Commit Graph

313 Commits

  • Merge pull request #2118 from Seekers2001/add-generating-python-installer
    Add generating-python-installer skill (Nuitka commercial-grade Windows packaging). Catalog counts reconciled.
  • docs+chore: add README Security section; fix lint regressions on main
    - README: add a visible ## Security section (official sources, vuln reporting via SECURITY.md, GateGuard/IOC/AgentShield guardrails, security guide); make stats line a plain paragraph to clear MD028
    - eslint: empty catch comment in run-with-flags.js; drop unneeded escape in github-coordination/parsing.js; remove unused execFileSync import in its test (#2236 follow-ups)
    - markdownlint: wrap bare URLs in rules/vue/*.md (#2250 follow-up)
    
    npm run lint green; full suite 2836/2836.
  • Merge pull request #2189 from affaan-m/feat/taste-skill
    feat: add taste skill — music-video creative direction. Catalog counts reconciled.
  • Merge pull request #2236 from Victor-Casado/feat/github-native-coordination
    feat: add github-native coordination (epic-* commands + scripts + tests). Command registry + catalog reconciled.
  • Merge pull request #2241 from itkdm/feat/add-vue-ecosystem
    feat: add Vue ecosystem review support (vue-reviewer agent, /vue-review command, vue-patterns skill). Duplicate rules/vue/* kept from #2250; catalog counts reconciled.
  • Merge pull request #2221 from hretheum/feat/add-brand-discovery-competitive-skills
    feat(skills): add brand-discovery and competitive benchmarking pipeline. Catalog counts reconciled.
  • Merge pull request #2220 from lamenting-hawthorn/feat/agent-self-evaluation
    feat(skills,agents): add agent-self-evaluation skill and agent-evaluator persona. Catalog counts reconciled.
  • feat(agents): add spec-miner agent for brownfield spec extraction (#2253)
    * feat(agents): add spec-miner agent for brownfield spec extraction
    
    Mines behavioral specs (Requirements + Invariants) from existing codebases
    without OpenSpec. Fully self-bootstrapping with sample-and-expand token
    strategy. Produces flat, delta-ready spec.md files with machine-parseable
    metadata (id, entities, enforced, depends_on, triggers).
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    * docs: bump agent catalog count from 64 to 65 for spec-miner
    
    All documentation and plugin manifests now reflect the new agent total.
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    * fix: add spec-miner to routing table and clarify id field requirement
    
    - Add spec-miner to AGENTS.md agent table and orchestration hints
    - Fix id field in output template: was marked [optional] but Rule #7
      requires it when enforced is known
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    * fix: update catalog skills count from 261 to 262 across all docs
    
    The upstream added a 262nd skill but documentation references across 7 files
    still reported 261. The CI validate step (scripts/ci/catalog.js --text) caught
    the mismatch — this only runs on PRs, not on direct pushes to main.
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    * fix: replace emoji characters with text equivalents in spec-miner agent
    
    The unicode safety check (check-unicode-safety.js) blocks emoji characters.
    Replace  with FAIL: per the project's targeted replacement convention.
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    * fix: add Write tool to spec-miner agent tools list
    
    The agent generates spec output files at openspec/specs/<capability>/spec.md
    and requires the Write tool to create them.
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    * fix: address review bot comments - tool guardrails and metadata schema consistency
    
    - Add Tool guardrails section: scoping Write to openspec/specs/ path, Bash to read-only
    - Fix deferred/uncertainty comments to follow key: value schema (deferred: file list, uncertainty: reason)
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    * fix: strengthen Prompt Defense Baseline for repository content and Bash boundaries
    
    Add two defense points: treat all repo content as untrusted prompt-injection
    vector, and explicitly reject Bash commands that mutate, exfiltrate, or write
    outside the allowed openspec/specs/ path.
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    * fix: strip explanatory prose from id metadata comment to preserve key:value format
    
    The id comments included explanatory text after the value, which would be
    stored verbatim in copied specs and break stable delta matching. The
    explanation is already covered by Format Rule #7.
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    * fix: restore README.md to upstream baseline with only catalog count changes
    
    The README was corrupted during cherry-pick conflict resolution — an older fork
    version was introduced, changing release notes links, badge URLs, sponsor
    sections, and other content. Restore to upstream/main (5b173d2) and re-apply
    only the agent count (64→65) using catalog.js --write.
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    * fix: restore all catalog files to upstream baseline, keep only intentional changes
    
    The cherry-pick during rebase introduced a stale fork version of multiple files
    via git checkout --theirs conflict resolution. Restore from upstream/main and
    re-apply only:
    
    - Agent counts: 64→65 (all 7 catalog-tracked files)
    - Skills counts: 261→262 (where needed)
    - AGENTS.md: spec-miner routing table + orchestration hint (our additions)
    
    This reverts unintended regressions:
    - Version downgrades (2.0.0 → 2.0.0-rc.1) in marketplace.json, plugin.json,
      AGENTS.md, docs/zh-CN/AGENTS.md, docs/zh-CN/README.md
    - Badge URL changes (api.ecc.tools dynamic → hardcoded) in Chinese READMEs
    - Deleted v2.0.0 stable release sections in Chinese READMEs
    - Wrong release notes path (2.0.0-rc.1 → 2.0.0) in README.md
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    
    ---------
    
    Co-authored-by: lege962 <1515808962@qq.com>
    Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
  • fix: add plugin cache health check (#2249)
    * fix: add plugin cache health check
    
    * fix: harden plugin cache diagnostics
    
    * fix: reject escaping plugin cache refs
    
    * test: remove unused plugin cache fixture
  • docs: add official-sources security warning to README (#2248)
    * docs: add official-sources security warning to README
    
    Add a GFM [!WARNING] alert near the top of README.md identifying
    github.com/affaan-m/ECC and the ecc-universal / ecc-agentshield npm
    packages as the only verified distribution channels, and warning users
    that third-party re-uploads may contain malware.
    
    Closes #2242
    
    * Update README.md
    
    Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
    Co-authored-by: Affaan Mustafa <affaan.mustafa09@gmail.com>
    Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
  • fix: context-size /compact trigger, Codex marketplace plugin path, live README badges (#2237)
    - suggest-compact hook now reads the latest usage record from the session
      transcript and suggests /compact at a window-scaled token threshold
      (160k/200k window, 250k/1M window; COMPACT_CONTEXT_THRESHOLD and
      COMPACT_CONTEXT_INTERVAL overridable), re-firing per 60k-token growth
      bucket; tool-call count stays as the secondary signal (#2155)
    - Codex repo marketplace now points at ./plugins/ecc instead of ./ — Codex
      never discovers plugins whose local marketplace source.path is the
      marketplace root (verified on Codex CLI 0.137.0); plugins/ecc is a thin
      folder referencing root skills/.mcp.json per maintainer direction on
      #2097; docs flag plugin mode as experimental with the upstream blocker
      openai/codex#26037 linked (#2128)
    - README badges for installs/stars/forks now use shields endpoint badges
      backed by api.ecc.tools (live install count 3,712 vs the stale static
      150), which also eliminates shields' 'Unable to select next GitHub token
      from pool' render in the stars badge
    
    Closes #2155
    Closes #2128
  • fix(ci): catalog sync, markdownlint, unicode safety, unsupported frontmatter key
    catalog:sync: update skill count 261→265 in README.md, AGENTS.md,
    docs/zh-CN/AGENTS.md, .claude-plugin/plugin.json
    
    markdownlint:
    - MD009: strip trailing spaces in 10_purpose-why, 20_positioning,
      40_personality-archetype, 50_voice-tone, 60_narrative-story, 90_SYNTHESIS
      (both skills/ and .agents/skills/ copies)
    - MD037: wrap ___ placeholders in backticks in 70_founder-tension.md:39
    - MD028: replace blank lines inside blockquotes with bare > in 90_SYNTHESIS.md
    
    unicode-safety: replace U+2194 (↔) with ASCII <-> in 50_voice-tone.md and
    competitive-report-structure/SKILL.md (both copies)
    
    codex-validator: remove unsupported `origin: community` key from
    brand-discovery, competitive-platform-analysis, competitive-report-structure,
    benchmark-methodology SKILL.md files (both copies)
  • fix(readme): restore historical skill count (261) in v2.0.0-rc.1 changelog entry
    v2.0.0-rc.1 shipped in April 2026 with 261 skills; the four new skills added
    in this PR bring the count to 265 only in v2.0.0+. Retroactively updating the
    rc.1 entry rewrote past release facts — restore the accurate historical count.
    
    Addresses cubic-dev-ai review finding (README.md:137).
  • feat(skills): add brand-discovery and competitive benchmarking pipeline
    Adds four community skills covering brand identity discovery and a
    three-skill competitive benchmarking pipeline.
    
    **brand-discovery** — Adaptive multi-session brand identity interview
    spanning 8 modules (purpose, positioning, audience, personality, voice,
    narrative, founder-brand tension, synthesis). Uses laddering, 5 Whys,
    and projective techniques. State persisted to disk via state.json so
    sessions resume across conversations without losing elicited knowledge.
    Frameworks: Sinek, Dunford, Baker, Enns, Kapferer, Aaker, Neumeier,
    Mark & Pearson, Lencioni. Includes 8 module output templates in
    references/.
    
    **competitive-platform-analysis** — Scopes and tiers a competitor set
    before benchmarking begins. Categorizes candidates along 8 generic
    creative-industry axes (positioning stance, specialization, size/model,
    engagement format, distinctiveness posture, evidence model, brand
    strength, market/reach) into Direct / Adjacent / Aspirational tiers.
    Includes a pre-filter scoring matrix. First step in the pipeline.
    
    **benchmark-methodology** — Scores each competitor across 9 weighted
    dimensions (positioning 18%, brand voice 15%, visual craft 15%, offer
    packaging 12%, evidence 12%, enterprise-readiness 10%, thought
    leadership 8%, pricing 5%, client's strategic tension 5%) with explicit
    1–5 rubrics and bias controls. Produces one profile card per competitor.
    
    **competitive-report-structure** — Assembles scored cards into a
    decision-grade report: executive summary, landscape map, competitor
    tiers, heatmap matrix, deep dives, white-space and threats, strategic
    recommendations, sources appendix.
    
    brand-discovery complements brand-voice (ECC): brand-voice extracts a
    style profile from existing source material; brand-discovery elicits
    identity from scratch through structured interviews when no prior
    material exists.
    
    A competitive set scoped without the client's positioning brief is
    noise, not intelligence — each skill enforces this by requiring the
    brief before proceeding. The 9-dimension scoring framework deliberately
    reports the client's strategic tension as two separate poles (never
    averaged) because the gap between them is the strategic finding.
    
    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
  • docs: sync skill count to 262 after config-gc skill landed (#2230)
    npm run catalog:sync — #2216 added skills/config-gc without bumping
    documented counts, leaving catalog:check (and npm test) red on main.
  • docs: restore hero banner with ECC wordmark, v2.0.0 badge, and brand lettermark (#2229)
    Recreates the v1.10 hero banner design (sourced from commit 602894ef)
    that PR #2225 replaced with a plain HTML header:
    
    - Wordmark and breadcrumb now read ECC / affaan-m/ECC
    - Version badge reads v2.0.0 · Jun 2026, eyebrow updated to V2.0
    - Top-left mark is the actual assets/ecc-icon.svg lettermark (amber E,
      coral CC) instead of a generic coral square
    - Catalog columns refreshed with live counts (261 skills, 64 agents,
      84 commands, 409 catalog) and real item names from the repo
    - Harness pills updated to the current README list (Claude Code, Codex,
      Cursor, OpenCode, Gemini, Zed, Copilot)
    - SVG source committed as assets/hero.svg so future edits never need
      image archaeology; rendered to PNG at 2400x1350 via sharp
    
    README hero line restored to the markdown image; badges, sponsor table,
    and guide cards from #2225 kept intact.
  • docs: restore on-brand ECC header, consolidate sponsor placement, make guide links visual (#2225)
    - Replace off-brand hero PNG (wrong product name + baked version) with a
      centered HTML header using assets/ecc-icon.svg, h1, and tagline
    - Consolidate duplicated sponsor sections: polished centered sponsor table
      at top (CodeRabbit, Greptile, community sponsors, sponsor links); bottom
      section reduced to a one-liner pointing to SPONSORS.md
    - Convert guide links to visual cards using the guides' own header images,
      linked to the local guide files
    - Fix broken tmux video URL in the shortform guide to the in-repo asset
  • feat(mcp): single-connector default set + connector policy (#2219)
    Reduce the default .mcp.json to one connector (chrome-devtools) per the
    new policy in docs/MCP-CONNECTOR-POLICY.md: a default earns its slot only
    if it is universal AND MCP beats a CLI/API wrapped in a skill. June 2026
    audit verdicts: github -> gh via github-ops skill; context7 -> REST via
    documentation-lookup; exa -> harness-native search (+ exa-search skill);
    memory -> native harness memory + instincts; playwright -> playwright CLI
    skills (vendor moved agent flows off MCP); sequential-thinking -> native
    extended thinking. All six remain opt-in in mcp-configs/mcp-servers.json.
    Tests updated: plugin-manifest policy assertions + install-apply Cursor
    expectations.
    
    Co-authored-by: ECC Test <ecc@example.test>
  • release: 2.0.0 — the agent harness operating system
    Graduate 2.0.0-rc.1 to stable. Bump version across package, plugin,
    marketplace, OpenCode, agent metadata, VERSION, and all localized docs.
    Add 2.0.0 release notes + README sections (en/zh/pt-BR/tr), CHANGELOG
    entry, and the ECC community Discord bot (dependency-free gateway client
    + guild command registrar). Update copilot-support and release-surface
    tests for the sponsored-review migration and the 2.0.0 surface.
  • feat: add orch-* orchestrator skill family (#2153)
    * feat: add orch-* orchestrator skill family
    
    Lightweight wrappers that orchestrate existing ECC agents through a gated Research -> Plan -> TDD -> Review -> Commit pipeline, right-sized per task.
    
    - orch-pipeline: shared engine (phases, size classifier, two gates, agent map)
    - orch-add-feature/change-feature/fix-defect/refine-code/build-mvp: thin wrappers delegating to the engine
    
    * chore: register orch-* family in catalog, command registry, and agent.yaml (post-rebase onto green main)
    
    ---------
    
    Co-authored-by: ECC Test <ecc@example.test>
  • fix: make plugin hooks run on Node 21+ and green the suite under modern Node (#2184)
    ROOT CAUSE: hooks load plugin-hook-bootstrap.js via
    `node -e "...; process.argv.splice(1,0,s); require(s)"`. On Node 21+,
    require.main is `undefined` under --eval, so the `if (require.main === module)`
    guard was false and main() never ran — every plugin hook silently no-op'd
    (e.g. the MCP-health PreToolUse hook stopped blocking). CI (Node 18/20) hid
    this; it only surfaces on Node 21+. Fix: also run main() when require.main is
    undefined (the eval-bootstrap case), while staying dormant on real imports.
    
    Also clears pre-existing main debt the full local suite enforces:
    - catalog:sync — README/docs agent+skill counts drifted after recent merges
    - tests/ci/supply-chain-watch-workflow: update checkout SHA to the merged v6.0.3 (#2183)
    - markdownlint + check-unicode-safety --write across docs/skills
    
    Suite: 2683/2683 green under Node v25; lint + unicode clean.
    
    Co-authored-by: ECC Test <ecc@example.test>
  • feat: Cursor-independent ECC memory via ECC_AGENT_DATA_HOME (#2066)
    * feat: auto-isolate ECC memory data for Cursor via ECC_AGENT_DATA_HOME
    
    Add ECC_AGENT_DATA_HOME (defaults to ~/.claude) with Cursor-aware resolution,
    sessionStart env injection, install scaffolds, and hook bootstrap so memory
    hooks do not collide with Claude Code when both harnesses are used.
    
    Closes #2065
    
    Co-authored-by: Cursor <cursoragent@cursor.com>
    
    * fix: log agent-data config errors and ship cursor sessionStart deps
    
    Address CodeRabbit review: log invalid .cursor/ecc-agent-data.json parse
    failures, and copy cursor-session-env.js plus lib deps on legacy Cursor
    install so sessionStart hook path exists without hooks-runtime alone.
    
    Co-authored-by: Cursor <cursoragent@cursor.com>
    
    * fix: resolve relative agentDataHome paths from project root
    
    Project config values like ".ecc-data" now resolve against the
    repository root (parent of .cursor/), not process.cwd(), so Cursor
    hooks persist memory in the intended directory regardless of hook cwd.
    
    Addresses cubic review on PR #2066.
    
    Co-authored-by: Cursor <cursoragent@cursor.com>
    
    * docs: explain getHomeDir duplicate and docstring policy
    
    Document why agent-data-home keeps a local home-dir helper (circular
    require with utils.js) and list consolidation options for maintainers.
    Note that CodeRabbit JSDoc coverage warnings are informational relative
    to ECC's usual script documentation style.
    
    Addresses cubic P2 context on PR #2066.
    
    Co-authored-by: Cursor <cursoragent@cursor.com>
    
    * test: isolate agent-data-home tests from dogfooded .cursor config
    
    Use isolated temp cwd for default-resolution cases and assert
    resolveAgentDataHome({ projectDir }) reads ecc-agent-data.json.
    Document cwd/project caveats in the test file header.
    
    Co-authored-by: Cursor <cursoragent@cursor.com>
    
    ---------
    
    Co-authored-by: Cursor <cursoragent@cursor.com>
  • feat(skills): add codehealth-mcp skill and CodeScene MCP config (#2077)
    * feat(skills): add codehealth-mcp skill and CodeScene MCP config
    
    * docs(skills): add When to Use, How It Works, and Examples sections
    
    * docs(skills): clarify MCP opt-in, data boundaries, and offline behavior
    
    Address security review on PR #2077: no bundled credentials, document what
    tools read locally, failure behavior when MCP is unavailable, and README
    wording that Code Health MCP is optional and not enabled by default.
    
    Co-authored-by: Cursor <cursoragent@cursor.com>
    
    ---------
    
    Co-authored-by: adnasalk-notus <adna.salkovic@notus.hr>
    Co-authored-by: Cursor <cursoragent@cursor.com>
  • docs: add Spanish (es) translation (#2095)
    Adds a complete Spanish translation of the ECC documentation under
    docs/es/, mirroring the Turkish (docs/tr/) translation in scope.
    141 files covering agents, commands, rules, skills, contexts, examples,
    and core docs. Updates root README.md with the Spanish language link.
    
    Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
  • docs(claude): install manual skills at top level (#2160)
    * docs(claude): install manual skills at top level
    
    * test(docs): guard Claude manual skill install path
    
    * test(docs): detect PowerShell/$HOME nested skill-install paths
    
    Address CodeRabbit on #2160: the nested-path regression guard only matched
    Unix `mkdir`/`cp` with `~`, so a reintroduced PowerShell `Copy-Item ...
    $HOME/.claude/skills/ecc` (or backslash-separated) form would have slipped
    through. Extend the pattern to also cover `Copy-Item`/`New-Item` (and the
    `md`/`copy`/`cpi` aliases), accept `$HOME` as an alternative to `~`, allow both
    `/` and `\` separators, and match case-insensitively.
    
    Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
    
    ---------
    
    Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
  • fix(session-start): support ECC_SESSION_RETENTION_DAYS opt-out + document env var (#2151) (#2163)
    * fix(session-start): support ECC_SESSION_RETENTION_DAYS opt-out + document env var
    
    The retention pass for *-session.tmp files (issue #2151) landed previously,
    but the env var that controls it was undocumented in the README and rejected
    falsy values (0, off, disabled), silently falling back to the 30-day default.
    Users who want to keep all sessions for forensic or research workflows had no
    way to opt out.
    
    This patch:
    
    - Extends getSessionRetentionDays() so 0|off|false|disabled|never|none disables
      pruning entirely (returns null sentinel; default behavior unchanged).
    - Updates the call site in main() to skip pruneExpiredSessions when retention
      is null and emits a clear "[SessionStart] Pruning disabled via
      ECC_SESSION_RETENTION_DAYS" log line so the operator can tell pruning is off.
    - Documents ECC_SESSION_RETENTION_DAYS in the README "Hook Runtime Controls"
      section alongside the other ECC_SESSION_* knobs.
    - Adds three regression tests in tests/hooks/hooks.test.js covering opt-out
      via 0, opt-out via off, and garbage-value fallback to default 30.
    
    Verification:
    - node tests/hooks/hooks.test.js  — 240/240 green (incl. 3 new retention tests)
    - node tests/run-all.js           — 2622/2622 green
    - npx eslint scripts/hooks/session-start.js tests/hooks/hooks.test.js — clean
    - node scripts/ci/validate-no-personal-paths.js — clean
    - node scripts/ci/check-unicode-safety.js       — clean
    - node scripts/ci/validate-hooks.js — 28 matchers validated
    - node scripts/ci/validate-rules.js — 115 files validated
    
    Fixes #2151
    
    * docs(readme): list all ECC_SESSION_RETENTION_DAYS opt-out values + add Windows example
    
    Address reviewer feedback on PR #2163:
    - CodeRabbit and cubic both flagged that the README docs only listed 3 of 6
      opt-out values accepted by getSessionRetentionDays() (0, off, disabled),
      while the implementation also accepts false, never, none.
    - cubic also flagged the missing Windows PowerShell example for the new
      variable, breaking the parallel structure of the existing
      ECC_CONTEXT_MONITOR_COST_WARNINGS example block.
    
    Updated the README to:
    - Spell out all six opt-out values (0, off, false, disabled, never, none)
      and clarify they "keep all sessions (disable pruning)".
    - Add an ECC_SESSION_RETENTION_DAYS line to the Windows PowerShell example.
    
    No behavior change. README only.
    
    Verification:
    - npx markdownlint README.md — clean
    - npx eslint scripts/hooks/session-start.js tests/hooks/hooks.test.js — clean
  • feat: add dynamic workflow team orchestration surface
    Adds dynamic workflow/team orchestration skills, the content pack, and control-pane work-item/Kanban state DB support. Includes reviewer hardening for state-db CLI validation, optional state DB failure handling, and mergeStateStatus projection.
  • Add React language track with agents, skills, rules, and commands (#2024)
    * feat(rules): add rules/react/ track
    
    Five rule files mirroring per-language convention (coding-style,
    hooks, patterns, security, testing). Each has `paths:` glob
    frontmatter for auto-activation when editing matching files.
    
    - coding-style.md: file extensions, naming, JSX, RSC boundary
    - hooks.md: React hooks (NOT Claude Code hooks) — rules-of-hooks,
      dep arrays, cleanup, memoization, React 19 additions
    - patterns.md: container/presentational split, state location
      decision tree, Suspense + error boundaries, forms, data fetching
    - security.md: dangerouslySetInnerHTML, unsafe URL schemes,
      server-action validation, env-var leaks, CSP
    - testing.md: RTL queries, userEvent, async, MSW, axe, anti-patterns
    
    Each file extends typescript/* and common/* rules.
    
    * feat(skills): add react-patterns, react-testing, react-performance
    
    Three new skills under skills/ following the SKILL.md convention.
    
    - react-patterns: React 18/19 idioms — hooks discipline, state
      location decision tree, server/client component boundary,
      Suspense + error boundaries, form actions (React 19), data
      fetching matrix, composition recipes, accessibility-first.
    - react-testing: React Testing Library + Vitest/Jest, query
      priority order, userEvent, MSW network mocking, axe a11y
      assertions, RTL vs Playwright CT boundary, TDD workflow.
    - react-performance: 70-rule performance ruleset adapted from
      Vercel Labs react-best-practices (MIT) across 8 priority
      categories — waterfalls, bundle size, server-side, client
      fetch, re-render, rendering, JS micro, advanced patterns.
      Includes Lighthouse / Web Vitals mapping and attribution to
      upstream.
    
    Cross-links between the three skills and out to frontend-patterns,
    accessibility, e2e-testing, tdd-workflow.
    
    * feat(agents): add react-reviewer and react-build-resolver
    
    Two new agents covering React-specific code review and build error
    resolution, plus matching .kiro/ mirrors and a routing pointer
    edit on typescript-reviewer.
    
    - react-reviewer: slim React-only lanes (hooks rules,
      dangerouslySetInnerHTML, unsafe URL schemes, key prop, state
      mutation, derived-state-in-effect, server/client component
      boundary, accessibility, render performance, Server Action
      validation, env-var leaks). Explicitly delegates generic
      TypeScript/async/Node concerns to typescript-reviewer. Both
      agents should be invoked together on .tsx/.jsx PRs.
    - react-build-resolver: React build/bundler/runtime hydration
      failures across Vite, webpack, Next.js, CRA, Parcel, esbuild,
      Bun, Rsbuild. Handles JSX/TSX compile errors, tsconfig fixes,
      Next.js App Router server/client boundary errors, hydration
      mismatches, duplicated React copies, Tailwind/PostCSS pipeline.
    - .kiro/agents/react-reviewer.json + react-build-resolver.json:
      Kiro IDE format mirrors following the per-language precedent.
    - typescript-reviewer: routing pointer added to its MEDIUM React
      block — defers to /react-review for React-specific concerns
      while keeping its block as fallback for repos that only invoke
      typescript-reviewer.
    
    All agents carry the standard Prompt Defense Baseline stanza.
    
    * feat(commands): add /react-review /react-build /react-test
    
    Three new slash commands invoking the React agents.
    
    - /react-review: invokes react-reviewer. Documents the routing
      rule with typescript-reviewer — both should run together on
      TSX/JSX PRs. Lists CRITICAL/HIGH/MEDIUM rule categories and
      the automated checks (eslint with react-hooks + jsx-a11y,
      tsc --noEmit, npm audit).
    - /react-build: invokes react-build-resolver. Documents bundler
      detection, common failure patterns, fix strategy, and stop
      conditions.
    - /react-test: enforces TDD with React Testing Library + Vitest
      or Jest, behavior-focused queries, userEvent + MSW patterns,
      axe accessibility assertions, coverage targets.
    
    Each command file has the required description: frontmatter and
    follows the per-language command convention (cpp-test, go-test,
    kotlin-test, etc.).
    
    * chore: wire react track into manifests and stack mappings
    
    - agent.yaml: add react-patterns, react-performance, react-testing
      to the skills array; add react-build, react-review, react-test to
      the commands array (alphabetically inserted to satisfy the
      ci/agent-yaml-surface sync test).
    - config/project-stack-mappings.json: extend the `react` stack
      entry — add "react" to rules array (was ["common","typescript",
      "web"]); add react-patterns, react-performance, react-testing,
      accessibility to the skills array.
    - docs/COMMAND-REGISTRY.json: bump totalCommands 75 -> 78; add
      three new entries (react-build, react-review, react-test) with
      primaryAgents / allAgents / skills wiring. react-review's
      allAgents includes typescript-reviewer to reflect the dual-agent
      routing convention.
    - CLAUDE.md: add Skills-table row mapping *.tsx / *.jsx /
      components/** to react-patterns + react-testing skills and
      the /react-review, /react-build, /react-test commands.
    
    * chore(catalog): sync counts to 62 agents / 78 commands / 235 skills
    
    Auto-generated via `node scripts/ci/catalog.js --write --text`
    after the react track additions:
    
    - 2 new agents: react-reviewer, react-build-resolver (60 -> 62)
    - 3 new commands: react-build, react-review, react-test (75 -> 78)
    - 3 new skills: react-patterns, react-performance, react-testing
      (232 -> 235)
    
    Files updated by the catalog sync:
    - .claude-plugin/plugin.json description string
    - .claude-plugin/marketplace.json plugin description
    - README.md quick-start summary, project tree, feature parity tables
    - README.zh-CN.md quick-start summary
    - AGENTS.md project structure summary
    - docs/zh-CN/README.md parity table
    - docs/zh-CN/AGENTS.md project structure summary
    
    All counts now match the filesystem catalog (verified by
    ci/catalog.test.js).
    
    * feat(kiro): add react agent markdown companions to JSON entries
    
    * feat(kiro): add react skills into manifests
    
    * fix(ci): sync catalog counts, registry, and package files for react track
    
    - .claude-plugin/{plugin,marketplace}.json: bump description counts to 62/235/78
    - docs/COMMAND-REGISTRY.json: regenerate to include quality-gate and react commands
    - package.json: add skills/react-{patterns,performance,testing}/ to files allowlist so npm-publish-surface aligns with install-modules manifest
    
    * fix(react): address PR #2024 review feedback
    
    Critical:
    - Remove undefined/.claude/session-aliases.json containing __proto__ prototype-pollution
      fixture committed by accident in a7333c14
    
    High:
    - agents/react-build-resolver.md: replace brittle `test -o $(grep -l ...)` and
      `test -a -n $(grep ...)` detection with explicit `{ ... || grep -q ...; }` so
      bundler detection no longer breaks when grep returns empty
    - agents/react-build-resolver.md: drop hardcoded `npm i react@^19 react-dom@^19`
      remediation; replace with version-agnostic pair-upgrade note that honors the
      project's installed major (17/18/19) — surgical fix principle
    - commands/react-review.md: guard `tsc --noEmit -p tsconfig.json` with
      `[ -f tsconfig.json ] &&` so the review skips cleanly on JS-only projects
    
    Medium:
    - rules/react/security.md: correct the React-18-blocks-javascript-URL claim
      (React only warns in dev; production navigation is not blocked)
    - rules/react/security.md: correct CRA env-var exposure row (CRA exposes
      REACT_APP_*, NODE_ENV, PUBLIC_URL — not 'all' variables)
    - skills/react-testing/SKILL.md: instantiate QueryClient once outside the
      wrapper closure so React Query cache survives re-renders (flaky-test fix)
    - skills/react-testing/SKILL.md: restore console.error spy with mockRestore()
      in a try/finally so the mock does not leak across tests
    - commands/react-test.md: switch outer example-session fence to 4 backticks
      so the inner ```tsx/```bash blocks don't prematurely terminate it
    
    * fix(kiro): mirror react-build-resolver react 19 conditional remediation
    
    Discussion r3272907106 flagged the kiro json variant still carrying the hardcoded
    'npm i react@^19 react-dom@^19' line that the .md companion already dropped.
    Replace with the same conditional, version-agnostic guidance so both variants
    stay in sync.
    
    * fix(react): bump react-build example session fence to 4 backticks
    
    Discussion r3272907144 flagged the same nested-fence issue in
    commands/react-build.md that we fixed earlier in commands/react-test.md.
    The outer triple-backtick text block was being prematurely terminated by
    the inner bash/tsx fences inside the Example Session.
    
    * fix(react): bump react-review example usage fence to 4 backticks
    
    Discussion r3272907201 flagged the same nested-fence issue in
    commands/react-review.md. The outer triple-backtick text block was
    being prematurely terminated by the inner tsx/ts fences inside the
    Example Usage transcript.
    
    * fix(docs): clarify commands row as legacy shims in feature parity table
    
    Discussion r3272912003: README comparison table said 'PASS: 78 commands'
    while the install-section and quick-start prose use 'legacy command shims'.
    Aligned the comparison-table cell to 'PASS: 78 commands (legacy shims)' so
    the count word survives the catalog-validator regex while making the legacy
    nature explicit.
    
    Widened the catalog comparison-table commands regex to tolerate an optional
    parenthetical after the count word, so both the existing 'X commands' and
    the new 'X commands (legacy shims)' phrasings validate without breaking
    older READMEs/translations.
    
    * Update rules/react/security.md
    
    Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
    
    * fix(react): guard tsc in react-build-resolver diagnostic commands
    
    Discussion r3288910205: the agent prompt instructed an unconditional
    'tsc --noEmit -p tsconfig.json', which adds noise (or hard-fails) on
    JavaScript-only projects with no tsconfig.json or no installed TypeScript.
    
    Replaced with 'test -f tsconfig.json && npx --yes tsc --noEmit -p tsconfig.json'
    in both variants:
    - agents/react-build-resolver.md
    - .kiro/agents/react-build-resolver.json (prompt string mirrored)
    
    Mirrors the same guard already applied to commands/react-review.md in de135f61.
    
    * fix(react): pin tsc resolution to local install in build resolver
    
    Discussion r3289054157: previous fix used 'npx --yes tsc' which auto-installs
    the latest TypeScript from npm when none is local, producing version drift
    and non-reproducible typecheck results across machines.
    
    Switched to 'npx --no-install tsc' in both variants so the diagnostic uses
    only the project's pinned TypeScript and fails fast if it isn't installed:
    - agents/react-build-resolver.md
    - .kiro/agents/react-build-resolver.json (prompt string mirrored)
    
    * feat(counts): resolve counts for agents, skills...
    
    * fix(ci): regen command registry for golang-testing entry
    
    Removes stale kotlin-patterns entry to satisfy command-registry:check.
    
    * fix: keep local Claude settings out of React track PR
    
    ---------
    
    Co-authored-by: AlexisLeDain <a.ledain@docoon.com>
    Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
    Co-authored-by: Affaan Mustafa <affaan@dcube.ai>
  • docs(i18n): add German localization scout (#2029)
    Adds de-DE docs, installer wiring, and locale tests. Pre-validated on current main with install manifest checks, markdownlint, locale-install tests, and ECC 2.0 release-surface tests.
  • docs: keep renamed README install paths usable
    Adjust README manual-install snippets after the affaan-m/ECC repo rename so cloned paths use the new ECC checkout or relative paths.
  • Update README links to new repository name 'ECC'
    Changed `everything-claude-code` to `ECC`
  • Add Blender motion state inspection skill
    Adds the Blender motion state inspection skill with maintainer refinements for tools metadata, usage guidance, meter-scale threshold assumptions, and Blender interpreter notes.
  • docs(th): add Thai (th) README translation
    Adds docs/th/README.md with a concise onboarding-style Thai
    translation mirroring the docs/vi-VN format. Updates the language
    switchers in the English, Simplified Chinese, Traditional Chinese,
    Japanese, Korean, Portuguese (BR), Russian, Turkish, Vietnamese,
    and Simplified Chinese docs READMEs to link to the new Thai page.
    
    The English README remains the canonical source of truth; the Thai
    page links back to it for full content.
    
    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>