Commit Graph

748 Commits

  • fix: bump plugin.json and marketplace.json to v1.9.0
    Both files were stuck at v1.8.0, blocking upgrades via claudepluginhub.
  • Update docs/pt-BR/commands/eval.md
    Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
  • Update docs/pt-BR/commands/plan.md
    Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
  • Update docs/pt-BR/commands/orchestrate.md
    Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
  • Update docs/pt-BR/agents/go-build-resolver.md
    Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
  • security: remove supply chain risks, external promotions, and unauthorized credits
    - Remove zenith.chat references and @DRodriguezFX shoutout from README
    - Remove Inspiration Credits section (already in CHANGELOG.md)
    - Remove awesome-agent-skills reference from Links
    - Remove Plankton H3 section by @alxfazio (skill stays in skills/)
    - Remove brand names (InsAIts, VideoDB, Evos) from v1.9.0 notes
    - Remove @ericcai0814 individual credit from README (kept in CHANGELOG)
    - Add Security Guide to Links section
    - Replace curl-pipe-to-bash in autonomous-loops with review warning
    - Replace git clone in plankton-code-quality with review warning
    - Replace pip install git+ in agent-eval with review warning
    - Replace npm install -g in dmux-workflows with review warning
    - Add commercial API notice to nutrient-document-processing
    - Remove VideoDB maintainer credit from videodb skill
    - Replace skill-creator.app link with ECC-Tools GitHub App reference
  • Update docs/pt-BR/commands/go-review.md
    Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
  • Update docs/pt-BR/commands/eval.md
    Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
  • Update docs/pt-BR/commands/plan.md
    Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
  • Merge pull request #728 from zdocapp/zh-CN-pr
    docs(zh-CN): sync Chinese docs with latest upstream changes
  • docs: publish The Shorthand Guide to Everything Agentic Security
    Full article with embedded images: attack chain diagram, sandboxing
    comparison, sanitization visual, observability logging, ghostyy overflow.
    Tweet quotes from @TalBeerySec, @HedgieMarkets, @blackorbird formatted
    as blockquotes. Stats table fixed. Code blocks tagged. Links to shorthand
    and longform guides at bottom.
  • docs: add SECURITY.md, publish agentic security guide, remove openclaw guide
    - Add SECURITY.md with vulnerability reporting policy
    - Publish "The Shorthand Guide to Everything Agentic Security" with attack
      vectors, sandboxing, sanitization, CVEs, and AgentShield coverage
    - Add security guide to README guides section (3-column layout)
    - Remove unpublished openclaw guide
    - Copy security article images to assets/images/security/
  • feat(agents): add flutter-reviewer agent and skill (#716)
    Library-agnostic Flutter/Dart code reviewer that adapts to the project's
    chosen state management solution (BLoC, Riverpod, Provider, GetX, MobX,
    Signals) and architecture pattern (Clean Architecture, MVVM, feature-first).
    
    Co-authored-by: Maciej Starosielec <maciej@code-snap.com>
    Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
  • fix: codex sync merges AGENTS.md instead of replacing it (#715)
    The sync script previously overwrote ~/.codex/AGENTS.md on every run,
    destroying any user-authored content. This adds marker-based merging
    (<!-- BEGIN ECC --> / <!-- END ECC -->) so only the ECC-managed section
    is replaced on subsequent runs, preserving user content outside the
    markers.
    
    Merge logic:
    - No file → create with markers
    - Both markers present (ordered, CRLF-safe) → replace only the ECC section
    - BEGIN without END (corrupted) → full replace (backup saved)
    - No markers at all → append ECC block (preserves existing content)
    
    Also fixes:
    - Symlink preservation: uses cat > instead of mv to write through symlinks
    - CRLF handling: strips \r in marker detection to handle Windows-edited files
    - Marker ordering: validates BEGIN appears before END, not just that both exist
    
    The legacy heading-match heuristic was intentionally removed per council
    review: any unmarked file is either user-authored (append is safe) or
    legacy ECC-generated (duplicates once, deduplicates on next run via
    markers). A timestamped backup is always saved before any mutation.
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-authored-by: Claude <noreply@anthropic.com>
    Co-authored-by: Happy <yesreply@happy.engineering>
  • feat(rules): add C# language support (#704)
    * feat(rules): add C# language support
    
    * feat: add everything-claude-code ECC bundle (#705)
    
    * feat: add everything-claude-code ECC bundle (.claude/ecc-tools.json)
    
    * feat: add everything-claude-code ECC bundle (.claude/skills/everything-claude-code/SKILL.md)
    
    * feat: add everything-claude-code ECC bundle (.agents/skills/everything-claude-code/SKILL.md)
    
    * feat: add everything-claude-code ECC bundle (.agents/skills/everything-claude-code/agents/openai.yaml)
    
    * feat: add everything-claude-code ECC bundle (.claude/identity.json)
    
    * feat: add everything-claude-code ECC bundle (.codex/agents/explorer.toml)
    
    * feat: add everything-claude-code ECC bundle (.codex/agents/reviewer.toml)
    
    * feat: add everything-claude-code ECC bundle (.codex/agents/docs-researcher.toml)
    
    * feat: add everything-claude-code ECC bundle (.claude/rules/everything-claude-code-guardrails.md)
    
    * feat: add everything-claude-code ECC bundle (.claude/research/everything-claude-code-research-playbook.md)
    
    * feat: add everything-claude-code ECC bundle (.claude/team/everything-claude-code-team-config.json)
    
    * feat: add everything-claude-code ECC bundle (.claude/enterprise/controls.md)
    
    * feat: add everything-claude-code ECC bundle (.claude/commands/database-migration.md)
    
    * feat: add everything-claude-code ECC bundle (.claude/commands/feature-development.md)
    
    * feat: add everything-claude-code ECC bundle (.claude/commands/add-language-rules.md)
    
    ---------
    
    Co-authored-by: ecc-tools[bot] <257055122+ecc-tools[bot]@users.noreply.github.com>
    
    * ci: retrigger
    
    ---------
    
    Co-authored-by: ecc-tools[bot] <257055122+ecc-tools[bot]@users.noreply.github.com>
  • feat: agent description compression with lazy loading (#696)
    * feat: add agent description compression with lazy loading (#491)
    
    Agent descriptions consume ~26k tokens (121KB across 27 agents). This adds
    a compression library with three modes:
    - catalog: metadata only (~2-3k tokens) for agent selection
    - summary: metadata + first paragraph (~4-5k tokens) for routing
    - full: no compression, for when agent is invoked
    
    Includes lazy-load function to fetch full agent body on demand.
    21 tests covering parsing, compression, filtering, and real agents dir.
    
    * fix: update JSDoc to include all stats fields in buildAgentCatalog
    
    Add compressedBytes and mode to the documented return type, matching
    the actual implementation.
  • fix(tests): resolve Windows CI test failures (#701)
    * fix(tests): skip bash tests on Windows and fix USERPROFILE in resolve-ecc-root
    
    - hooks.test.js: add SKIP_BASH guard for 8 bash-dependent tests
      (detect-project.sh, observe.sh) while keeping 207 Node.js tests running
    - resolve-ecc-root.test.js: add USERPROFILE to env overrides in 2
      INLINE_RESOLVE tests so os.homedir() resolves correctly on Windows
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    Co-Authored-By: Happy <yesreply@happy.engineering>
    
    * fix(tests): handle BOM in shebang stripping and skip worktree tests on Windows
    
    - validators.test.js: replace regex stripShebang with character-code
      approach that handles UTF-8 BOM before shebang line
    - detect-project-worktree.test.js: skip entire file on Windows since
      tests invoke bash scripts directly
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    Co-Authored-By: Happy <yesreply@happy.engineering>
    
    ---------
    
    Co-authored-by: Claude <noreply@anthropic.com>
    Co-authored-by: Happy <yesreply@happy.engineering>
  • fix: resolve ESLint errors and add npx command support in hook tests
    Remove unused loadInstallManifests import and prefix unused result
    variable with underscore in selective-install tests. Add npx as an
    approved command prefix in hook validation tests.
  • feat: add block-no-verify hook for Claude Code and Cursor (#649)
    Adds npx block-no-verify@1.1.2 as a PreToolUse Bash hook in hooks/hooks.json
    and a beforeShellExecution hook in .cursor/hooks.json to prevent AI agents
    from bypassing git hooks via the hook-bypass flag.
    
    This closes the last enforcement gap in the ECC security stack — the bypass
    flag silently skips pre-commit, commit-msg, and pre-push hooks.
    
    Closes #648
    
    Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
  • feat(skills): add rules-distill skill (rebased #561) (#678)
    * feat(skills): add rules-distill — extract cross-cutting principles from skills into rules
    
    Applies the skill-stocktake pattern to rules maintenance:
    scan skills → extract shared principles → propose rule changes.
    
    Key design decisions:
    - Deterministic collection (scan scripts) + LLM judgment (cross-read & verdict)
    - 6 verdict types: Append, Revise, New Section, New File, Already Covered, Too Specific
    - Anti-abstraction safeguard: 2+ skills evidence, actionable behavior test, violation risk
    - Rules full text passed to LLM (no grep pre-filter) for accurate matching
    - Never modifies rules automatically — always requires user approval
    
    * fix(skills): address review feedback for rules-distill
    
    Fixes raised by CodeRabbit, Greptile, and cubic:
    
    - Add Prerequisites section documenting skill-stocktake dependency
    - Add fallback command when skill-stocktake is not installed
    - Fix shell quoting: add IFS= and -r to while-read loops
    - Replace hardcoded paths with env var placeholders ($CLAUDE_RULES_DIR, $SKILL_STOCKTAKE_DIR)
    - Add json language identifier to code blocks
    - Add "How It Works" parent heading for Phase 1/2/3
    - Add "Example" section with end-to-end run output
    - Add revision.reason/before/after fields to output schema for Revise verdict
    - Document timestamp format (date -u +%Y-%m-%dT%H:%M:%SZ)
    - Document candidate-id format (kebab-case from principle)
    - Use concrete examples in results.json schema
    
    * fix(skills): remove skill-stocktake dependency, add self-contained scripts
    
    Address P1 review feedback:
    - Add scan-skills.sh and scan-rules.sh directly in rules-distill/scripts/
      (no external dependency on skill-stocktake)
    - Remove Prerequisites section (no longer needed)
    - Add cross-batch merge step to prevent 2+ skills requirement
      from being silently broken across batch boundaries
    - Fix nested triple-backtick fences (use quadruple backticks)
    - Remove head -100 cap (silent truncation)
    - Rename "When to Activate" → "When to Use" (ECC standard)
    - Remove unnecessary env var placeholders (SKILL.md is a prompt, not a script)
    
    * fix: update skill/command counts in README.md and AGENTS.md
    
    rules-distill added 1 skill + 1 command:
    - skills: 108 → 109
    - commands: 57 → 58
    
    Updates all count references to pass CI catalog validation.
    
    * fix(skills): address Servitor review feedback for rules-distill
    
    1. Rename SKILL_STOCKTAKE_* env vars to RULES_DISTILL_* for consistency
    2. Remove unnecessary observation counting (use_7d/use_30d) from scan-skills.sh
    3. Fix header comment: scan.sh → scan-skills.sh
    4. Use jq for JSON construction in scan-rules.sh to properly escape
       headings containing special characters (", \)
    
    * fix(skills): address CodeRabbit review — portability and scan scope
    
    1. scan-rules.sh: use jq for error JSON output (proper escaping)
    2. scan-rules.sh: replace GNU-only sort -z with portable sort (BSD compat)
    3. scan-rules.sh: fix pipefail crash on files without H2 headings
    4. scan-skills.sh: scan only SKILL.md files (skip learned/*.md and
       auxiliary docs that lack frontmatter)
    5. scan-skills.sh: add portable get_mtime helper (GNU stat/date
       fallback to BSD stat/date)
    
    * fix: sync catalog counts with filesystem (27 agents, 114 skills, 59 commands)
    
    ---------
    
    Co-authored-by: Tatsuya Shimomoto <shimo4228@gmail.com>
  • chore(deps-dev): bump flatted (#675)
    Bumps the npm_and_yarn group with 1 update in the / directory: [flatted](https://github.com/WebReflection/flatted).
    
    
    Updates `flatted` from 3.3.3 to 3.4.2
    - [Commits](https://github.com/WebReflection/flatted/compare/v3.3.3...v3.4.2)
    
    ---
    updated-dependencies:
    - dependency-name: flatted
      dependency-version: 3.4.2
      dependency-type: indirect
      dependency-group: npm_and_yarn
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • fix: auto-detect ECC root from plugin cache when CLAUDE_PLUGIN_ROOT is unset (#547) (#691)
    When ECC is installed as a Claude Code plugin via the marketplace,
    scripts live in the plugin cache (~/.claude/plugins/cache/...) but
    commands fallback to ~/.claude/ which doesn't have the scripts.
    
    Add resolve-ecc-root.js with a 3-step fallback chain:
      1. CLAUDE_PLUGIN_ROOT env var (existing)
      2. Standard install at ~/.claude/ (existing)
      3. NEW: auto-scan the plugin cache directory
    
    Update sessions.md and skill-health.md commands to use the new
    inline resolver. Includes 15 tests covering all fallback paths
    including env var priority, standard install, cache discovery,
    and the compact INLINE_RESOLVE used in command .md files.
  • feat: agent compression, inspection logic, governance hooks (#491, #485, #482) (#688)
    Implements three roadmap features:
    
    - Agent description compression (#491): New `agent-compress` module with
      catalog/summary/full compression modes and lazy-loading. Reduces ~26k
      token agent descriptions to ~2-3k catalog entries for context efficiency.
    
    - Inspection logic (#485): New `inspection` module that detects recurring
      failure patterns in skill_runs. Groups by skill + normalized failure
      reason, generates structured reports with suggested remediation actions.
      Configurable threshold (default: 3 failures).
    
    - Governance event capture hook (#482): PreToolUse/PostToolUse hook that
      detects secrets, policy violations, approval-required commands, and
      elevated privilege usage. Gated behind ECC_GOVERNANCE_CAPTURE=1 flag.
      Writes to governance_events table via JSON-line stderr output.
    
    59 new tests (16 + 16 + 27), all passing.