    - .claude-plugin/{plugin,marketplace}.json: bump description counts to 62/235/78
    - docs/COMMAND-REGISTRY.json: regenerate to include quality-gate and react commands
    - package.json: add skills/react-{patterns,performance,testing}/ to files allowlist so npm-publish-surface aligns with install-modules manifest
    
    * fix(react): address PR #2024 review feedback
    
    Critical:
    - Remove undefined/.claude/session-aliases.json containing __proto__ prototype-pollution
      fixture committed by accident in a7333c14
    
    High:
    - agents/react-build-resolver.md: replace brittle `test -o $(grep -l ...)` and
      `test -a -n $(grep ...)` detection with explicit `{ ... || grep -q ...; }` so
      bundler detection no longer breaks when grep returns empty
    - agents/react-build-resolver.md: drop hardcoded `npm i react@^19 react-dom@^19`
      remediation; replace with version-agnostic pair-upgrade note that honors the
      project's installed major (17/18/19) — surgical fix principle
    - commands/react-review.md: guard `tsc --noEmit -p tsconfig.json` with
      `[ -f tsconfig.json ] &&` so the review skips cleanly on JS-only projects
    
    Medium:
    - rules/react/security.md: correct the React-18-blocks-javascript-URL claim
      (React only warns in dev; production navigation is not blocked)
    - rules/react/security.md: correct CRA env-var exposure row (CRA exposes
      REACT_APP_*, NODE_ENV, PUBLIC_URL — not 'all' variables)
    - skills/react-testing/SKILL.md: instantiate QueryClient once outside the
      wrapper closure so React Query cache survives re-renders (flaky-test fix)
    - skills/react-testing/SKILL.md: restore console.error spy with mockRestore()
      in a try/finally so the mock does not leak across tests
    - commands/react-test.md: switch outer example-session fence to 4 backticks
      so the inner ```tsx/```bash blocks don't prematurely terminate it
    
    * fix(kiro): mirror react-build-resolver react 19 conditional remediation
    
    Discussion r3272907106 flagged the kiro json variant still carrying the hardcoded
    'npm i react@^19 react-dom@^19' line that the .md companion already dropped.
    Replace with the same conditional, version-agnostic guidance so both variants
    stay in sync.
    
    * fix(react): bump react-build example session fence to 4 backticks
    
    Discussion r3272907144 flagged the same nested-fence issue in
    commands/react-build.md that we fixed earlier in commands/react-test.md.
    The outer triple-backtick text block was being prematurely terminated by
    the inner bash/tsx fences inside the Example Session.
    
    * fix(react): bump react-review example usage fence to 4 backticks
    
    Discussion r3272907201 flagged the same nested-fence issue in
    commands/react-review.md. The outer triple-backtick text block was
    being prematurely terminated by the inner tsx/ts fences inside the
    Example Usage transcript.
    
    * fix(docs): clarify commands row as legacy shims in feature parity table
    
    Discussion r3272912003: README comparison table said 'PASS: 78 commands'
    while the install-section and quick-start prose use 'legacy command shims'.
    Aligned the comparison-table cell to 'PASS: 78 commands (legacy shims)' so
    the count word survives the catalog-validator regex while making the legacy
    nature explicit.
    
    Widened the catalog comparison-table commands regex to tolerate an optional
    parenthetical after the count word, so both the existing 'X commands' and
    the new 'X commands (legacy shims)' phrasings validate without breaking
    older READMEs/translations.
    
    * Update rules/react/security.md
    
    Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
    
    * fix(react): guard tsc in react-build-resolver diagnostic commands
    
    Discussion r3288910205: the agent prompt instructed an unconditional
    'tsc --noEmit -p tsconfig.json', which adds noise (or hard-fails) on
    JavaScript-only projects with no tsconfig.json or no installed TypeScript.
    
    Replaced with 'test -f tsconfig.json && npx --yes tsc --noEmit -p tsconfig.json'
    in both variants:
    - agents/react-build-resolver.md
    - .kiro/agents/react-build-resolver.json (prompt string mirrored)
    
    Mirrors the same guard already applied to commands/react-review.md in de135f61.
    
    * fix(react): pin tsc resolution to local install in build resolver
    
    Discussion r3289054157: previous fix used 'npx --yes tsc' which auto-installs
    the latest TypeScript from npm when none is local, producing version drift
    and non-reproducible typecheck results across machines.
    
    Switched to 'npx --no-install tsc' in both variants so the diagnostic uses
    only the project's pinned TypeScript and fails fast if it isn't installed:
    - agents/react-build-resolver.md
    - .kiro/agents/react-build-resolver.json (prompt string mirrored)
    
    * feat(counts): resolve counts for agents, skills...
    
    * fix(ci): regen command registry for golang-testing entry
    
    Removes stale kotlin-patterns entry to satisfy command-registry:check.
    
    * fix: keep local Claude settings out of React track PR
    
    ---------
    
    Co-authored-by: AlexisLeDain <a.ledain@docoon.com>
    Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
    Co-authored-by: Affaan Mustafa <affaan@dcube.ai>
  • feat: add marketing campaign agent skill and command (#2031)
    Adds marketing-agent, marketing-campaign skill, and marketing-campaign command. Pre-validated in a synthetic current-main merge.
  • docs: tighten agent capability posture
    Remove shell access from two agents that do not need it and reword PyTorch autograd guidance that AgentShield flagged as encoded-payload-like text. AgentShield remains B/75 while findings drop 316->310 and high findings drop 26->21. Local tests passed 2369/2369; full GitHub Actions matrix green.
  • docs: add prompt defense baselines
    Add compact prompt-defense baselines to active ECC prompt surfaces and copied CLAUDE examples. AgentShield prompt-defense findings are now zero; local tests passed 2366/2366.
  • feat: salvage Django Celery workflow (#1812)
    Source: maintainer-owned salvage of useful Django reviewer/build-resolver/Celery work from stale PR #1310 by mrigank2seven.
    
    - add django-reviewer and django-build-resolver agents
    
    - add django-celery skill with timezone-aware scheduling example
    
    - update catalog counts to 60 agents / 221 skills and record the May 12 salvage gap pass
    
    Co-authored-by: MRIGANK GUPTA <mrigank2seven@users.noreply.github.com>
  • feat: add Quarkus handling
    Adds Quarkus handling across the Java skill/reviewer surface, with maintainer follow-up fixes for duplicate catalog entries, required skill sections, localized snippet structure, and current main alignment.\n\nValidation run locally on the final PR head:\n- NODE_PATH=/Users/affoon/GitHub/ECC/everything-claude-code/node_modules node scripts/ci/validate-install-manifests.js\n- NODE_PATH=/Users/affoon/GitHub/ECC/everything-claude-code/node_modules node scripts/ci/validate-skills.js\n- NODE_PATH=/Users/affoon/GitHub/ECC/everything-claude-code/node_modules node scripts/ci/catalog.js --text\n- npx --yes markdownlint-cli docs/ECC-2.0-GA-ROADMAP.md\n- git diff --check\n- NODE_PATH=/Users/affoon/GitHub/ECC/everything-claude-code/node_modules node tests/run-all.js (2324 passed, 0 failed)
  • docs: salvage focused stale PR contributions
    - add Vite and Redis pattern skills from closed stale PRs
    
    - add frontend-slides support assets
    
    - port skill-comply runner fixes and LLM prompt/provider regressions
    
    - harden agent frontmatter validation and sync catalog counts
  • Merge pull request #1445 from affaan-m/fix/plugin-installed-hook-root-resolution
    fix: resolve plugin-installed hook root on marketplace installs
  • Apply suggestion from @greptile-apps[bot]
    Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
  • fix: correct accessibility terminology and code fence in a11y skill and agent
    - Fix inverted focus trap terms: Keyboard Traps -> Uncontained Modal Focus with WCAG SC 2.1.2 reference
    - Fix Step 1 blocker example: missing keyboard traps -> missing focus containment in modals
    - Attach [language] placeholder to opening triple-backtick fence in agent implementation template
  • feat(agents,skills): add opensource-pipeline — 3-agent workflow for safe public releases (#1036)
    * feat(agents,skills): add opensource-pipeline — 3-agent open-source release workflow
    
    Adds a complete pipeline for safely preparing private projects for public
    release: secret stripping (20+ patterns), independent sanitization audit,
    and professional doc generation (CLAUDE.md, setup.sh, README, LICENSE).
    
    Agents added:
    - agents/opensource-forker.md    — copies project, strips secrets, generates .env.example
    - agents/opensource-sanitizer.md — independent PASS/FAIL audit, read-only, 20+ patterns
    - agents/opensource-packager.md  — generates CLAUDE.md, setup.sh, README, LICENSE, CONTRIBUTING
    
    Skill added:
    - skills/opensource-pipeline/SKILL.md — orchestrator: routes /opensource commands, chains agents
    
    Source: https://github.com/herakles-dev/opensource-pipeline (MIT)
    
    * fix: address P1/P2 review findings from Cubic, CodeRabbit, and Greptile
    
    - Collect GitHub org/username in Step 1, use quoted vars in publish command
    - Add 3-attempt retry cap on sanitizer FAIL loop
    - Use dynamic sanitization verdict in final review output
    - Broaden rsync exclusions: .env*, .claude/, .secrets/, secrets/
    - Fix JWT regex to match full 3-segment tokens (header.payload.signature)
    - Broaden GitHub token regex to cover gho_, ghu_ prefixes
    - Fix AWS regex to be case-insensitive, match env var formats
    - Tighten generic env regex: increase min length to 16, add non-secret lookaheads
    - Separate heuristic WARNING patterns from CRITICAL patterns in sanitizer
    - Broaden internal path detection: macOS /Users/, Windows C:\Users\
    - Clarify sanitizer is source-read-only (report writing is allowed)
    
    * fix: flag *.map files as dangerous instead of skipping them
    
    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
    
    ---------
    
    Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
  • feat: add GAN-style generator-evaluator harness (#1029)
    Implements Anthropic's March 2026 harness design pattern — a multi-agent
    architecture that separates generation from evaluation, creating an
    adversarial feedback loop that produces production-quality applications.
    
    Components:
    - 3 agent definitions (planner, generator, evaluator)
    - 1 skill with full documentation (skills/gan-style-harness/)
    - 2 commands (gan-build for full apps, gan-design for frontend)
    - 1 shell orchestrator (scripts/gan-harness.sh)
    - Examples and configuration reference
    
    Based on: https://www.anthropic.com/engineering/harness-design-long-running-apps
    
    Co-authored-by: Hao Chen <haochen806@gmail.com>
  • Merge pull request #926 from xingzihai/feature/pre-commit-quality-hook
    feat(hooks): add pre-commit quality check hook