68 Commits

  • docs: tighten agent capability posture
    Remove shell access from two agents that do not need it and reword PyTorch autograd guidance that AgentShield flagged as encoded-payload-like text. AgentShield remains B/75 while findings drop 316->310 and high findings drop 26->21. Local tests passed 2369/2369; full GitHub Actions matrix green.
  • docs: add prompt defense baselines
    Add compact prompt-defense baselines to active ECC prompt surfaces and copied CLAUDE examples. AgentShield prompt-defense findings are now zero; local tests passed 2366/2366.
  • feat: salvage Django Celery workflow (#1812)
    Source: maintainer-owned salvage of useful Django reviewer/build-resolver/Celery work from stale PR #1310 by mrigank2seven.
    
    - add django-reviewer and django-build-resolver agents
    
    - add django-celery skill with timezone-aware scheduling example
    
    - update catalog counts to 60 agents / 221 skills and record the May 12 salvage gap pass
    
    Co-authored-by: MRIGANK GUPTA <mrigank2seven@users.noreply.github.com>
  • feat: add Quarkus handling
    Adds Quarkus handling across the Java skill/reviewer surface, with maintainer follow-up fixes for duplicate catalog entries, required skill sections, localized snippet structure, and current main alignment.\n\nValidation run locally on the final PR head:\n- NODE_PATH=/Users/affoon/GitHub/ECC/everything-claude-code/node_modules node scripts/ci/validate-install-manifests.js\n- NODE_PATH=/Users/affoon/GitHub/ECC/everything-claude-code/node_modules node scripts/ci/validate-skills.js\n- NODE_PATH=/Users/affoon/GitHub/ECC/everything-claude-code/node_modules node scripts/ci/catalog.js --text\n- npx --yes markdownlint-cli docs/ECC-2.0-GA-ROADMAP.md\n- git diff --check\n- NODE_PATH=/Users/affoon/GitHub/ECC/everything-claude-code/node_modules node tests/run-all.js (2324 passed, 0 failed)
  • docs: salvage focused stale PR contributions
    - add Vite and Redis pattern skills from closed stale PRs
    
    - add frontend-slides support assets
    
    - port skill-comply runner fixes and LLM prompt/provider regressions
    
    - harden agent frontmatter validation and sync catalog counts
  • Merge pull request #1445 from affaan-m/fix/plugin-installed-hook-root-resolution
    fix: resolve plugin-installed hook root on marketplace installs
  • Apply suggestion from @greptile-apps[bot]
    Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
  • fix: correct accessibility terminology and code fence in a11y skill and agent
    - Fix inverted focus trap terms: Keyboard Traps -> Uncontained Modal Focus with WCAG SC 2.1.2 reference
    - Fix Step 1 blocker example: missing keyboard traps -> missing focus containment in modals
    - Attach [language] placeholder to opening triple-backtick fence in agent implementation template
  • feat(agents,skills): add opensource-pipeline — 3-agent workflow for safe public releases (#1036)
    * feat(agents,skills): add opensource-pipeline — 3-agent open-source release workflow
    
    Adds a complete pipeline for safely preparing private projects for public
    release: secret stripping (20+ patterns), independent sanitization audit,
    and professional doc generation (CLAUDE.md, setup.sh, README, LICENSE).
    
    Agents added:
    - agents/opensource-forker.md    — copies project, strips secrets, generates .env.example
    - agents/opensource-sanitizer.md — independent PASS/FAIL audit, read-only, 20+ patterns
    - agents/opensource-packager.md  — generates CLAUDE.md, setup.sh, README, LICENSE, CONTRIBUTING
    
    Skill added:
    - skills/opensource-pipeline/SKILL.md — orchestrator: routes /opensource commands, chains agents
    
    Source: https://github.com/herakles-dev/opensource-pipeline (MIT)
    
    * fix: address P1/P2 review findings from Cubic, CodeRabbit, and Greptile
    
    - Collect GitHub org/username in Step 1, use quoted vars in publish command
    - Add 3-attempt retry cap on sanitizer FAIL loop
    - Use dynamic sanitization verdict in final review output
    - Broaden rsync exclusions: .env*, .claude/, .secrets/, secrets/
    - Fix JWT regex to match full 3-segment tokens (header.payload.signature)
    - Broaden GitHub token regex to cover gho_, ghu_ prefixes
    - Fix AWS regex to be case-insensitive, match env var formats
    - Tighten generic env regex: increase min length to 16, add non-secret lookaheads
    - Separate heuristic WARNING patterns from CRITICAL patterns in sanitizer
    - Broaden internal path detection: macOS /Users/, Windows C:\Users\
    - Clarify sanitizer is source-read-only (report writing is allowed)
    
    * fix: flag *.map files as dangerous instead of skipping them
    
    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
    
    ---------
    
    Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
  • feat: add GAN-style generator-evaluator harness (#1029)
    Implements Anthropic's March 2026 harness design pattern — a multi-agent
    architecture that separates generation from evaluation, creating an
    adversarial feedback loop that produces production-quality applications.
    
    Components:
    - 3 agent definitions (planner, generator, evaluator)
    - 1 skill with full documentation (skills/gan-style-harness/)
    - 2 commands (gan-build for full apps, gan-design for frontend)
    - 1 shell orchestrator (scripts/gan-harness.sh)
    - Examples and configuration reference
    
    Based on: https://www.anthropic.com/engineering/harness-design-long-running-apps
    
    Co-authored-by: Hao Chen <haochen806@gmail.com>
  • Merge pull request #926 from xingzihai/feature/pre-commit-quality-hook
    feat(hooks): add pre-commit quality check hook
  • feat: add healthcare domain skills and agent
    New skills:
    - healthcare-emr-patterns: EMR/EHR encounter workflows, smart templates, medication safety, clinical UI patterns
    - healthcare-phi-compliance: PHI/PII protection patterns, RLS templates, leak vector checklist, audit trail patterns
    - healthcare-cdss-patterns: Drug interaction checking, dose validation, clinical scoring (NEWS2/qSOFA), alert severity
    - healthcare-eval-harness: Patient safety CI/CD gate — CDSS accuracy, PHI exposure, data integrity, clinical workflows
    
    New agent:
    - healthcare-reviewer: Clinical safety reviewer for CDSS accuracy, PHI compliance, medical data integrity
    
    All patterns are generalized and framework-agnostic. Applicable to any health-tech stack.
    Origin: Health1 Super Speciality Hospitals, Ahmedabad, India.
  • feat(agents): add flutter-reviewer agent and skill (#716)
    Library-agnostic Flutter/Dart code reviewer that adapts to the project's
    chosen state management solution (BLoC, Riverpod, Provider, GetX, MobX,
    Signals) and architecture pattern (Clean Architecture, MVVM, feature-first).
    
    Co-authored-by: Maciej Starosielec <maciej@code-snap.com>
    Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
  • feat(agents): add pytorch-build-resolver agent (#549)
    Adds pytorch-build-resolver agent for PyTorch runtime/CUDA error resolution, following established agent format.
  • feat(agents): add typescript-reviewer agent (#647)
    Adds typescript-reviewer agent following the established agent format, covering type safety, async correctness, security, and React/Next.js patterns.
  • feat: add C++ language support and hook tests (#539)
    - agents: cpp-build-resolver, cpp-reviewer
    - commands: cpp-build, cpp-review, cpp-test
    - rules: cpp/ (coding-style, hooks, patterns, security, testing)
    - tests: 9 new hook test files with comprehensive coverage
    
    Cherry-picked from PR #436.
  • feat(agents): add java-reviewer agent (#528)
    * Add java-reviewer agent for Java and Spring Boot code review
    
    * Fix java-reviewer: update tools format, git diff scope, diagnostic commands, AGENTS.md registration
    
    * Fix: correct skill reference, add command injection check, update agent count to 17
    
    * Fix: report-only disclaimer, path traversal, split ScriptEngine, escalation note, agent count 19
  • feat(commands): add /docs; feat(mcp-configs): document Context7 (#530)
    * feat(commands): add /docs; feat(agents): add docs-lookup; feat(mcp-configs): document Context7; docs: add MCP subsection to CONTRIBUTING
    
    Made-with: Cursor
    
    * fix: address PR review — use Context7 MCP tool names in docs-lookup agent; CONTRIBUTING Agent Fields + MCP wording; mcp-config description; /docs quoted example; treat fetched docs as untrusted
    
    Made-with: Cursor
    
    * docs-lookup: note that harness may expose Context7 tools under prefixed names
    
    Made-with: Cursor
    
    * docs-lookup: examples use prefixed tool names (mcp__context7__*) for resolution
    
    Made-with: Cursor
  • feat(agents): add Rust language support (#523)
    * feat(agents): add Rust language support — reviewer, build resolver, patterns, and testing
    
    Add Rust-specific agents and skills following the established Go/Kotlin pattern:
    - agents/rust-reviewer.md: ownership, lifetimes, unsafe audit, clippy, error handling
    - agents/rust-build-resolver.md: cargo build errors, borrow checker, dependency resolution
    - skills/rust-patterns/SKILL.md: idiomatic Rust patterns and best practices
    - skills/rust-testing/SKILL.md: TDD, unit/integration/async/property-based testing
    
    * fix(agents): correct Rust examples for accuracy and consistency
    
    - unsafe fn: add inner unsafe {} block for Rust 2024 edition compliance
    - edition: update from 2021 to 2024 as current default
    - rstest: add missing fixture import
    - mockall: add missing predicate::eq import
    - concurrency: use sync_channel (bounded) and expect() over unwrap()
      to align with rust-reviewer's HIGH-priority review checks
    
    * fix(skills): correct compilation issues in Rust code examples
    
    - collect: add .copied() for &str iterator into String
    - tokio import: remove unused sleep, keep Duration
    - async test: add missing Duration import
    
    * fix(skills): move --no-fail-fast before test-binary args
    
    --no-fail-fast is a Cargo option, not a test binary flag.
    Placing it after -- forwards it to the test harness where it is
    unrecognized.
    
    * fix(agents): distinguish missing cargo-audit from real audit failures
    
    Check if cargo-audit is installed before running it, so actual
    vulnerability findings are not suppressed by the fallback message.
    
    * fix: address automated review findings across all Rust files
    
    - build-resolver: prefer scoped cargo update over full refresh
    - testing: add Cargo.toml bench config with harness = false for criterion
    - testing: condense TDD example to stay under 500-line limit
    - patterns: use expect() over unwrap() on JoinHandle for consistency
    - patterns: add explicit lifetime to unsafe FFI return reference
    - reviewer: replace misleading "string interpolation" with concrete alternatives
    
    * fix: align with CONTRIBUTING.md conventions
    
    - skills: rename "When to Activate" to "When to Use" per template
    - reviewer: add cargo check gate before starting review
    
    * fix(agents): guard cargo-audit and cargo-deny with availability checks
    
    Match the pattern used in rust-build-resolver to avoid command-not-found
    errors when optional tools are not installed.
    
    * fix: address second round of automated review findings
    
    - testing: split TDD example into separate code blocks to avoid
      duplicate fn definition in single block
    - build-resolver/reviewer: use if/then/else instead of && ... ||
      chaining for cargo-audit/deny to avoid masking real failures
    - build-resolver: add MSRV caveat to edition upgrade guidance
    
    * feat: add Rust slash commands for build, review, and test
    
    Add commands/rust-build.md, commands/rust-review.md, and
    commands/rust-test.md to provide consistent user entrypoints
    matching the existing Go and Kotlin command patterns.
    
    * fix(commands): improve rust-build accuracy and tone
    
    - Restructure-first borrow fix example instead of clone-first
    - Realistic cargo test output format (per-test lines, not per-file)
    - Align "Parse Errors" step with actual resolver behavior
    - Prefer restructuring over cloning in common errors table
    
    * fix: address cubic-dev-ai review findings on commands
    
    - Gate review on all automated checks, not just cargo check
    - Use git diff HEAD~1 / git diff main...HEAD for PR file selection
    - Fix #[must_use] guidance: Result is already must_use by type
    - Remove error-masking fallback on cargo tree --duplicates
    
    * fix: address remaining review findings across all bots
    
    - Add rust-reviewer and rust-build-resolver to AGENTS.md registry
    - Update agent count from 16 to 18
    - Mark parse_config doctest as no_run (body is todo!())
    - Add "How It Works" section to both Rust skills
    - Replace cargo install with taiki-e/install-action in CI snippet
    - Trim tarpaulin section to stay under 500-line limit
    
    * fix(agents): align rust-reviewer invocation with command spec
    
    - Use git diff HEAD~1 / main...HEAD instead of bare git diff
    - Add cargo test as explicit step before review begins
    
    * fix(skills): address cubic review on patterns and testing
    
    - Remove Tokio-specific language from How It Works summary
    - Add cargo-llvm-cov install note in coverage section
    - Revert no_run on doctest examples (illustrative code, not compiled)
    
    * fix(skills): use expect on thread join for consistency
    
    Replace handle.join().unwrap() with .expect("worker thread panicked")
    to match the .expect("mutex poisoned") pattern used above.
    
    * fix(agents): gate review on all automated checks, not just cargo check
    
    Consolidate check/clippy/fmt/test into a single gate step that
    stops and reports if any fail, matching the command spec.
    
    * fix(skills): replace unwrap with expect in channel example
    
    Use .expect("receiver disconnected") on tx.send() for consistency
    with the .expect() convention used in all other concurrency examples.
    
    * fix: address final review round — OpenCode mirrors, counts, examples
    
    - Add .opencode/commands/rust-{build,review,test}.md mirrors
    - Add .opencode/prompts/agents/rust-{build-resolver,reviewer}.txt mirrors
    - Fix AGENTS.md count to 20 (add missing kotlin agents to table)
    - Fix review example: all checks pass (consistent with gate policy)
    - Replace should_panic doctest with is_err() (consistent with best practices)
    - Trim testing commands to stay at 500-line limit
    
    * fix: address cubic and greptile review on OpenCode files and agents
    
    - Fix crate::module import guidance (internal path, not Cargo.toml)
    - Add cargo fmt --check to verification steps
    - Fix TDD GREEN example to handle error path (validate(input)?)
    - Scope .context() guidance to anyhow/eyre application code
    - Update command count from 40 to 51
    - Add tokio channel variants to unbounded channel warning
    - Preserve JoinError context in spawned task panic message
    
    * fix: stale command count, channel guidance, cargo tree fallback
    
    - Fix stale command count in Project Structure section (40→51)
    - Clarify unbounded channel rule: context-appropriate bounded alternatives
    - Remove dead cargo tree fallback (exits 0 even with no duplicates)
    - Sync OpenCode reviewer mirror with tokio channel coverage