Commit Graph

2090 Commits

  • feat(commands): add /vue-review slash command
    Add commands/vue-review.md providing:
    - /vue-review command entry point for Vue.js code review
    - Automated checks: eslint with eslint-plugin-vue, vue-tsc, npm audit
    - Review categories with severity (CRITICAL/HIGH/MEDIUM)
    - Vue 3.5+ specific items: reactive props destructure, useTemplateRef, onWatcherCleanup
    - Scope vs /code-review and typescript-reviewer (non-overlapping lanes)
    - Example review report output format
    - Integration guidance with build/test commands
  • feat(skills): add vue-patterns skill for Vue.js 3 best practices
    Add skills/vue-patterns/SKILL.md covering:
    - Project structure (feature-first layout, file naming)
    - Component architecture (SFC order, presentational vs container, props/emits)
    - Composables (use prefix, MaybeRef/toValue, cleanup, vs mixins)
    - State management decision tree (local → props → provide/inject → Pinia → server state)
    - Vue Router patterns (lazy loading, navigation guards, reactive params)
    - Template patterns (v-if/v-else, v-show, v-for, v-model with defineModel)
    - Performance techniques (shallowRef, v-memo, v-once, KeepAlive, Suspense)
    - Testing stack and patterns (Vitest, Vue Test Utils, Pinia testing)
    - Nuxt-specific patterns (auto-imports, useAsyncData, server routes, runtime config)
    - Vue 3.5+ new APIs section: reactive props destructure, useTemplateRef,
      onWatcherCleanup, useId, defer Teleport, lazy hydration
    - Anti-patterns table with Vue 3.5+ version-specific notes
  • feat(rules): add Vue testing rules
    Add rules/vue/testing.md:
    - Vitest + Vue Test Utils + @pinia/testing stack
    - Component mounting (mount vs shallowMount), stubs and mocks
    - Composable testing with effectScope and mountComposable helper
    - Pinia store testing pattern (setActivePinia + )
    - Vue Router testing with createMemoryHistory
    - Async assertion pitfalls (flushPromises/nextTick)
    - Testing implementation details vs rendered output
    - Coverage thresholds: 80%+ for composables/stores, smoke tests for components
    - Vitest configuration with jsdom environment and v8 coverage
  • feat(rules): add Vue architecture patterns and security rules
    Add rules/vue/patterns.md:
    - Presentational vs Container component design
    - Provide/Inject, Scoped Slots, Teleport (with 3.5+ defer prop)
    - State management decision tree and Pinia Setup Store patterns
    - Vue Router navigation guards, lazy loading, reactive route params
    - v-for/v-if patterns, v-model (Vue 3.4+ defineModel)
    - Scoped CSS (:deep, :slotted), KeepAlive with max, Dynamic Components
    - Vue 3.5+ new APIs: useId(), data-allow-mismatch, Suspense
    - Nuxt-specific patterns and Vue 2 migration notes
    
    Add rules/vue/security.md:
    - v-html XSS audit (DOMPurify sanitization checklist)
    - Unsafe URL binding validation (javascript:/data: scheme prevention)
    - Custom directive innerHTML injection
    - Secret exposure via VITE_ prefix and Nuxt runtimeConfig
    - Nuxt Nitro server API input validation with zod
    - localStorage/sessionStorage token risks, SSR browser API guards
    - target=_blank rel=noopener, CSP minimum policy
    - Prototype pollution, source maps in production
    - Vue 3.5+ SSR hydration mismatch security notes
  • feat(rules): add Vue coding-style and composables/reactivity rules
    Add rules/vue/coding-style.md:
    - <script setup> Composition API enforcement
    - Naming conventions (PascalCase components, useCamelCase composables)
    - SFC structure order, props/emits/slots patterns
    - Vue 3.5+ reactive props destructure with native default values
    - Template conventions, import ordering
    
    Add rules/vue/hooks.md:
    - ref() vs reactive() guidance and replacement pitfalls
    - Vue 3.5+ reactive props destructure (version-specific: Vue<3.5 loses reactivity, 3.5+ reactive by default with watch limitation)
    - computed() purity rules, watch vs watchEffect comparison
    - Watcher cleanup with onWatcherCleanup() (Vue 3.5+) and onCleanup callback
    - useTemplateRef() (Vue 3.5+) replacing name-matched plain refs
    - Composable conventions (use prefix, reactive returns, MaybeRef inputs)
    - shallowRef/shallowReactive for large data structures
  • feat(agents): add vue-reviewer agent for Vue.js code review
    Add vue-reviewer agent specializing in:
    - Composition API correctness and reactivity pitfalls (ref/reactive/computed/watch)
    - Vue 3.5+ reactive props destructure (stabilized, with watch limitation notes)
    - Composable patterns, template security, accessibility
    - Pinia state management, Vue Router navigation, Nuxt SSR safety
    - Vue-specific performance (shallowRef, v-memo, KeepAlive)
    
    Scope clearly delineated from typescript-reviewer for cross-invocation on .vue PRs.
  • fix: context-size /compact trigger, Codex marketplace plugin path, live README badges (#2237)
    - suggest-compact hook now reads the latest usage record from the session
      transcript and suggests /compact at a window-scaled token threshold
      (160k/200k window, 250k/1M window; COMPACT_CONTEXT_THRESHOLD and
      COMPACT_CONTEXT_INTERVAL overridable), re-firing per 60k-token growth
      bucket; tool-call count stays as the secondary signal (#2155)
    - Codex repo marketplace now points at ./plugins/ecc instead of ./ — Codex
      never discovers plugins whose local marketplace source.path is the
      marketplace root (verified on Codex CLI 0.137.0); plugins/ecc is a thin
      folder referencing root skills/.mcp.json per maintainer direction on
      #2097; docs flag plugin mode as experimental with the upstream blocker
      openai/codex#26037 linked (#2128)
    - README badges for installs/stars/forks now use shields endpoint badges
      backed by api.ecc.tools (live install count 3,712 vs the stale static
      150), which also eliminates shields' 'Unable to select next GitHub token
      from pool' render in the stars badge
    
    Closes #2155
    Closes #2128
  • chore(deps): bump rusqlite from 0.32.1 to 0.40.1 in /ecc2 (#2211)
    * chore(deps): bump rusqlite from 0.32.1 to 0.40.1 in /ecc2
    
    Bumps [rusqlite](https://github.com/rusqlite/rusqlite) from 0.32.1 to 0.40.1.
    - [Release notes](https://github.com/rusqlite/rusqlite/releases)
    - [Changelog](https://github.com/rusqlite/rusqlite/blob/master/Changelog.md)
    - [Commits](https://github.com/rusqlite/rusqlite/compare/v0.32.1...v0.40.1)
    
    ---
    updated-dependencies:
    - dependency-name: rusqlite
      dependency-version: 0.40.1
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    
    * fix(ecc2): cast u64 columns at sqlite boundary for rusqlite 0.40
    
    rusqlite 0.40 removed the u64 ToSql/FromSql impls (SQLite stores
    INTEGER as i64). Cast token counts, durations, counts, and paging
    values to/from i64 at each bind/read site in session/store.rs.
    
    ---------
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Affaan Mustafa <me@affaanmustafa.com>
  • chore(deps): bump crossterm from 0.28.1 to 0.29.0 in /ecc2 (#2210)
    * chore(deps): bump crossterm from 0.28.1 to 0.29.0 in /ecc2
    
    Bumps [crossterm](https://github.com/crossterm-rs/crossterm) from 0.28.1 to 0.29.0.
    - [Release notes](https://github.com/crossterm-rs/crossterm/releases)
    - [Changelog](https://github.com/crossterm-rs/crossterm/blob/master/CHANGELOG.md)
    - [Commits](https://github.com/crossterm-rs/crossterm/commits/0.29)
    
    ---
    updated-dependencies:
    - dependency-name: crossterm
      dependency-version: 0.29.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    
    * fix(ecc2): switch ratatui feature to crossterm_0_29
    
    Keep a single crossterm version in the tree after the 0.29 bump;
    with crossterm_0_28 the lockfile carried both 0.28.1 and 0.29.0.
    
    ---------
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Affaan Mustafa <me@affaanmustafa.com>
  • fix(assets): replace hero brand mark with website coral circuit mark (#2232)
    * fix(assets): replace hero brand mark with website coral circuit mark
    
    The top-left mark in the hero banner was the assets/ecc-icon.svg double-E
    lettermark, not the actual brand logo. Swap in the coral vector circuit
    mark from the ECC-website header (src/styles/brandMarks.ts), keeping the
    ~70px footprint, the soft coral glow, and every other element identical.
    PNG re-rendered at 2400x1350 via sharp with palette compression.
    
    * docs: sync skill count to 262 across catalog surfaces
    
    catalog:check was failing on main after config-gc (#2216) landed without
    a count bump. Ran npm run catalog:sync.
  • fix(ecc2): port webhook sender to ureq 3 Agent API (#2231)
    #2209 bumped ureq to 3.x but the AgentBuilder-based webhook sender
    was not ported (branch update raced the merge). ureq 3 replaces
    AgentBuilder with Agent::config_builder(); timeouts are Option-wrapped
    and status() returns http::StatusCode.
  • chore(deps): bump ureq from 2.12.1 to 3.3.0 in /ecc2 (#2209)
    Bumps [ureq](https://github.com/algesten/ureq) from 2.12.1 to 3.3.0.
    - [Changelog](https://github.com/algesten/ureq/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/algesten/ureq/compare/2.12.1...3.3.0)
    
    ---
    updated-dependencies:
    - dependency-name: ureq
      dependency-version: 3.3.0
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • docs: sync skill count to 262 after config-gc skill landed (#2230)
    npm run catalog:sync — #2216 added skills/config-gc without bumping
    documented counts, leaving catalog:check (and npm test) red on main.
  • chore(deps): bump sha2 from 0.10.9 to 0.11.0 in /ecc2 (#2208)
    * chore(deps): bump sha2 from 0.10.9 to 0.11.0 in /ecc2
    
    Bumps [sha2](https://github.com/RustCrypto/hashes) from 0.10.9 to 0.11.0.
    - [Commits](https://github.com/RustCrypto/hashes/compare/sha2-v0.10.9...sha2-v0.11.0)
    
    ---
    updated-dependencies:
    - dependency-name: sha2
      dependency-version: 0.11.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    
    * fix(ecc2): hex-encode sha2 0.11 digest output manually
    
    sha2 0.11 (digest 0.11 / hybrid-array) output arrays no longer
    implement LowerHex, so format the fingerprint bytes directly.
    
    ---------
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Affaan Mustafa <me@affaanmustafa.com>
  • docs: restore hero banner with ECC wordmark, v2.0.0 badge, and brand lettermark (#2229)
    Recreates the v1.10 hero banner design (sourced from commit 602894ef)
    that PR #2225 replaced with a plain HTML header:
    
    - Wordmark and breadcrumb now read ECC / affaan-m/ECC
    - Version badge reads v2.0.0 · Jun 2026, eyebrow updated to V2.0
    - Top-left mark is the actual assets/ecc-icon.svg lettermark (amber E,
      coral CC) instead of a generic coral square
    - Catalog columns refreshed with live counts (261 skills, 64 agents,
      84 commands, 409 catalog) and real item names from the repo
    - Harness pills updated to the current README list (Claude Code, Codex,
      Cursor, OpenCode, Gemini, Zed, Copilot)
    - SVG source committed as assets/hero.svg so future edits never need
      image archaeology; rendered to PNG at 2400x1350 via sharp
    
    README hero line restored to the markdown image; badges, sponsor table,
    and guide cards from #2225 kept intact.
  • docs(zh-CN): translate ecc-guide and parallel-execution-optimizer skills (#2217)
    * docs(zh-CN): translate ecc-guide and parallel-execution-optimizer skills
    
    Adds Simplified Chinese translations for two untranslated skills,
    following the existing docs/zh-CN/skills/ conventions (frontmatter
    name/origin preserved, code blocks and output templates kept in
    English, prose fully translated).
    
    Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
    
    * docs(zh-CN): polish two phrasings per review
    
    Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
    
    ---------
    
    Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
  • feat(skills): add config-gc skill (#2216)
    * feat(skills): add config-gc skill
    
    Garbage collection for Claude Code configuration sprawl: 8 scan
    channels (skills, memory, hooks, permissions, MCP, reminders,
    project history, caches), confirm-each-deletion human-in-the-loop,
    soft-delete with undo log. Subtractive counterpart to
    workspace-surface-audit and configure-ecc.
    
    Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
    
    * fix(skills): address review feedback on config-gc
    
    - Replace invalid comment-out strategy for JSON permission files with
      backup + gc_log entry + jq array removal (cubic P1)
    - Swap GNU-only find -printf for portable du -k (works on macOS/BSD)
    - Capture gc date once into a variable so trash dir and undo log agree
    - Simplify shadowed-permission detection with jq index() guard
    
    Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
    
    ---------
    
    Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
  • docs(zh-CN): add Chinese translation of SKILL-DEVELOPMENT-GUIDE (#2200)
    * docs(zh-CN): add Chinese translation of SKILL-DEVELOPMENT-GUIDE
    
    Translate the comprehensive Skill Development Guide to Chinese,
    enabling Chinese-speaking contributors to learn how to create
    effective ECC skills.
    
    * fix(docs): correct all relative links in zh-CN translation
    
    Fix CONTRIBUTING.md link to zh-CN local copy, and skills links
    to point to repo-root skills/ directory instead of non-existent
    docs/skills/.
    
    ---------
    
    Co-authored-by: lege962 <1515808962@qq.com>
    Co-authored-by: legeZZZ <277193585+legeZZZ@users.noreply.github.com>
  • chore: pin rust toolchain to 1.96 for edition2024 deps (#2228)
    - add ecc2/rust-toolchain.toml pinning stable 1.96 (deps now require
      edition2024, which needs rustc 1.85+; local 1.84 could no longer build)
    - make git test fixtures hermetic: disable core.hooksPath inside temp
      repos so global identity-checking pre-push hooks cannot fail tests
  • fix: stability batch — hook stdin truncation, Codex exa TOML, Stop hook JSON, GateGuard repetition (#2227)
    * fix(hooks): fail open on oversized stdin instead of echoing truncated JSON (#2222)
    
    run-with-flags.js capped stdin at 1MB but every fallthrough path still
    echoed the truncated string to stdout. The harness parses hook stdout as
    JSON, got a document cut mid-stream, and blocked the tool call — so any
    Edit/Write with a >1MB hook payload was permanently blocked by every
    registered pre-write hook, before ECC_HOOK_PROFILE / ECC_DISABLED_HOOKS
    gating could run.
    
    - Exit 0 with empty stdout (no opinion) when the stdin cap trips, before
      any echo or gating logic.
    - Flush stdout via write callback before process.exit: exiting right
      after stdout.write() dropped everything past the ~64KB pipe buffer,
      cutting even sub-cap pass-through payloads mid-JSON.
    
    Regression tests cover the enabled, disabled, and missing-arg paths for
    oversized payloads plus full echo of sub-cap >64KB payloads.
    
    * fix(codex): stop emitting invalid exa url entry, align merge with connector policy (#2224)
    
    The Codex MCP merge declared exa with a url key, but Codex's
    [mcp_servers.*] TOML schema is stdio-only — the url key makes the
    entire config.toml fail to load, bricking both the codex CLI and the
    desktop app. Every install/update re-injected the line because the
    urlEntry branch treated the broken entry as present.
    
    - ECC_SERVERS now emits only the current default set per
      docs/MCP-CONNECTOR-POLICY.md: chrome-devtools (stdio, command/args).
      Retired servers (supabase, playwright, context7, exa, github, memory,
      sequential-thinking) are never re-emitted; existing user-managed
      entries are untouched.
    - The merge now repairs the exact ECC-emitted broken form (url-only
      exa entry) on every run so re-running the installer fixes broken
      configs instead of preserving them. User stdio exa entries
      (command + mcp-remote) are left alone.
    - check-codex-global-state.sh requires chrome-devtools instead of the
      retired set, and flags url-only exa entries with a repair hint.
    
    Tests cover repair, re-run idempotence, stdio-entry preservation, and
    no-retired-server emission in add, update, dry-run, and disabled modes.
    
    * fix(hooks): never echo truncated stdin from Stop hooks (#2090)
    
    Stop hooks follow the ECC pass-through convention (echo stdin on
    stdout), but every echoing Stop hook capped stdin and echoed the capped
    string. The Stop payload carries last_assistant_message, so a long
    final assistant message produced a JSON document cut mid-stream on
    stdout, which the harness reports as 'Stop hook error: JSON validation
    failed' across the whole Stop chain.
    
    Reproduced: a Stop payload with a >64KB last_assistant_message run
    through run-with-flags + cost-tracker emitted exactly 65536 bytes of
    invalid JSON (cost-tracker capped stdin at 64KB — far below realistic
    Stop payloads).
    
    - cost-tracker: raise the cap to 1MB (matching all other hooks) and
      suppress the pass-through echo when stdin was truncated.
    - check-console-log, stop-format-typecheck, desktop-notify: suppress
      the echo when stdin was truncated; flush stdout before process.exit
      so sub-cap payloads are not cut at the ~64KB pipe buffer.
    - All hooks keep exiting 0 (fail-open); diagnostics go to stderr.
    
    New stop-hooks-stdout test asserts the contract for every registered
    Stop hook: stdout is empty or valid JSON, exit code 0 — for realistic
    100KB payloads and oversized >1MB payloads, via the production runner
    and via direct invocation. Updated the old hooks.test.js case that
    codified the truncated-echo behavior.
    
    * fix(hooks): dampen GateGuard fact-force repetition in long sessions (#2142)
    
    In long autonomous sessions the fact-force gate produced 10+
    near-identical 'state facts -> blocked -> restate -> retry' blocks in
    one context window, which measurably raises the odds of the model
    collapsing into a degenerate single-token repetition loop.
    
    - Track a per-session fact_force_denials counter in GateGuard state
      (merged max across concurrent writers, reset with the session, robust
      to malformed on-disk values).
    - The first GATEGUARD_FACT_FORCE_FULL_DENIALS denials (default 3) keep
      the full four-fact block; later denials emit a condensed single-line
      message that carries the denial ordinal, so consecutive denials are
      structurally different and never textually identical.
    - True retries of the same target remain allowed without re-prompting
      (unchanged). Destructive-Bash and routine-Bash gates are unchanged,
      as are the ECC_GATEGUARD=off / ECC_DISABLED_HOOKS escape hatches.
    
    Eight new tests cover budget counting, condensed format, ordinal
    advancement, retry pass-through, env tuning, malformed state, MultiEdit
    dampening, and destructive-gate exemption.
    
    * fix(hooks): keep security hooks able to block on oversized stdin (#2222)
    
    Refine the truncation fail-open: instead of skipping the hook entirely,
    the runner now suppresses only its own raw-echo when stdin was
    truncated. The hook still executes and receives the truncated flag
    (run() context / ECC_HOOK_INPUT_TRUNCATED), so config-protection keeps
    blocking truncated protected-config payloads (its test requires exit 2)
    while pass-through hooks fail open with empty stdout as before.
    
    * style: apply repo formatter to touched hook files
  • docs: restore on-brand ECC header, consolidate sponsor placement, make guide links visual (#2225)
    - Replace off-brand hero PNG (wrong product name + baked version) with a
      centered HTML header using assets/ecc-icon.svg, h1, and tagline
    - Consolidate duplicated sponsor sections: polished centered sponsor table
      at top (CodeRabbit, Greptile, community sponsors, sponsor links); bottom
      section reduced to a one-liner pointing to SPONSORS.md
    - Convert guide links to visual cards using the guides' own header images,
      linked to the local guide files
    - Fix broken tmux video URL in the shortform guide to the in-repo asset
  • chore(deps): bump the cargo-minor-and-patch group (#2207)
    Bumps the cargo-minor-and-patch group in /ecc2 with 8 updates:
    
    | Package | From | To |
    | --- | --- | --- |
    | [ratatui](https://github.com/ratatui/ratatui) | `0.30.0` | `0.30.1` |
    | [tokio](https://github.com/tokio-rs/tokio) | `1.50.0` | `1.52.3` |
    | [serde_json](https://github.com/serde-rs/json) | `1.0.149` | `1.0.150` |
    | [regex](https://github.com/rust-lang/regex) | `1.12.3` | `1.12.4` |
    | [clap](https://github.com/clap-rs/clap) | `4.6.0` | `4.6.1` |
    | [libc](https://github.com/rust-lang/libc) | `0.2.183` | `0.2.186` |
    | [chrono](https://github.com/chronotope/chrono) | `0.4.44` | `0.4.45` |
    | [uuid](https://github.com/uuid-rs/uuid) | `1.22.0` | `1.23.3` |
    
    
    Updates `ratatui` from 0.30.0 to 0.30.1
    - [Release notes](https://github.com/ratatui/ratatui/releases)
    - [Changelog](https://github.com/ratatui/ratatui/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/ratatui/ratatui/compare/ratatui-v0.30.0...ratatui-v0.30.1)
    
    Updates `tokio` from 1.50.0 to 1.52.3
    - [Release notes](https://github.com/tokio-rs/tokio/releases)
    - [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.50.0...tokio-1.52.3)
    
    Updates `serde_json` from 1.0.149 to 1.0.150
    - [Release notes](https://github.com/serde-rs/json/releases)
    - [Commits](https://github.com/serde-rs/json/compare/v1.0.149...v1.0.150)
    
    Updates `regex` from 1.12.3 to 1.12.4
    - [Release notes](https://github.com/rust-lang/regex/releases)
    - [Changelog](https://github.com/rust-lang/regex/blob/master/CHANGELOG.md)
    - [Commits](https://github.com/rust-lang/regex/compare/1.12.3...1.12.4)
    
    Updates `clap` from 4.6.0 to 4.6.1
    - [Release notes](https://github.com/clap-rs/clap/releases)
    - [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
    - [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.6.0...clap_complete-v4.6.1)
    
    Updates `libc` from 0.2.183 to 0.2.186
    - [Release notes](https://github.com/rust-lang/libc/releases)
    - [Changelog](https://github.com/rust-lang/libc/blob/0.2.186/CHANGELOG.md)
    - [Commits](https://github.com/rust-lang/libc/compare/0.2.183...0.2.186)
    
    Updates `chrono` from 0.4.44 to 0.4.45
    - [Release notes](https://github.com/chronotope/chrono/releases)
    - [Changelog](https://github.com/chronotope/chrono/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/chronotope/chrono/compare/v0.4.44...v0.4.45)
    
    Updates `uuid` from 1.22.0 to 1.23.3
    - [Release notes](https://github.com/uuid-rs/uuid/releases)
    - [Commits](https://github.com/uuid-rs/uuid/compare/v1.22.0...v1.23.3)
    
    ---
    updated-dependencies:
    - dependency-name: ratatui
      dependency-version: 0.30.1
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: cargo-minor-and-patch
    - dependency-name: tokio
      dependency-version: 1.52.3
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: cargo-minor-and-patch
    - dependency-name: serde_json
      dependency-version: 1.0.150
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: cargo-minor-and-patch
    - dependency-name: regex
      dependency-version: 1.12.4
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: cargo-minor-and-patch
    - dependency-name: clap
      dependency-version: 4.6.1
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: cargo-minor-and-patch
    - dependency-name: libc
      dependency-version: 0.2.186
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: cargo-minor-and-patch
    - dependency-name: chrono
      dependency-version: 0.4.45
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: cargo-minor-and-patch
    - dependency-name: uuid
      dependency-version: 1.23.3
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: cargo-minor-and-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • chore(deps-dev): bump the npm-minor-and-patch group across 1 directory with 2 updates (#2205)
    Bumps the npm-minor-and-patch group with 2 updates in the / directory: @opencode-ai/plugin and [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node).
    
    
    Updates `@opencode-ai/plugin` from 1.15.3 to 1.16.2
    
    Updates `@types/node` from 25.7.0 to 25.9.2
    - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
    - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)
    
    ---
    updated-dependencies:
    - dependency-name: "@opencode-ai/plugin"
      dependency-version: 1.16.2
      dependency-type: direct:development
      update-type: version-update:semver-minor
      dependency-group: npm-minor-and-patch
    - dependency-name: "@types/node"
      dependency-version: 25.9.2
      dependency-type: direct:development
      update-type: version-update:semver-minor
      dependency-group: npm-minor-and-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • chore(deps): bump actions/setup-node (#2204)
    Bumps the actions-minor-and-patch group with 1 update in the / directory: [actions/setup-node](https://github.com/actions/setup-node).
    
    
    Updates `actions/setup-node` from 6.3.0 to 6.4.0
    - [Release notes](https://github.com/actions/setup-node/releases)
    - [Commits](https://github.com/actions/setup-node/compare/53b83947a5a98c8d113130e565377fae1a50d02f...48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e)
    
    ---
    updated-dependencies:
    - dependency-name: actions/setup-node
      dependency-version: 6.4.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: actions-minor-and-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • feat(mcp): single-connector default set + connector policy (#2219)
    Reduce the default .mcp.json to one connector (chrome-devtools) per the
    new policy in docs/MCP-CONNECTOR-POLICY.md: a default earns its slot only
    if it is universal AND MCP beats a CLI/API wrapped in a skill. June 2026
    audit verdicts: github -> gh via github-ops skill; context7 -> REST via
    documentation-lookup; exa -> harness-native search (+ exa-search skill);
    memory -> native harness memory + instincts; playwright -> playwright CLI
    skills (vendor moved agent flows off MCP); sequential-thinking -> native
    extended thinking. All six remain opt-in in mcp-configs/mcp-servers.json.
    Tests updated: plugin-manifest policy assertions + install-apply Cursor
    expectations.
    
    Co-authored-by: ECC Test <ecc@example.test>
  • release: 2.0.0 — the agent harness operating system
    Graduate 2.0.0-rc.1 to stable. Bump version across package, plugin,
    marketplace, OpenCode, agent metadata, VERSION, and all localized docs.
    Add 2.0.0 release notes + README sections (en/zh/pt-BR/tr), CHANGELOG
    entry, and the ECC community Discord bot (dependency-free gateway client
    + guild command registrar). Update copilot-support and release-surface
    tests for the sponsored-review migration and the 2.0.0 surface.
  • feat(discord): release -> #announcements auto-post + pin + GitHub Discussions (#2201)
    On a published GitHub release, post the notes to the ECC Discord
    #announcements channel (via bot), pin it, and cross-post to GitHub
    Discussions (Announcements category). Release data flows through env vars
    (no shell interpolation of untrusted input). Secrets: DISCORD_BOT_TOKEN,
    DISCORD_ANNOUNCE_CHANNEL_ID (repo secrets), GITHUB_TOKEN.
    
    Ties the 2.0.0/1.11.0 official release to the community launch.
    
    Co-authored-by: ECC Test <ecc@example.test>
  • feat: add orch-* orchestrator skill family (#2153)
    * feat: add orch-* orchestrator skill family
    
    Lightweight wrappers that orchestrate existing ECC agents through a gated Research -> Plan -> TDD -> Review -> Commit pipeline, right-sized per task.
    
    - orch-pipeline: shared engine (phases, size classifier, two gates, agent map)
    - orch-add-feature/change-feature/fix-defect/refine-code/build-mvp: thin wrappers delegating to the engine
    
    * chore: register orch-* family in catalog, command registry, and agent.yaml (post-rebase onto green main)
    
    ---------
    
    Co-authored-by: ECC Test <ecc@example.test>
  • fix: make plugin hooks run on Node 21+ and green the suite under modern Node (#2184)
    ROOT CAUSE: hooks load plugin-hook-bootstrap.js via
    `node -e "...; process.argv.splice(1,0,s); require(s)"`. On Node 21+,
    require.main is `undefined` under --eval, so the `if (require.main === module)`
    guard was false and main() never ran — every plugin hook silently no-op'd
    (e.g. the MCP-health PreToolUse hook stopped blocking). CI (Node 18/20) hid
    this; it only surfaces on Node 21+. Fix: also run main() when require.main is
    undefined (the eval-bootstrap case), while staying dormant on real imports.
    
    Also clears pre-existing main debt the full local suite enforces:
    - catalog:sync — README/docs agent+skill counts drifted after recent merges
    - tests/ci/supply-chain-watch-workflow: update checkout SHA to the merged v6.0.3 (#2183)
    - markdownlint + check-unicode-safety --write across docs/skills
    
    Suite: 2683/2683 green under Node v25; lint + unicode clean.
    
    Co-authored-by: ECC Test <ecc@example.test>
  • feat(skills): add laravel-security, laravel-tdd, and php-reviewer agent (#2122)
    * feat(skills): add laravel-security, laravel-tdd, and php-reviewer agent
    
    * fix: resolve code review findings across laravel-security, laravel-tdd, and php-reviewer
    
    - laravel-security: replace env() with config() in runtime code,
      replace wildcard trusted proxies with CIDR ranges, remove blanket
      api/* CSRF exclusion, fix validated() return type, add null-safe
      rate limiter user access, sync mimes/extensions allowlists,
      replace #[Encrypted] with ShouldBeEncrypted, fix RateLimited args
    - laravel-tdd: remove global withoutExceptionHandling() from setUp,
      remove contradictory assertNothingOutgoing(), fix undefined
      variable, replace invalid PHPUnit --min-coverage flag
    - php-reviewer: fix Python contamination, add automated check
      requirement to approval criteria
    
    * fix: align php-reviewer approval criteria and use config dot-notation keys
    
    - agents/php-reviewer.md: sync approval criteria with .txt file version
      (add automated checks requirement for consistency across harnesses)
    - skills/laravel-security/SKILL.md: replace raw env names with proper
      Laravel dot-notation config keys (app.key, services.stripe.*, etc.)
      so config() returns valid values instead of null
    
    * fix: remove unnecessary secret validation for SMTP password
  • docs: fix renamed-repo links, drop stale assessment artifacts (#2058)
    CONTRIBUTING.md still pointed at the old `affaan-m/everything-claude-code`
    repo URL in the Quick Start fork instructions and in the Issues link at
    the bottom. Both relied on GitHub's silent rename-redirect, but the
    literal `cd everything-claude-code` after `gh repo fork` would land in
    the wrong directory now that the repo is `affaan-m/ECC`.
    
    REPO-ASSESSMENT.md and EVALUATION.md were both 2026-03-21 personal
    fork-audit artifacts written from one user's specific install. They
    describe the project as a fork at `Infiniteyieldai/everything-claude-code`
    v1.9.0 with 28 agents / 116 skills / 59 commands and pin the recommended
    mode at "use as upstream tracker". None of that is true anymore (this
    IS the upstream, v2.0.0-rc.1, currently 61 / 246 / 76). EVALUATION.md in
    particular still references a defunct branch (`claude/evaluate-repo-comparison-ASZ9Y`)
    and describes a "Current Setup" of zero installed components as if it
    were universal, which it is not.
    
    Neither file is referenced by anything else in the repo (`rg` confirmed)
    and they actively mislead new contributors and visitors. Delete both.
    
    A targeted line-by-line refresh of EVALUATION.md was considered but
    rejected: bringing only the totals up to date (61/246/76) would leave
    the rest of the document — v1.9.0 references, branch metadata, the
    zero-component "Current Setup" — internally inconsistent (CodeRabbit
    flagged this on the first revision of this PR). Wholesale removal is
    the honest fix.
    
    Translated copies (e.g. docs/pt-BR/README.md still has the 28/116/59
    numbers) are intentionally left for a follow-up i18n PR to keep this
    diff small.
  • fix(commands): resolve active plugin root in /instinct-status (#2037) (#2059)
    The `/instinct-status` slash command template expanded
    `${CLAUDE_PLUGIN_ROOT}` directly and documented a manual-install
    fallback to `~/.claude/skills/continuous-learning-v2/scripts/instinct-cli.py`.
    When users had both an active plugin install (under
    `~/.claude/plugins/cache/<slug>/<org>/<version>/`) and a legacy
    `~/.claude/skills/continuous-learning-v2/` directory left over from a
    previous manual install, an empty `CLAUDE_PLUGIN_ROOT` (which Claude
    Code does not always populate in slash-command shell contexts) silently
    made the command read the stale legacy install while the active plugin
    hooks and observer wrote to the new XDG path. The user saw "No
    instincts found" while the system was actively learning — exactly the
    divergence the bug reporter spent hours diagnosing.
    
    Replace the brittle two-block template with the same inline resolver
    pattern that `hooks/hooks.json` and `/sessions` / `/skill-health`
    already use: env var → standard install → known plugin roots → plugin
    cache walk → fallback. The resolver is the canonical `INLINE_RESOLVE`
    constant from `scripts/lib/resolve-ecc-root.js`, so no new code is
    introduced — just consistent adoption of the existing pattern.
    
    Apply the same fix to all five copies of the command:
      - commands/instinct-status.md (canonical)
      - .opencode/commands/instinct-status.md
      - docs/zh-CN/commands/instinct-status.md
      - docs/ja-JP/commands/instinct-status.md
      - docs/tr/commands/instinct-status.md
    
    Extend tests/lib/command-plugin-root.test.js with an assertion that the
    canonical instinct-status.md uses the inline resolver and no longer
    hard-codes the legacy `~/.claude/skills/...` fallback (regression
    guard).
    
    zh-CN copy: polish the Chinese phrasing per LanguageTool feedback
    (`使用与 ... 相同的解析器` → `以与 ... 相同的解析器`) so the verb is
    introduced by an explicit preposition instead of reading as an awkward
    verb-object construction.
  • docs: add Urdu (ur) README translation (#2061)
    * docs: add Urdu (ur) README translation
    
    Adds docs/ur/README.md — a full Urdu translation of the main README.
    Urdu is spoken by 230M+ people globally, with a large developer community
    in Pakistan. This follows the same structure as existing translations
    (de-DE, ja-JP, ko-KR, etc.).
    
    * docs(ur): sync install catalog counts with current repo metadata
    
    The Urdu README stated 60 agents / 232 skills / 75 legacy command shims, but the current repo metadata and English README use 61 / 246 / 76. Update to match so Urdu users following the install guide do not see a verification mismatch (flagged in review).
    
    Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
    
    ---------
    
    Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
  • feat: Cursor-independent ECC memory via ECC_AGENT_DATA_HOME (#2066)
    * feat: auto-isolate ECC memory data for Cursor via ECC_AGENT_DATA_HOME
    
    Add ECC_AGENT_DATA_HOME (defaults to ~/.claude) with Cursor-aware resolution,
    sessionStart env injection, install scaffolds, and hook bootstrap so memory
    hooks do not collide with Claude Code when both harnesses are used.
    
    Closes #2065
    
    Co-authored-by: Cursor <cursoragent@cursor.com>
    
    * fix: log agent-data config errors and ship cursor sessionStart deps
    
    Address CodeRabbit review: log invalid .cursor/ecc-agent-data.json parse
    failures, and copy cursor-session-env.js plus lib deps on legacy Cursor
    install so sessionStart hook path exists without hooks-runtime alone.
    
    Co-authored-by: Cursor <cursoragent@cursor.com>
    
    * fix: resolve relative agentDataHome paths from project root
    
    Project config values like ".ecc-data" now resolve against the
    repository root (parent of .cursor/), not process.cwd(), so Cursor
    hooks persist memory in the intended directory regardless of hook cwd.
    
    Addresses cubic review on PR #2066.
    
    Co-authored-by: Cursor <cursoragent@cursor.com>
    
    * docs: explain getHomeDir duplicate and docstring policy
    
    Document why agent-data-home keeps a local home-dir helper (circular
    require with utils.js) and list consolidation options for maintainers.
    Note that CodeRabbit JSDoc coverage warnings are informational relative
    to ECC's usual script documentation style.
    
    Addresses cubic P2 context on PR #2066.
    
    Co-authored-by: Cursor <cursoragent@cursor.com>
    
    * test: isolate agent-data-home tests from dogfooded .cursor config
    
    Use isolated temp cwd for default-resolution cases and assert
    resolveAgentDataHome({ projectDir }) reads ecc-agent-data.json.
    Document cwd/project caveats in the test file header.
    
    Co-authored-by: Cursor <cursoragent@cursor.com>
    
    ---------
    
    Co-authored-by: Cursor <cursoragent@cursor.com>
  • fix(docs): sync marketplace add URL across translated READMEs (#2050) (#2068)
    PR #2050 updated the root README.zh-CN.md install commands after the
    everything-claude-code → ECC rename, but the same stale marketplace URL
    remained in nine docs/<locale>/README.md copies. Align those quick-start
    and self-hosted install blocks so /plugin install ecc@ecc resolves the
    ecc marketplace instead of everything-claude-code.
  • feat(skills): add codehealth-mcp skill and CodeScene MCP config (#2077)
    * feat(skills): add codehealth-mcp skill and CodeScene MCP config
    
    * docs(skills): add When to Use, How It Works, and Examples sections
    
    * docs(skills): clarify MCP opt-in, data boundaries, and offline behavior
    
    Address security review on PR #2077: no bundled credentials, document what
    tools read locally, failure behavior when MCP is unavailable, and README
    wording that Code Health MCP is optional and not enabled by default.
    
    Co-authored-by: Cursor <cursoragent@cursor.com>
    
    ---------
    
    Co-authored-by: adnasalk-notus <adna.salkovic@notus.hr>
    Co-authored-by: Cursor <cursoragent@cursor.com>
  • feat(mcp): add parallel-search server catalog entry (#2085)
    * feat(mcp): add parallel-search server catalog entry
    
    * fix(mcp): drop placeholder Bearer header from parallel-search entry
    
    The /mcp endpoint accepts anonymous requests by default; baking in a
    placeholder "Authorization: Bearer YOUR_PARALLEL_API_KEY_HERE" header
    breaks the key-free default for users who copy the entry verbatim.
    Move the optional API-key guidance into the description instead.
  • fix(context-monitor): make cost warnings informational, not commands (#2091)
    The PostToolUse cost warnings emit imperative text via additionalContext
    ("Stop and inform the user...", "Review whether...", "Consider whether...").
    Subagents read additionalContext as an instruction and obey the "Stop",
    abandoning their task and returning a prompt-for-direction instead of their
    result — derailing multi-agent workflows. The main loop is also nudged to
    halt mid-task.
    
    Reword all three severities to pure-informational data: keep the
    CRITICAL/WARNING/NOTICE label + the dollar figure (and the threshold), drop
    the imperative sentence, and state plainly it is informational. No logic,
    severity, or threshold change. Existing tests pass (they assert the labels +
    severities, which are preserved).
    
    Before: `COST CRITICAL: Session cost is $X. Stop and inform the user about high cost before continuing.`
    After:  `COST CRITICAL: session total ~$X (over $50). Informational only — not an instruction to stop.`
    
    Co-authored-by: OrenG Tools <tools@orengacademy.com>
  • feat: add intent-driven-development skill (#2092)
    * feat: add intent-driven-development skill
    
    Converts ambiguous feature or engineering requests into scoped,
    verifiable acceptance criteria before implementation starts.
    
    - Chooses between Quick Capture (low/moderate risk) and Full
      Acceptance Brief (security, data, migration, cross-system changes)
    - Reads repo context before asking questions; only asks what cannot
      be inferred
    - Non-blocking by default: records criteria and proceeds unless a
      real risk requires confirmation
    - Rule 9: when an AC fails mid-implementation due to architectural
      constraints, marks it [revised], updates scope/verification method,
      and re-presents only changed criteria rather than silently dropping
    - Output template includes Revision Log for traceability across
      multiple implementation cycles
    
    * fix: add canonical When to Activate, How It Works, and Examples sections
    
    Required for auto-activation mechanism detection per CONTRIBUTING.md
    and existing skill conventions. Sections inserted after the intro
    and before Operating Rules.
    
    * fix: strengthen intent-driven-development skill per review
    
    Address skill-quality review feedback on the intent-driven-development PR:
    
    - Business/product constraints: add Operating Rule 2 forbidding inference
      of business rules, compliance/SLAs, pricing, retention, prioritization,
      and target users from code; surface the technical-vs-business split in
      How It Works, Discover Context, and a dedicated 'supplied, not inferred'
      section in the brief template.
    - Eval-style pass/fail: add a Pass/Fail Examples section (failing vs
      passing AC, plus a misplaced business-rule context entry) and a 5-point
      Pass/Fail Rubric users can apply to the output.
    - Renumber Operating Rules 1-10 accordingly; markdownlint clean.