Commit Graph

724 Commits

  • docs: add SECURITY.md, publish agentic security guide, remove openclaw guide
    - Add SECURITY.md with vulnerability reporting policy
    - Publish "The Shorthand Guide to Everything Agentic Security" with attack
      vectors, sandboxing, sanitization, CVEs, and AgentShield coverage
    - Add security guide to README guides section (3-column layout)
    - Remove unpublished openclaw guide
    - Copy security article images to assets/images/security/
  • feat(agents): add flutter-reviewer agent and skill (#716)
    Library-agnostic Flutter/Dart code reviewer that adapts to the project's
    chosen state management solution (BLoC, Riverpod, Provider, GetX, MobX,
    Signals) and architecture pattern (Clean Architecture, MVVM, feature-first).
    
    Co-authored-by: Maciej Starosielec <maciej@code-snap.com>
    Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
  • fix: codex sync merges AGENTS.md instead of replacing it (#715)
    The sync script previously overwrote ~/.codex/AGENTS.md on every run,
    destroying any user-authored content. This adds marker-based merging
    (<!-- BEGIN ECC --> / <!-- END ECC -->) so only the ECC-managed section
    is replaced on subsequent runs, preserving user content outside the
    markers.
    
    Merge logic:
    - No file → create with markers
    - Both markers present (ordered, CRLF-safe) → replace only the ECC section
    - BEGIN without END (corrupted) → full replace (backup saved)
    - No markers at all → append ECC block (preserves existing content)
    
    Also fixes:
    - Symlink preservation: uses cat > instead of mv to write through symlinks
    - CRLF handling: strips \r in marker detection to handle Windows-edited files
    - Marker ordering: validates BEGIN appears before END, not just that both exist
    
    The legacy heading-match heuristic was intentionally removed per council
    review: any unmarked file is either user-authored (append is safe) or
    legacy ECC-generated (duplicates once, deduplicates on next run via
    markers). A timestamped backup is always saved before any mutation.
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-authored-by: Claude <noreply@anthropic.com>
    Co-authored-by: Happy <yesreply@happy.engineering>
  • feat(rules): add C# language support (#704)
    * feat(rules): add C# language support
    
    * feat: add everything-claude-code ECC bundle (#705)
    
    * feat: add everything-claude-code ECC bundle (.claude/ecc-tools.json)
    
    * feat: add everything-claude-code ECC bundle (.claude/skills/everything-claude-code/SKILL.md)
    
    * feat: add everything-claude-code ECC bundle (.agents/skills/everything-claude-code/SKILL.md)
    
    * feat: add everything-claude-code ECC bundle (.agents/skills/everything-claude-code/agents/openai.yaml)
    
    * feat: add everything-claude-code ECC bundle (.claude/identity.json)
    
    * feat: add everything-claude-code ECC bundle (.codex/agents/explorer.toml)
    
    * feat: add everything-claude-code ECC bundle (.codex/agents/reviewer.toml)
    
    * feat: add everything-claude-code ECC bundle (.codex/agents/docs-researcher.toml)
    
    * feat: add everything-claude-code ECC bundle (.claude/rules/everything-claude-code-guardrails.md)
    
    * feat: add everything-claude-code ECC bundle (.claude/research/everything-claude-code-research-playbook.md)
    
    * feat: add everything-claude-code ECC bundle (.claude/team/everything-claude-code-team-config.json)
    
    * feat: add everything-claude-code ECC bundle (.claude/enterprise/controls.md)
    
    * feat: add everything-claude-code ECC bundle (.claude/commands/database-migration.md)
    
    * feat: add everything-claude-code ECC bundle (.claude/commands/feature-development.md)
    
    * feat: add everything-claude-code ECC bundle (.claude/commands/add-language-rules.md)
    
    ---------
    
    Co-authored-by: ecc-tools[bot] <257055122+ecc-tools[bot]@users.noreply.github.com>
    
    * ci: retrigger
    
    ---------
    
    Co-authored-by: ecc-tools[bot] <257055122+ecc-tools[bot]@users.noreply.github.com>
  • feat: agent description compression with lazy loading (#696)
    * feat: add agent description compression with lazy loading (#491)
    
    Agent descriptions consume ~26k tokens (121KB across 27 agents). This adds
    a compression library with three modes:
    - catalog: metadata only (~2-3k tokens) for agent selection
    - summary: metadata + first paragraph (~4-5k tokens) for routing
    - full: no compression, for when agent is invoked
    
    Includes lazy-load function to fetch full agent body on demand.
    21 tests covering parsing, compression, filtering, and real agents dir.
    
    * fix: update JSDoc to include all stats fields in buildAgentCatalog
    
    Add compressedBytes and mode to the documented return type, matching
    the actual implementation.
  • fix(tests): resolve Windows CI test failures (#701)
    * fix(tests): skip bash tests on Windows and fix USERPROFILE in resolve-ecc-root
    
    - hooks.test.js: add SKIP_BASH guard for 8 bash-dependent tests
      (detect-project.sh, observe.sh) while keeping 207 Node.js tests running
    - resolve-ecc-root.test.js: add USERPROFILE to env overrides in 2
      INLINE_RESOLVE tests so os.homedir() resolves correctly on Windows
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    Co-Authored-By: Happy <yesreply@happy.engineering>
    
    * fix(tests): handle BOM in shebang stripping and skip worktree tests on Windows
    
    - validators.test.js: replace regex stripShebang with character-code
      approach that handles UTF-8 BOM before shebang line
    - detect-project-worktree.test.js: skip entire file on Windows since
      tests invoke bash scripts directly
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    Co-Authored-By: Happy <yesreply@happy.engineering>
    
    ---------
    
    Co-authored-by: Claude <noreply@anthropic.com>
    Co-authored-by: Happy <yesreply@happy.engineering>
  • fix: resolve ESLint errors and add npx command support in hook tests
    Remove unused loadInstallManifests import and prefix unused result
    variable with underscore in selective-install tests. Add npx as an
    approved command prefix in hook validation tests.
  • feat: add block-no-verify hook for Claude Code and Cursor (#649)
    Adds npx block-no-verify@1.1.2 as a PreToolUse Bash hook in hooks/hooks.json
    and a beforeShellExecution hook in .cursor/hooks.json to prevent AI agents
    from bypassing git hooks via the hook-bypass flag.
    
    This closes the last enforcement gap in the ECC security stack — the bypass
    flag silently skips pre-commit, commit-msg, and pre-push hooks.
    
    Closes #648
    
    Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
  • feat(skills): add rules-distill skill (rebased #561) (#678)
    * feat(skills): add rules-distill — extract cross-cutting principles from skills into rules
    
    Applies the skill-stocktake pattern to rules maintenance:
    scan skills → extract shared principles → propose rule changes.
    
    Key design decisions:
    - Deterministic collection (scan scripts) + LLM judgment (cross-read & verdict)
    - 6 verdict types: Append, Revise, New Section, New File, Already Covered, Too Specific
    - Anti-abstraction safeguard: 2+ skills evidence, actionable behavior test, violation risk
    - Rules full text passed to LLM (no grep pre-filter) for accurate matching
    - Never modifies rules automatically — always requires user approval
    
    * fix(skills): address review feedback for rules-distill
    
    Fixes raised by CodeRabbit, Greptile, and cubic:
    
    - Add Prerequisites section documenting skill-stocktake dependency
    - Add fallback command when skill-stocktake is not installed
    - Fix shell quoting: add IFS= and -r to while-read loops
    - Replace hardcoded paths with env var placeholders ($CLAUDE_RULES_DIR, $SKILL_STOCKTAKE_DIR)
    - Add json language identifier to code blocks
    - Add "How It Works" parent heading for Phase 1/2/3
    - Add "Example" section with end-to-end run output
    - Add revision.reason/before/after fields to output schema for Revise verdict
    - Document timestamp format (date -u +%Y-%m-%dT%H:%M:%SZ)
    - Document candidate-id format (kebab-case from principle)
    - Use concrete examples in results.json schema
    
    * fix(skills): remove skill-stocktake dependency, add self-contained scripts
    
    Address P1 review feedback:
    - Add scan-skills.sh and scan-rules.sh directly in rules-distill/scripts/
      (no external dependency on skill-stocktake)
    - Remove Prerequisites section (no longer needed)
    - Add cross-batch merge step to prevent 2+ skills requirement
      from being silently broken across batch boundaries
    - Fix nested triple-backtick fences (use quadruple backticks)
    - Remove head -100 cap (silent truncation)
    - Rename "When to Activate" → "When to Use" (ECC standard)
    - Remove unnecessary env var placeholders (SKILL.md is a prompt, not a script)
    
    * fix: update skill/command counts in README.md and AGENTS.md
    
    rules-distill added 1 skill + 1 command:
    - skills: 108 → 109
    - commands: 57 → 58
    
    Updates all count references to pass CI catalog validation.
    
    * fix(skills): address Servitor review feedback for rules-distill
    
    1. Rename SKILL_STOCKTAKE_* env vars to RULES_DISTILL_* for consistency
    2. Remove unnecessary observation counting (use_7d/use_30d) from scan-skills.sh
    3. Fix header comment: scan.sh → scan-skills.sh
    4. Use jq for JSON construction in scan-rules.sh to properly escape
       headings containing special characters (", \)
    
    * fix(skills): address CodeRabbit review — portability and scan scope
    
    1. scan-rules.sh: use jq for error JSON output (proper escaping)
    2. scan-rules.sh: replace GNU-only sort -z with portable sort (BSD compat)
    3. scan-rules.sh: fix pipefail crash on files without H2 headings
    4. scan-skills.sh: scan only SKILL.md files (skip learned/*.md and
       auxiliary docs that lack frontmatter)
    5. scan-skills.sh: add portable get_mtime helper (GNU stat/date
       fallback to BSD stat/date)
    
    * fix: sync catalog counts with filesystem (27 agents, 114 skills, 59 commands)
    
    ---------
    
    Co-authored-by: Tatsuya Shimomoto <shimo4228@gmail.com>
  • chore(deps-dev): bump flatted (#675)
    Bumps the npm_and_yarn group with 1 update in the / directory: [flatted](https://github.com/WebReflection/flatted).
    
    
    Updates `flatted` from 3.3.3 to 3.4.2
    - [Commits](https://github.com/WebReflection/flatted/compare/v3.3.3...v3.4.2)
    
    ---
    updated-dependencies:
    - dependency-name: flatted
      dependency-version: 3.4.2
      dependency-type: indirect
      dependency-group: npm_and_yarn
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • fix: auto-detect ECC root from plugin cache when CLAUDE_PLUGIN_ROOT is unset (#547) (#691)
    When ECC is installed as a Claude Code plugin via the marketplace,
    scripts live in the plugin cache (~/.claude/plugins/cache/...) but
    commands fallback to ~/.claude/ which doesn't have the scripts.
    
    Add resolve-ecc-root.js with a 3-step fallback chain:
      1. CLAUDE_PLUGIN_ROOT env var (existing)
      2. Standard install at ~/.claude/ (existing)
      3. NEW: auto-scan the plugin cache directory
    
    Update sessions.md and skill-health.md commands to use the new
    inline resolver. Includes 15 tests covering all fallback paths
    including env var priority, standard install, cache discovery,
    and the compact INLINE_RESOLVE used in command .md files.
  • feat: agent compression, inspection logic, governance hooks (#491, #485, #482) (#688)
    Implements three roadmap features:
    
    - Agent description compression (#491): New `agent-compress` module with
      catalog/summary/full compression modes and lazy-loading. Reduces ~26k
      token agent descriptions to ~2-3k catalog entries for context efficiency.
    
    - Inspection logic (#485): New `inspection` module that detects recurring
      failure patterns in skill_runs. Groups by skill + normalized failure
      reason, generates structured reports with suggested remediation actions.
      Configurable threshold (default: 3 failures).
    
    - Governance event capture hook (#482): PreToolUse/PostToolUse hook that
      detects secrets, policy violations, approval-required commands, and
      elevated privilege usage. Gated behind ECC_GOVERNANCE_CAPTURE=1 flag.
      Writes to governance_events table via JSON-line stderr output.
    
    59 new tests (16 + 16 + 27), all passing.
  • fix: strip ANSI escape codes from session persistence hooks (#642) (#684)
    Windows terminals emit control sequences (cursor movement, screen
    clearing) that leaked into session.tmp files and were injected
    verbatim into Claude's context on the next session start.
    
    Add a comprehensive stripAnsi() to utils.js that handles CSI, OSC,
    charset selection, and bare ESC sequences. Apply it in session-end.js
    (when extracting user messages from the transcript) and in
    session-start.js (safety net before injecting session content).
  • feat(rules): add Rust language rules (rebased #660) (#686)
    * feat(rules): add Rust coding style, hooks, and patterns rules
    
    Add language-specific rules for Rust extending the common rule set:
    - coding-style.md: rustfmt, clippy, ownership idioms, error handling,
      iterator patterns, module organization, visibility
    - hooks.md: PostToolUse hooks for rustfmt, clippy, cargo check
    - patterns.md: trait-based repository, newtype, enum state machines,
      builder, sealed traits, API response envelope
    
    Rules reference existing rust-patterns skill for deep content.
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    Co-Authored-By: Happy <yesreply@happy.engineering>
    
    * feat(rules): add Rust testing and security rules
    
    Add remaining Rust language-specific rules:
    - testing.md: cargo test, rstest parameterized tests, mockall mocking
      with mock! macro, tokio async tests, cargo-llvm-cov coverage
    - security.md: secrets via env vars, parameterized SQL with sqlx,
      parse-don't-validate input validation, unsafe code audit requirements,
      cargo-audit dependency scanning, proper HTTP error status codes
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    Co-Authored-By: Happy <yesreply@happy.engineering>
    
    * fix(rules): address review feedback on Rust rules
    
    Fixes from Copilot, Greptile, Cubic, and CodeRabbit reviews:
    - Add missing imports: use std::borrow::Cow, use anyhow::Context
    - Use anyhow::Result<T> consistently (patterns.md, security.md)
    - Change sqlx placeholder from ? to $1 (Postgres is most common)
    - Remove Cargo.lock from hooks.md paths (auto-generated file)
    - Fix tokio::test to show attribute form #[tokio::test]
    - Fix mockall mock! name collision, wrap in #[cfg(test)] mod tests
    - Fix --test target to match file layout (api_test, not integration)
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    Co-Authored-By: Happy <yesreply@happy.engineering>
    
    * fix: update catalog counts in README.md and AGENTS.md
    
    Update documented counts to match actual repository state after rebase:
    - Skills: 109 → 113 (new skills merged to main)
    - Commands: 57 → 58 (new command merged to main)
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    Co-Authored-By: Happy <yesreply@happy.engineering>
    
    ---------
    
    Co-authored-by: Chris Yau <chris@diveanddev.com>
    Co-authored-by: Claude <noreply@anthropic.com>
    Co-authored-by: Happy <yesreply@happy.engineering>
  • feat: implement --with/--without selective install flags (#679)
    Add agent: and skill: component families to the install component
    catalog, enabling fine-grained selective install via CLI flags:
    
      ecc install --profile developer --with lang:typescript --without capability:orchestration
      ecc install --with lang:python --with agent:security-reviewer
    
    Changes:
    - Add agent: family (9 entries) and skill: family (10 entries) to
      manifests/install-components.json for granular component addressing
    - Update install-components.schema.json to accept agent: and skill:
      family prefixes
    - Register agent and skill family prefixes in COMPONENT_FAMILY_PREFIXES
      (scripts/lib/install-manifests.js)
    - Add 41 comprehensive tests covering CLI parsing, request normalization,
      component catalog validation, plan resolution, target filtering,
      error handling, and end-to-end install with --with/--without flags
    
    Closes #470
  • chore: prepare v1.9.0 release (#666)
    - Bump version to 1.9.0 in package.json, package-lock.json, .opencode/package.json
    - Add v1.9.0 changelog with 212 commits covering selective install architecture,
      6 new agents, 15+ new skills, session/state infrastructure, observer fixes,
      12 language ecosystems, and community contributions
    - Update README with v1.9.0 release notes and complete agents tree (27 agents)
    - Add pytorch-build-resolver to AGENTS.md agent table
    - Update documentation counts to 27 agents, 109 skills, 57 commands
    - Update version references in zh-CN README
    - All 1421 tests passing, catalog counts verified
  • fix: resolve Windows CI failures and markdown lint (#667)
    - Replace node -e with temp file execution in validator tests to avoid
      Windows shebang parsing failures (node -e cannot handle scripts that
      originally contained #!/usr/bin/env node shebangs)
    - Remove duplicate blank line in skills/rust-patterns/SKILL.md (MD012)
  • docs: add Antigravity setup and usage guide (#552)
    * docs: add Antigravity setup and usage guide
    
    Addresses #462 — users were confused about Antigravity skills setup.
    
    Adds a comprehensive guide covering:
    - Install mapping (ECC → .agent/ directory)
    - Directory structure after install
    - openai.yaml agent config format
    - Managing installs (list, doctor, uninstall)
    - Cross-target comparison table
    - Troubleshooting common issues
    - How to contribute skills with Antigravity support
    
    Also links the guide from the README FAQ section.
    
    * fix: address review feedback on Antigravity guide
    
    - Remove spurious skills/ row from install mapping table, add note
      clarifying .agents/skills/ is static repo layout not installer-mapped
    - Fix repair section: doctor.js diagnoses, repair.js restores
    - Fix .agents/ → .agent/ path typo in custom skills section
    - Clarify 3-step workflow for adding Antigravity skills
    - Fix antigravity-project → antigravity in comparison table
    - Fix "flatten" → "flattened" grammar in README
    - Clarify openai.yaml full nested path structure
    
    * fix: clarify .agents/ vs .agent/ naming and fix Cursor comparison
    
    - Explain that .agents/ (with 's') is ECC source, .agent/ (no 's')
      is Antigravity runtime — installer copies between them
    - Fix Cursor Agents/Skills column: Cursor has no explicit agents/skills
      mapping (only rules), changed from 'skills/' to 'N/A'
    
    * fix: correct installer behavior claims and command style
    
    - Fix .agents/ vs .agent/ note: clarify that only rules, commands, and
      agents (no dot) are explicitly mapped by the installer. The dot-prefixed
      .agents/ directory falls through to default scaffold, not a direct copy.
    - Fix contributor workflow: remove false auto-deploy claim for openai.yaml.
      Clarify .agents/ is static repo layout, not installer-deployed.
    - Fix uninstall command: use direct script call (node scripts/uninstall.js)
      for consistency with doctor.js, repair.js, list-installed.js.
    
    * fix: add missing agents/ step to contributor workflow
    
    Contributors must add an agent definition at agents/ (no dot) for the
    installer to deploy it to .agent/skills/ at runtime. Without this step,
    skills only exist in the static .agents/ layout and are never deployed.
    
    ---------
    
    Co-authored-by: vazidmansuri005 <vazidmansuri005@users.noreply.github.com>
  • feat(skills): add architecture-decision-records skill (#555)
    * feat(skills): add architecture-decision-records skill
    
    Adds a skill that captures architectural decisions made during coding
    sessions as structured ADR documents (Michael Nygard format).
    
    Features:
    - Auto-detects decision moments from conversation signals
    - Records context, alternatives considered with pros/cons, and consequences
    - Maintains numbered ADR files in docs/adr/ with an index
    - Supports ADR lifecycle (proposed → accepted → deprecated/superseded)
    - Categorizes decisions worth recording vs trivial ones to skip
    - Integrates with planner, code-reviewer, and codebase-onboarding skills
    
    Includes Antigravity support via .agents/skills/ and openai.yaml.
    
    * fix: address review feedback on ADR skill
    
    - Add missing "why did we choose X?" read-ADR trigger to .agents/ copy
    - Add canonical-reference link to .agents/ SKILL.md pointing to full version
    - Remove integration reference to non-existent codebase-onboarding skill
    
    * fix: add initialization step and sync .agents/ trigger
    
    - Add Step 1 to workflow: initialize docs/adr/ directory, README.md
      index, and template.md on first use when directory doesn't exist
    - Add "API design" to .agents/ alternatives trigger to match canonical
      version
    
    * fix: address ADR workflow gaps and implicit signal safety
    
    - Init step: seed README.md with index table header so Step 8 can
      append rows correctly on first ADR
    - Add read-path workflow: graceful handling when docs/adr/ is empty
      or absent ("No ADRs found, would you like to start?")
    - Implicit signals: add "do not auto-create without user confirmation"
      guard, tighten triggers to require conclusion/rationale not just
      discussion, remove overly broad "testing strategy" trigger
    
    * fix: require user confirmation before creating files
    
    - Canonical SKILL.md: init step now asks user before creating docs/adr/
    - .agents/ condensed version: add confirmation gate for implicit signals
      and explicit consent step before any file writes
    
    * fix: require user approval before writing ADR file, add refusal path
    
    * fix: remove .agents/ duplicate, keep canonical in skills/
    
    ---------
    
    Co-authored-by: vazidmansuri005 <vazidmansuri005@users.noreply.github.com>
  • feat(commands): add /context-budget optimizer command (#554)
    * feat(commands): add /context-budget optimizer command
    
    Adds a command that audits context window token consumption across
    agents, skills, rules, MCP servers, and CLAUDE.md files.
    
    Detects bloated agent descriptions, redundant components, MCP
    over-subscription, and CLAUDE.md bloat. Produces a prioritized
    report with specific token savings per optimization.
    
    Directly relevant to #434 (agent descriptions too verbose, ~26k
    tokens causing performance warnings).
    
    * fix: address review feedback on context-budget command
    
    - Add $ARGUMENTS to enable --verbose flag passthrough
    - Fix MCP token estimate: 45 tools × ~500 tokens = ~22,500 (was ~2,200)
    - Fix heavy agents example: all 3 now exceed 200-line threshold
    - Fix description threshold: warning at >30 words, fail at >50 words
    - Add Step 4 instructions (was empty)
    - Fix audit cadence: "quarterly" → "regularly" + "monthly" consistently
    - Fix Output Format heading level under Step 4
    - Replace "Antigravity" with generic "harness versions"
    - Recalculate total overhead to match corrected MCP numbers
    
    * fix: correct MCP tool count and savings percentage in sample output
    
    - Fix MCP tool count: table now shows 87 tools matching the issues
      section (was 45 in table vs 87 in issues)
    - Fix savings percentage: 5,100 / 66,400 = 7.7% (was 20.6%)
    - Recalculate total overhead and effective context to match
    
    * fix: correct sample output arithmetic
    
    - Fix total overhead: 66,400 → 66,100 to match component table sum
      (12,400 + 6,200 + 2,800 + 43,500 + 1,200 = 66,100)
    - Fix MCP savings: ~1,500 → ~27,500 tokens (55 tools × 500 tokens/tool)
      to match the per-tool formula defined in Step 1
    - Reorder optimizations by savings (MCP removal is now #1)
    - Fix total savings and percentage (31,100 / 66,100 = 47.0%)
    
    * fix: distinguish always-on vs on-demand agent overhead
    
    Agent descriptions are always loaded into Task tool routing context,
    but the full agent body is only loaded when invoked. The audit now
    measures both: description-only tokens as always-on overhead and
    full-file tokens as worst-case overhead. This resolves the
    contradiction between Step 1 (counting full files) and Tip 1 (saying
    only descriptions are loaded per session).
    
    * fix: simplify agent accounting and resolve inconsistencies
    
    - Revert to single agent overhead metric (full file tokens) — simpler
      and matches what the report actually displays
    - Add back 200-line threshold for heavy agents in Step 1
    - Fix heavy agents action to match issue type (split/trim, not
      description-only)
    - Remove .agents/skills/ scan path (doesn't exist in ECC repo)
    - Consolidate description threshold to single 30-word check
    
    * fix: add model assumption and verbose mode activation
    
    - Step 4: assume 200K context window by default (Claude has no way to
      introspect its model at runtime)
    - Step 4: add explicit instruction to check $ARGUMENTS for --verbose
      flag and include additional output when present
    
    * fix: handle .agents/skills/ duplicates in skill scan
    
    Skills scan now checks .agents/skills/ for Codex harness copies and
    skips identical duplicates to avoid double-counting overhead.
    
    * fix: add savings estimate to heavy agents action for consistency
    
    * feat(skills): add context-budget backing skill, slim command to delegator
    
    * fix: use structurally detectable classification criteria instead of session frequency
    
    ---------
    
    Co-authored-by: vazidmansuri005 <vazidmansuri005@users.noreply.github.com>
  • feat(skills): add codebase-onboarding skill (#553)
    * feat(skills): add codebase-onboarding skill
    
    Adds a skill that systematically analyzes an unfamiliar codebase and
    produces two artifacts: a structured onboarding guide and a starter
    CLAUDE.md tailored to the project's conventions.
    
    Four-phase workflow:
    1. Reconnaissance — parallel detection of manifests, frameworks, entry
       points, directory structure, tooling, and test setup
    2. Architecture mapping — tech stack, patterns, key directories, request
       lifecycle tracing
    3. Convention detection — naming, error handling, async patterns, git
       workflow from recent history
    4. Artifact generation — scannable onboarding guide + project-specific
       CLAUDE.md
    
    Includes Antigravity support via .agents/skills/ and openai.yaml.
    
    * fix: address review feedback on codebase-onboarding skill
    
    - Rename headings to match skill format: When to Activate → When to Use,
      Onboarding Workflow → How It Works
    - Add Examples section with 3 usage scenarios
    - Mark Phase 4 Next.js paths as example with HTML comments
    - Fix CLAUDE.md generation to read/enhance existing file first
    - Replace abbreviated .agents/ SKILL.md with full copy per repo convention
    
    * fix: add example marker to Common Tasks template section
    
    Adds <!-- Example for a Node.js project --> comment to Common Tasks,
    matching the markers already on Key Entry Points and Where to Look.
    Syncs .agents/ copy.
    
    * fix: add missing example markers and shorten default_prompt
    
    - Add example comment to Tech Stack table in Phase 4 template
    - Add example comment to Key Directories block in Phase 2
    - Shorten openai.yaml default_prompt to match repo convention (~60 chars)
    - Sync .agents/ SKILL.md copy
    
    * fix: add empty-repo fallback and remove hardcoded output path
    
    - Phase 3: add fallback for repos with no git history
    - Example 1: remove hardcoded docs/ path assumption, output to
      conversation or project root instead
    - Sync .agents/ copy
    
    * fix: remove .agents/ duplicate, keep canonical in skills/
    
    * fix: clarify Example 1 output destination
    
    * fix: add shallow-clone fallback to git conventions detection
    
    ---------
    
    Co-authored-by: vazidmansuri005 <vazidmansuri005@users.noreply.github.com>
  • feat(skills): add agent-eval for head-to-head coding agent comparison (#540)
    * feat(skills): add agent-eval for head-to-head coding agent comparison
    
    * fix(skills): address PR #540 review feedback for agent-eval skill
    
    - Remove duplicate "When to Use" section (kept "When to Activate")
    - Add Installation section with pip install instructions
    - Change origin from "community" to "ECC" per repo convention
    - Add commit field to YAML task example for reproducibility
    - Fix pass@k mislabeling to "pass rate across repeated runs"
    - Soften worktree isolation language to "reproducibility isolation"
    
    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    
    * Pin agent-eval install to specific commit hash
    
    Address PR review feedback: pin the VCS install to commit
    6d062a2 to avoid supply-chain risk from unpinned external deps.
    
    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    
    ---------
    
    Co-authored-by: Joaquin Hui Gomez <joaquinhui1995@gmail.com>
    Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
  • Merge pull request #664 from ymdvsymd/fix/observer-sandbox-access-661
    fix(clv2): add --allowedTools to observer Haiku invocation (#661)
  • Merge pull request #665 from ymdvsymd/fix/worktree-project-id-mismatch
    fix(clv2): use -e instead of -d for .git check in detect-project.sh
  • fix(clv2): use -e instead of -d for .git check in detect-project.sh
    In git worktrees, .git is a file (not a directory) containing a gitdir
    pointer. The -d test fails for worktree checkouts, causing project
    detection to fall through to the "global" fallback. Changing to -e
    (exists) handles both regular repos and worktrees correctly.
    
    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
  • fix(clv2): add --allowedTools to observer Haiku invocation (#661)
    The observer's Haiku subprocess cannot access files outside the project
    sandbox (/tmp/ for observations, ~/.claude/homunculus/ for instincts).
    Adding --allowedTools "Read,Write" grants the necessary file access
    while keeping the subprocess constrained by --max-turns and timeout.
    
    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
  • fix: update catalog counts and resolve lint error
    - Update agent count 26→27 in README.md (quick-start + comparison table) and AGENTS.md (summary + project structure)
    - Update skill count 108→109 in README.md (quick-start + comparison table) and AGENTS.md (summary)
    - Rename unused variable provenance → _provenance in tests/lib/skill-dashboard.test.js
  • feat(skills): add pytorch-patterns skill (#550)
    Adds pytorch-patterns skill covering model architecture, training loops, data loading, and GPU optimization patterns.
  • feat(agents): add pytorch-build-resolver agent (#549)
    Adds pytorch-build-resolver agent for PyTorch runtime/CUDA error resolution, following established agent format.
  • feat(agents): add typescript-reviewer agent (#647)
    Adds typescript-reviewer agent following the established agent format, covering type safety, async correctness, security, and React/Next.js patterns.
  • feat(rules): add Java language rules (#645)
    Adds Java language rules (coding-style, hooks, patterns, security, testing) following the established language rule conventions.
  • fix(observe): allow sdk-ts entrypoint in observation hook (#614)
    Clean surgical fix allowing sdk-ts entrypoint in observe hook for Agent SDK sessions. Has APPROVED review.
  • fix: resolve 8 test failures on main (install pipeline, orchestrator, repair) (#564)
    - Add duplicate slug detection in buildOrchestrationPlan to reject
      worker names that collapse to the same slug
    - Use buildTemplateVariables() for launcher command interpolation
      so _sh and _raw suffixes are available in templates