Commit Graph

1579 Commits

  • docs: salvage focused stale PR contributions
    - add Vite and Redis pattern skills from closed stale PRs
    
    - add frontend-slides support assets
    
    - port skill-comply runner fixes and LLM prompt/provider regressions
    
    - harden agent frontmatter validation and sync catalog counts
  • docs: salvage focused skill curation updates (#1723)
    Port the safe, narrow pieces from contributor PR #1694 without taking the broad 11-skill rewrite.
    
    - add drift-prone warnings to external research/media/API skills
    
    - make search-first verify tool availability and use current agent naming
    
    - remove unsafe in-memory rate limiter example from backend patterns
    
    - tighten the CSP example in security-review
    
    Validation: node scripts/ci/validate-skills.js --strict; npx markdownlint targeted skill files; node tests/ci/validators.test.js && node tests/ci/catalog.test.js; npm run lint; node tests/run-all.js
  • docs: port Russian README translation (#1722)
    * docs: add Russian README translation
    
    * docs: update README language label
    
    * docs: sync Russian README catalog counts
    
    ---------
    
    Co-authored-by: Nikita <nkovalenko1@icloud.com>
  • fix: port continuous-learning observer fixes
    Ports continuous-learning observer signal, storage, remote normalization, and v1 deprecation fixes onto current main.
  • fix: harden CI validators
    Ports personal-path validator hardening and quoted checkout detection onto current main.
  • fix: port hook session and dashboard safety fixes
    Ports suggest-compact session_id isolation and dashboard terminal/document launch safety onto current main.
  • fix: sync skill frontmatter and catalog counts
    Adds missing skill frontmatter, normalizes strict YAML metadata, syncs README catalog counts, and extends catalog validation for README/plugin/marketplace count drift.
  • feat(skills): add flox-environments skill (#1317)
    * feat(skills): add flox-environments skill
    
    Add a skill for creating reproducible, cross-platform development
    environments with Flox. Covers manifest structure, package installation
    patterns, language-specific recipes (Python, Node, Rust, Go, C/C++),
    hooks/profile configuration, anti-patterns, environment sharing, and
    AI-assisted/vibe coding workflows.
    
    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    
    * fix(skills): address review feedback on flox-environments
    
    - Add initdb guard to full-stack example so PostgreSQL works on first run
    - Replace hardcoded /tmp path with mktemp in agent workflow snippet
    
    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    
    * fix(skills): use variable for mktemp path in agent workflow
    
    $_ resolves to the previous command's last argument (-c), not the
    mktemp path. Use an explicit variable instead.
    
    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    
    * Update skills/flox-environments/SKILL.md
    
    Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
  • feat: add ios-icon-gen skill (#1356)
    * feat: add ios-icon-gen skill for Xcode asset catalog icon generation
    
    Add a skill that generates PNG icon imagesets (1x, 2x, 3x) for Xcode
    asset catalogs from two sources:
    
    - Iconify API: 275k+ open source icons from 200+ collections
      (Material Design, Phosphor, Tabler, Lucide, etc.)
    - SF Symbols: 5k+ Apple-native symbols (macOS only)
    
    Includes search, preview, and generation scripts with customizable
    size, color, weight, and direct output to asset catalogs.
    
    * fix: address PR review feedback for ios-icon-gen skill
    
    Security:
    - Fix shell injection in iconify_gen.sh by passing query via sys.argv
      instead of interpolating into Python string literal
    
    Robustness:
    - Replace all try!/force-unwrap with do/try/catch and guard let in
      generate_icons.swift for graceful error handling
    - Add option value validation (require_value/requireOptionValue) in
      both scripts to prevent crashes on missing flag values
    - Add curl timeouts (--connect-timeout 10, --max-time 30) to all
      network calls
    - Add sips conversion failure warnings instead of silent suppression
    - Add error handling for curl in list_collections
    
    Documentation:
    - Rename SKILL.md sections to "When to Use", "How It Works", "Examples"
      to match repo conventions
    
    * fix: restore canonical SKILL.md headers and validate color/weight CLI inputs
    
    - Revert SKILL.md section headers back to "When to Activate" and
      "Core Principles" per CONTRIBUTING.md and SKILL-DEVELOPMENT-GUIDE.md
      (the prior rename to "When to Use"/"How It Works" was incorrect)
    - Validate --color as a 6-digit hex code at parse time instead of
      silently falling back to the default gray
    - Validate --weight against the known set of font weights instead of
      silently falling back to thin
    
    ---------
    
    Co-authored-by: Quang Tran <16215255+trmquang93@users.noreply.github.com>
  • feat: add tinystruct-patterns skill and bootstrapping guidance (#1336)
    * feat: add tinystruct-patterns skill and bootstrapping guidance
    
    * docs(skills): restructuralize tinystruct-patterns to standard skill format
    
    - Reorganize SKILL.md and all reference documents into "When to Use", "How It Works", and "Examples" sections to conform to project standards.
    - Refine data-handling.md example to return Builder objects directly, leveraging framework auto-serialization.
    - Simplify @Action examples in routing.md for better readability.
    - Clarify framework mechanics including CLI bootstrapping via ApplicationManager.init(), event-driven architecture, and regex-based routing.
    
    * Update skills/tinystruct-patterns/references/testing.md
    
    Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
    
    * Update skills/tinystruct-patterns/SKILL.md
    
    Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
    
    * Update skills/tinystruct-patterns/references/routing.md
    
    Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
    
    * Update skills/tinystruct-patterns/references/testing.md
    
    Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
    
    * Update skills/tinystruct-patterns/references/testing.md
    
    Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
    Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
  • fix(ci): flag SKILL.md frontmatter defects in validate-skills (#1669)
    * fix(ci): flag SKILL.md frontmatter defects in validate-skills
    
    Issue #1663 reported two SKILL.md frontmatter defects (missing `name:`
    on skill-stocktake; literal block-scalar `description: |-` on
    openclaw-persona-forge) that PR #1664 addresses at the data level.
    
    This change is complementary: it extends `scripts/ci/validate-skills.js`
    to catch the same class of defect statically going forward, so the
    frontmatter-vs-renderer problems do not silently reappear as new skills
    land.
    
    ## Checks added
    - Frontmatter must declare a `name:` field.
    - Frontmatter `description:` must not use a literal block scalar
      (`|` / `|-` / `|+`) — these preserve internal newlines and break
      flat-table renderers keyed off `description`. Folded (`>`) and inline
      strings are accepted.
    
    ## Behavior
    - Frontmatter findings default to WARN (exit 0) so this PR does not
      break CI while the two known offenders are still on main. Pass
      `--strict` or set `CI_STRICT_SKILLS=1` to promote them to ERROR
      (exit 1). Structural findings (missing / empty SKILL.md) remain
      errors as before.
    - Today against main, the validator reports exactly two warnings —
      the same two files called out in #1663 — and exits 0. When #1664
      lands, the validator reports zero warnings, at which point strict
      mode can be enabled in CI.
    
    ## Parser notes
    - Bespoke frontmatter parser mirrors the style of `validate-agents.js`
      (tolerant of UTF-8 BOM and CRLF; no new npm dependency).
    - Block-scalar continuation lines are skipped so keys inside a block
      scalar are not mistaken for top-level keys.
    - Hidden directories (`.something/`) under skills/ are now skipped.
    
    ## Tests
    Adds five focused tests to `tests/ci/validators.test.js`:
    - warns when frontmatter is missing `name` (default mode)
    - errors when frontmatter is missing `name` (--strict mode)
    - warns on literal block-scalar description (|-)
    - accepts folded (>) and inline descriptions under --strict
    - skips hidden directories under skills/
    
    ## Docs
    Adds two bullets to the `Skill Checklist` in CONTRIBUTING.md covering
    the two rules now surfaced by the validator.
    
    Refs #1663. Complements (does not compete with) #1664.
    
    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
    
    * fix(ci): harden SKILL.md frontmatter checks after bot review
    
    Address findings from CodeRabbit, Greptile, and cubic on #1669:
    
    - Guard empty or whitespace-only `name:` values. Previously
      `name:    ` silently passed because the presence check only
      tested key-set membership; now inspectFrontmatter captures
      trimmed values and validate flags an explicit 'name is empty'
      WARN/ERROR.
    - Broaden block-scalar detection to cover YAML 1.2 indent
      indicators (`|2`, `|-2`, `>2-`) and trailing comments
      (`|-  # note`). The old regex required a bare `|`/`>` with
      optional `+`/`-`, which let valid-but-disallowed forms slip
      through.
    - Update CONTRIBUTING.md checklist to list `|+` alongside `|`
      and `|-` for parity with the validator.
    - Extend runSkillsValidator to accept env overrides and add four
      regression tests: empty name, |+ description, |-2 + comment, and
      CI_STRICT_SKILLS=1.
    
    * fix(ci): address round-2 review on validate-skills frontmatter
    
    - Tighten extractFrontmatter closing delimiter to require a newline or
      end-of-file after the closing `---`, so body lines beginning with
      `---text` are not parsed as frontmatter (CodeRabbit).
    - Strip both trailing and comment-only values in inspectFrontmatter, so
      `name: # todo` is surfaced as empty rather than silently passing
      (cubic P2).
    - Extract validateSkillDir helper so the per-directory validation
      block moves out of validateSkills, keeping both functions under the
      50-line guideline (CodeRabbit nit).
    - Hoist runSkillsValidator to module scope in the test harness and
      share the spawnSync import with execFileSync so the helper stops
      re-requiring child_process on every invocation (CodeRabbit nit).
    - Add regression tests: comment-only `name:` values must fail strict
      mode; `---trailing` body lines must not be parsed as frontmatter.
    
    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
    
    * Update tests/ci/validators.test.js
    
    Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
    Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
  • fix(hooks): resolve MCP health-check spawn ENOENT on Windows (#1456)
    * fix(hooks): resolve MCP health-check spawn ENOENT on Windows
    
    On Windows, commands like 'npx' are batch files (npx.cmd) that require
    shell expansion to resolve via PATH. Without shell: true, Node.js
    spawn() fails with ENOENT.
    
    However, absolute paths (e.g. C:\Program Files\nodejs\node.exe) must
    NOT use shell mode because cmd.exe misparses paths containing spaces.
    
    Fix: enable shell mode only for non-absolute commands on Windows, using
    path.isAbsolute() to distinguish. This matches how attemptReconnect()
    already handles the shell option.
    
    Fixes #1455
    
    * fix(hooks): harden Windows shell spawn — validate command for metacharacters
    
    Addresses bot review feedback on PR #1456:
    
    - Add UNSAFE_SHELL_CHARS regex to guard against shell injection when
      needsShell=true: cmd.exe operators (&, |, <, >, ^, %, !, (), ;,
      whitespace) are rejected before shell mode is enabled
    - Add typeof command === 'string' check so path.isAbsolute() cannot
      throw on malformed non-string command values
    - Rename test to 'via PATH resolution' (not Windows-only; runs all platforms)
    - Fix misleading test comment: 'node' resolves via PATH like npx.cmd but
      does not itself use .cmd; comment now accurately reflects the intent
    
    * fix(hooks): kill full process tree on Windows when shell mode is used
    
    When needsShell=true, the spawned child is cmd.exe. Calling child.kill()
    only terminates the shell, leaving the real server process orphaned.
    
    Use taskkill /PID <pid> /T /F on Windows+shell to kill the entire
    process tree rooted at cmd.exe. Fall back to SIGTERM+SIGKILL on all
    other platforms or when shell mode is not active.
    
    * fix(hooks): fall back to child.kill() when taskkill fails
    
    Windows taskkill can fail if it's not on PATH, the process already
    exited, or permissions are denied. Previously the failure was silently
    ignored and no kill signal reached the child.
    
    Now: capture the spawnSync result and fall back to child.kill('SIGKILL')
    on any taskkill error or non-zero status. This still may leak a
    detached server process but at least guarantees the cmd.exe shell is
    signaled.
  • docs(strategic-compact): fix hook command path in zh-CN/zh-TW/ja-JP SKILL.md (#1701)
    Extends the hook command path correction from PR #1682 (English source) to
    the zh-CN, zh-TW, and ja-JP translated mirrors so the PreToolUse hook
    example matches the actual script location at
    ~/.claude/scripts/hooks/suggest-compact.js.
    
    Changes per locale:
    
    - docs/zh-CN/skills/strategic-compact/SKILL.md: update both command strings
      from ~/.claude/skills/strategic-compact/suggest-compact.js to
      ~/.claude/scripts/hooks/suggest-compact.js.
    
    - docs/zh-TW/skills/strategic-compact/SKILL.md: replace the outdated
      suggest-compact.sh reference (the .sh variant was removed in merged PR
      #41) with the current node-invoked suggest-compact.js, and align the
      matcher block structure with the English canonical SKILL.md post-#1682.
    
    - docs/ja-JP/skills/strategic-compact/SKILL.md: same .sh -> .js migration
      and matcher alignment as zh-TW.
    
    The ko-KR mirror already uses the correct CLAUDE_PLUGIN_ROOT-based hook
    path and needs no change.
    
    Refs #1675
  • docs(strategic-compact): fix hook command path in SKILL.md (#1682)
    The Hook Setup example pointed to
    `~/.claude/skills/strategic-compact/suggest-compact.js`, which does not
    exist in the current repo layout. The cross-platform Node.js hook ships
    at `scripts/hooks/suggest-compact.js` and is installed to
    `~/.claude/scripts/hooks/suggest-compact.js`.
    
    Anyone copy-pasting the documented config hit a broken hook command.
    
    Closes #1675
    
    Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
  • build(deps): bump the minor-and-patch group across 1 directory with 3 updates (#1582)
    Bumps the minor-and-patch group with 3 updates in the / directory: [ajv](https://github.com/ajv-validator/ajv), @opencode-ai/plugin and [globals](https://github.com/sindresorhus/globals).
    
    
    Updates `ajv` from 8.18.0 to 8.20.0
    - [Release notes](https://github.com/ajv-validator/ajv/releases)
    - [Commits](https://github.com/ajv-validator/ajv/compare/v8.18.0...v8.20.0)
    
    Updates `@opencode-ai/plugin` from 1.3.15 to 1.14.33
    
    Updates `globals` from 17.4.0 to 17.6.0
    - [Release notes](https://github.com/sindresorhus/globals/releases)
    - [Commits](https://github.com/sindresorhus/globals/compare/v17.4.0...v17.6.0)
    
    ---
    updated-dependencies:
    - dependency-name: "@opencode-ai/plugin"
      dependency-version: 1.14.25
      dependency-type: direct:development
      update-type: version-update:semver-minor
      dependency-group: minor-and-patch
    - dependency-name: ajv
      dependency-version: 8.20.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: minor-and-patch
    - dependency-name: globals
      dependency-version: 17.5.0
      dependency-type: direct:development
      update-type: version-update:semver-minor
      dependency-group: minor-and-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • build(deps): bump pnpm/action-setup from 6.0.0 to 6.0.6 (#1708)
    Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 6.0.0 to 6.0.6.
    - [Release notes](https://github.com/pnpm/action-setup/releases)
    - [Commits](https://github.com/pnpm/action-setup/compare/08c4be7e2e672a47d11bd04269e27e5f3e8529cb...91ab88e2619ed1f46221f0ba42d1492c02baf788)
    
    ---
    updated-dependencies:
    - dependency-name: pnpm/action-setup
      dependency-version: 6.0.6
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • build(deps): bump fast-uri from 3.1.0 to 3.1.2 (#1703)
    Bumps [fast-uri](https://github.com/fastify/fast-uri) from 3.1.0 to 3.1.2.
    - [Release notes](https://github.com/fastify/fast-uri/releases)
    - [Commits](https://github.com/fastify/fast-uri/compare/v3.1.0...v3.1.2)
    
    ---
    updated-dependencies:
    - dependency-name: fast-uri
      dependency-version: 3.1.2
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • chore(deps): bump actions/cache from 5.0.4 to 5.0.5 (#1497)
    Bumps [actions/cache](https://github.com/actions/cache) from 5.0.4 to 5.0.5.
    - [Release notes](https://github.com/actions/cache/releases)
    - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
    - [Commits](https://github.com/actions/cache/compare/668228422ae6a00e4ad889ee87cd7109ec5666a7...27d5ce7f107fe9357f9df03efb73ab90386fccae)
    
    ---
    updated-dependencies:
    - dependency-name: actions/cache
      dependency-version: 5.0.5
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>