mirror of
https://github.com/affaan-m/everything-claude-code.git
synced 2026-06-18 15:54:13 +08:00
d2dfca21a43a8a2faa7f759e8e86ffb82a3a806d
2049 Commits
-
docs: fix renamed-repo links, drop stale assessment artifacts (#2058)
CONTRIBUTING.md still pointed at the old `affaan-m/everything-claude-code` repo URL in the Quick Start fork instructions and in the Issues link at the bottom. Both relied on GitHub's silent rename-redirect, but the literal `cd everything-claude-code` after `gh repo fork` would land in the wrong directory now that the repo is `affaan-m/ECC`. REPO-ASSESSMENT.md and EVALUATION.md were both 2026-03-21 personal fork-audit artifacts written from one user's specific install. They describe the project as a fork at `Infiniteyieldai/everything-claude-code` v1.9.0 with 28 agents / 116 skills / 59 commands and pin the recommended mode at "use as upstream tracker". None of that is true anymore (this IS the upstream, v2.0.0-rc.1, currently 61 / 246 / 76). EVALUATION.md in particular still references a defunct branch (`claude/evaluate-repo-comparison-ASZ9Y`) and describes a "Current Setup" of zero installed components as if it were universal, which it is not. Neither file is referenced by anything else in the repo (`rg` confirmed) and they actively mislead new contributors and visitors. Delete both. A targeted line-by-line refresh of EVALUATION.md was considered but rejected: bringing only the totals up to date (61/246/76) would leave the rest of the document — v1.9.0 references, branch metadata, the zero-component "Current Setup" — internally inconsistent (CodeRabbit flagged this on the first revision of this PR). Wholesale removal is the honest fix. Translated copies (e.g. docs/pt-BR/README.md still has the 28/116/59 numbers) are intentionally left for a follow-up i18n PR to keep this diff small.
fxdv ·
2026-06-07 13:27:08 +08:00 -
fix(commands): resolve active plugin root in /instinct-status (#2037) (#2059)
The `/instinct-status` slash command template expanded `${CLAUDE_PLUGIN_ROOT}` directly and documented a manual-install fallback to `~/.claude/skills/continuous-learning-v2/scripts/instinct-cli.py`. When users had both an active plugin install (under `~/.claude/plugins/cache/<slug>/<org>/<version>/`) and a legacy `~/.claude/skills/continuous-learning-v2/` directory left over from a previous manual install, an empty `CLAUDE_PLUGIN_ROOT` (which Claude Code does not always populate in slash-command shell contexts) silently made the command read the stale legacy install while the active plugin hooks and observer wrote to the new XDG path. The user saw "No instincts found" while the system was actively learning — exactly the divergence the bug reporter spent hours diagnosing. Replace the brittle two-block template with the same inline resolver pattern that `hooks/hooks.json` and `/sessions` / `/skill-health` already use: env var → standard install → known plugin roots → plugin cache walk → fallback. The resolver is the canonical `INLINE_RESOLVE` constant from `scripts/lib/resolve-ecc-root.js`, so no new code is introduced — just consistent adoption of the existing pattern. Apply the same fix to all five copies of the command: - commands/instinct-status.md (canonical) - .opencode/commands/instinct-status.md - docs/zh-CN/commands/instinct-status.md - docs/ja-JP/commands/instinct-status.md - docs/tr/commands/instinct-status.md Extend tests/lib/command-plugin-root.test.js with an assertion that the canonical instinct-status.md uses the inline resolver and no longer hard-codes the legacy `~/.claude/skills/...` fallback (regression guard). zh-CN copy: polish the Chinese phrasing per LanguageTool feedback (`使用与 ... 相同的解析器` → `以与 ... 相同的解析器`) so the verb is introduced by an explicit preposition instead of reading as an awkward verb-object construction.fxdv ·
2026-06-07 13:27:05 +08:00 -
docs: add Urdu (ur) README translation (#2061)
* docs: add Urdu (ur) README translation Adds docs/ur/README.md — a full Urdu translation of the main README. Urdu is spoken by 230M+ people globally, with a large developer community in Pakistan. This follows the same structure as existing translations (de-DE, ja-JP, ko-KR, etc.). * docs(ur): sync install catalog counts with current repo metadata The Urdu README stated 60 agents / 232 skills / 75 legacy command shims, but the current repo metadata and English README use 61 / 246 / 76. Update to match so Urdu users following the install guide do not see a verification mismatch (flagged in review). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
zucchini ·
2026-06-07 13:27:03 +08:00 -
feat: Cursor-independent ECC memory via ECC_AGENT_DATA_HOME (#2066)
* feat: auto-isolate ECC memory data for Cursor via ECC_AGENT_DATA_HOME Add ECC_AGENT_DATA_HOME (defaults to ~/.claude) with Cursor-aware resolution, sessionStart env injection, install scaffolds, and hook bootstrap so memory hooks do not collide with Claude Code when both harnesses are used. Closes #2065 Co-authored-by: Cursor <cursoragent@cursor.com> * fix: log agent-data config errors and ship cursor sessionStart deps Address CodeRabbit review: log invalid .cursor/ecc-agent-data.json parse failures, and copy cursor-session-env.js plus lib deps on legacy Cursor install so sessionStart hook path exists without hooks-runtime alone. Co-authored-by: Cursor <cursoragent@cursor.com> * fix: resolve relative agentDataHome paths from project root Project config values like ".ecc-data" now resolve against the repository root (parent of .cursor/), not process.cwd(), so Cursor hooks persist memory in the intended directory regardless of hook cwd. Addresses cubic review on PR #2066. Co-authored-by: Cursor <cursoragent@cursor.com> * docs: explain getHomeDir duplicate and docstring policy Document why agent-data-home keeps a local home-dir helper (circular require with utils.js) and list consolidation options for maintainers. Note that CodeRabbit JSDoc coverage warnings are informational relative to ECC's usual script documentation style. Addresses cubic P2 context on PR #2066. Co-authored-by: Cursor <cursoragent@cursor.com> * test: isolate agent-data-home tests from dogfooded .cursor config Use isolated temp cwd for default-resolution cases and assert resolveAgentDataHome({ projectDir }) reads ecc-agent-data.json. Document cwd/project caveats in the test file header. Co-authored-by: Cursor <cursoragent@cursor.com> --------- Co-authored-by: Cursor <cursoragent@cursor.com>
Tom Cruise Missile ·
2026-06-07 13:27:00 +08:00 -
fix(docs): sync marketplace add URL across translated READMEs (#2050) (#2068)
PR #2050 updated the root README.zh-CN.md install commands after the everything-claude-code → ECC rename, but the same stale marketplace URL remained in nine docs/<locale>/README.md copies. Align those quick-start and self-hosted install blocks so /plugin install ecc@ecc resolves the ecc marketplace instead of everything-claude-code.
Infinity_Block ·
2026-06-07 13:26:58 +08:00 -
feat(skills): add codehealth-mcp skill and CodeScene MCP config (#2077)
* feat(skills): add codehealth-mcp skill and CodeScene MCP config * docs(skills): add When to Use, How It Works, and Examples sections * docs(skills): clarify MCP opt-in, data boundaries, and offline behavior Address security review on PR #2077: no bundled credentials, document what tools read locally, failure behavior when MCP is unavailable, and README wording that Code Health MCP is optional and not enabled by default. Co-authored-by: Cursor <cursoragent@cursor.com> --------- Co-authored-by: adnasalk-notus <adna.salkovic@notus.hr> Co-authored-by: Cursor <cursoragent@cursor.com>
Adna Salković ·
2026-06-07 13:26:54 +08:00 -
feat(mcp): add parallel-search server catalog entry (#2085)
* feat(mcp): add parallel-search server catalog entry * fix(mcp): drop placeholder Bearer header from parallel-search entry The /mcp endpoint accepts anonymous requests by default; baking in a placeholder "Authorization: Bearer YOUR_PARALLEL_API_KEY_HERE" header breaks the key-free default for users who copy the entry verbatim. Move the optional API-key guidance into the description instead.
Matt H ·
2026-06-07 13:26:51 +08:00 -
fix(context-monitor): make cost warnings informational, not commands (#2091)
The PostToolUse cost warnings emit imperative text via additionalContext ("Stop and inform the user...", "Review whether...", "Consider whether..."). Subagents read additionalContext as an instruction and obey the "Stop", abandoning their task and returning a prompt-for-direction instead of their result — derailing multi-agent workflows. The main loop is also nudged to halt mid-task. Reword all three severities to pure-informational data: keep the CRITICAL/WARNING/NOTICE label + the dollar figure (and the threshold), drop the imperative sentence, and state plainly it is informational. No logic, severity, or threshold change. Existing tests pass (they assert the labels + severities, which are preserved). Before: `COST CRITICAL: Session cost is $X. Stop and inform the user about high cost before continuing.` After: `COST CRITICAL: session total ~$X (over $50). Informational only — not an instruction to stop.` Co-authored-by: OrenG Tools <tools@orengacademy.com>Farzul Nizam Zolkifli ·
2026-06-07 13:26:48 +08:00 -
feat: add intent-driven-development skill (#2092)
* feat: add intent-driven-development skill Converts ambiguous feature or engineering requests into scoped, verifiable acceptance criteria before implementation starts. - Chooses between Quick Capture (low/moderate risk) and Full Acceptance Brief (security, data, migration, cross-system changes) - Reads repo context before asking questions; only asks what cannot be inferred - Non-blocking by default: records criteria and proceeds unless a real risk requires confirmation - Rule 9: when an AC fails mid-implementation due to architectural constraints, marks it [revised], updates scope/verification method, and re-presents only changed criteria rather than silently dropping - Output template includes Revision Log for traceability across multiple implementation cycles * fix: add canonical When to Activate, How It Works, and Examples sections Required for auto-activation mechanism detection per CONTRIBUTING.md and existing skill conventions. Sections inserted after the intro and before Operating Rules. * fix: strengthen intent-driven-development skill per review Address skill-quality review feedback on the intent-driven-development PR: - Business/product constraints: add Operating Rule 2 forbidding inference of business rules, compliance/SLAs, pricing, retention, prioritization, and target users from code; surface the technical-vs-business split in How It Works, Discover Context, and a dedicated 'supplied, not inferred' section in the brief template. - Eval-style pass/fail: add a Pass/Fail Examples section (failing vs passing AC, plus a misplaced business-rule context entry) and a 5-point Pass/Fail Rubric users can apply to the output. - Renumber Operating Rules 1-10 accordingly; markdownlint clean.
Andrea Cavallo ·
2026-06-07 13:26:45 +08:00 -
docs: add Spanish (es) translation (#2095)
Adds a complete Spanish translation of the ECC documentation under docs/es/, mirroring the Turkish (docs/tr/) translation in scope. 141 files covering agents, commands, rules, skills, contexts, examples, and core docs. Updates root README.md with the Spanish language link. Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Santiago González Siordia ·
2026-06-07 13:26:42 +08:00 -
feat: add inherit-legacy-style — prevent AI code style drift in legac… (#2098)
* feat: add inherit-legacy-style — prevent AI code style drift in legacy projects - 4-dimension meta-architecture scan (File Anatomy, State & Control Flow, Infrastructure, Error Handling) - Scale-adaptive (small=full read, large=smart sampling) - Signal-threshold noise reduction with one-at-a-time grilling protocol - Generates .ai-style-rules.md with persistent CLAUDE.md hook - Language- and framework-agnostic * fix: add AskUserQuestion to allowed-tools, add When to Use/How It Works/Examples sections per bot review --------- Co-authored-by: wulinzai <linsywu@gmail.com>
linsy ·
2026-06-07 13:26:40 +08:00 -
feat: expand Kiro adapter to full language coverage (#2101)
* feat: expand Kiro adapter to full language coverage - Add 17 new agents (typescript, rust, kotlin, java, cpp, django, swift, fsharp, pytorch, mle, performance-optimizer) in both .md and .json formats - Add 25 new skills (rust, kotlin, java/spring, django, fastapi, nestjs, react, nextjs, cpp, swift, mle/pytorch, deep-research, strategic-compact, autonomous-loops, content-hash-cache-pattern) - Add 6 new language-specific steering files (rust, kotlin, java, cpp, php, ruby) - Add 3 new hooks (rust-check-on-edit, python-lint-on-edit, security-check-on-create) - Update README with expanded component inventory and documentation - Fix install.sh line endings for macOS compatibility Total Kiro components: 33 agents, 43 skills, 22 steering files, 13 hooks * fix: resolve P1/P2 violations in Kiro agents, skills, and steering - java-patterns.md: remove reference to non-existent quarkus-patterns skill - kotlin-patterns.md: fix insecure BuildConfig recommendation for secrets - swift-actor-persistence: fix Swift version claim (5.9+) and Dictionary crash - java-reviewer.md: add recursive framework detection + robust diff chain - kotlin-reviewer.md: replace unreliable diff detection with fallback chain - rust-reviewer.md: add diff fallback + make CI gating mandatory - jpa-patterns: add DISTINCT to fetch-join query to prevent duplicates - django-reviewer.md: add migration safety check, narrow save() rule, fix pytest-django behavior description * fix: resolve remaining violations in Kiro agents, skills, and docs Agents: - java-build-resolver.md: remove quarkus-patterns ref, fix 'Initialise' spelling - java-reviewer.json: remove quarkus-patterns ref from prompt - mle-reviewer.md, cpp-build-resolver.md, java-build-resolver.md, performance-optimizer.md: fix allowedTools 'read' -> 'fs_read' Hooks: - rust-check-on-edit: fix description to match askAgent behavior Skills: - content-hash-cache-pattern: hyphenate 'Content-Hash-Based' - cpp-testing: hyphenate 'real-time' - django-security: use placeholder secrets, fix CSRF_COOKIE_HTTPONLY=False - nestjs-patterns: add Logger to HttpExceptionFilter for non-Http errors - react-patterns: add React 19 compatibility note for useActionState - rust-patterns: remove edition-specific 'Rust 2024+' reference - springboot-patterns: cap exponential backoff, recommend Resilience4j - springboot-security: fix invalid @Query SQL injection example - swift-protocol-di-testing: add thread-safety doc comment to mock Docs: - README.md: fix Project Structure counts (33/43/22/13) * fix: sync README tree with counts, restore local diff in kotlin-reviewer, correct django FK index guidance - README.md: Project Structure tree now lists all 33 agents, 43 skills, 22 steering files, and 13 hooks (was showing old subset) - kotlin-reviewer.md: restore git diff --staged / git diff for local pre-commit review before falling back to HEAD~1 - django-reviewer.md: clarify that ForeignKey fields are indexed by default; only flag missing db_index on non-FK filter columns
Vu Thanh Tai ·
2026-06-07 13:26:37 +08:00 -
docs: fix typos in security guide (#2106)
Correct clear spelling mistakes in documentation without changing behavior. Confidence: high Scope-risk: narrow Tested: git diff --check; uvx codespell on changed files Not-tested: Full docs build not run; text-only changes
Zhao73 ·
2026-06-07 13:26:34 +08:00 -
feat(desktop-notify): route OSC 9 notifications through Ghostty (#2114)
Ghostty natively supports the OSC 9 desktop-notification escape (ESC ] 9 ; <message> BEL), the same sequence already used for iTerm2. Previously only TERM_PROGRAM === 'iTerm.app' took the escape path, so Ghostty users fell through to the osascript path. That makes Script Editor the notification owner, and clicking the notification just launches Script Editor instead of focusing the terminal. Adding 'ghostty' to the OSC 9-capable check makes Ghostty the owner, so clicking the notification focuses the Ghostty window/tab where Claude Code is running. Verified on Ghostty (TERM_PROGRAM=ghostty). Co-authored-by: 高野智史 <satoshitakano@takanosatoshinoMacBook-Pro-522.local> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
satoshi-takano-bloom ·
2026-06-07 13:26:32 +08:00 -
fix(hooks): stop false loop warnings and repeated identical context warnings (#2121)
* fix(hooks): stop false loop warnings and repeated identical context warnings Two PostToolUse monitor defects surfaced during a long single-turn session: 1. ecc-metrics-bridge hashToolCall fingerprinted Edit/Write/MultiEdit on file_path ONLY, so several distinct edits to the same file produced the same hash and tripped the loop detector ("stuck loop") even though every edit was different. Now the hash includes the edit content (old_string/new_string/content/edits) so distinct edits to one file hash differently; identical edits still collide as intended. 2. ecc-context-monitor re-emitted the SAME warning every DEBOUNCE_CALLS (5) tool calls even when nothing changed. Because the cost figure only refreshes at Stop (turn) boundaries, a single stale value printed the identical warning ~20 times within one turn. Dedupe on message content instead: a warning surfaces only when its text changes (cost moved, new file count, new loop) or on first escalation to critical, and is otherwise suppressed. Adds regression tests for the same-file/different-content hash case. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * fix(hooks): address CodeRabbit review (#2121) - ecc-context-monitor: clear dedupe state when warnings resolve, so the same warning text recurring in a later turn (context dips/recovers/dips, a loop that stops then restarts) is surfaced again instead of suppressed as a duplicate. Guarded so the no-warning hot path stays write-free. - ecc-metrics-bridge: hash the FULL serialized edit payload and truncate the digest, not the input. Slicing the serialized string to HASH_INPUT_LIMIT first could collapse large edits sharing their first 2048 chars, reviving the false-loop collision for big Write/edit payloads. - Add regression test for >2048-char edit divergence. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>AHNINE Amine ·
2026-06-07 13:26:30 +08:00 -
Add NEXUS to mcp-configs/mcp-servers.json (local cost/privacy proxy) (#2125)
* Add NEXUS to mcp-configs/mcp-servers.json NEXUS (github.com/lynuxis2026-pixel/nexus-proxy) is a local, single-binary cost/privacy proxy that sits under the harness. Adding it as an MCP server lets an ECC agent query its own usage/savings mid-session (nexus_stats, nexus_savings, nexus_recent, nexus_providers, nexus_cost_breakdown). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * Tighten nexus MCP description to ECC's concise house style Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> --------- Co-authored-by: ludicolijn1985-blip <ludicolijn1985@gmail.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
lynuxis2026-pixel ·
2026-06-07 13:26:27 +08:00 -
fix(trae): strip trailing slash so skill manifest entries are single-slash (#2126)
The Trae installer recorded nested skill files with a doubled slash (e.g. `skills/skill-comply//pyproject.toml`). The skills loop used the glob variable `$d`, which carries a trailing slash, both as the `find` root and as the prefix removed from each file path. Under bash, BSD `find` with a trailing-slash argument emits `.../skill-comply//file`, so `${source_file#$d}` left a leading slash, producing double-slash manifest entries that did not match the single-slash paths uninstall.sh expects. Strip the trailing slash from `$d` and remove the `$d/` prefix so `find` emits clean paths and manifest entries are single-slash. Fixes the previously failing test in tests/scripts/trae-install.test.js ("records nested skill files and the full rules tree in the manifest"). Co-authored-by: affaan-m <tamiraw808@gmail.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>0xJayHK ·
2026-06-07 13:26:25 +08:00 -
fix: surface legacy data warning in instinct-cli status (#2127)
* fix: surface legacy data warning in instinct-cli status (#2036) When the data directory moved from ~/.claude/homunculus/ to the XDG-compliant ~/.local/share/ecc-homunculus/, legacy installs with data still in the old path saw "No instincts found" with no explanation. Add _warn_legacy_data() to cmd_status so users get a clear, actionable warning pointing them to the migration script or the CLV2_HOMUNCULUS_DIR override. Wrap the directory scan in try/except to handle permission errors gracefully. Closes #2036 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * fix: address review feedback — drop unused f-strings, resolve absolute migrate path Remove extraneous f-prefix from strings without interpolation (ruff F541). Resolve migrate-homunculus.sh path relative to instinct-cli.py instead of hard-coding a repo-relative path that only works from the repo root. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * fix: quote migrate script path to handle spaces Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: kky <lingmu141592@gmail.com> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
xiaoxi ·
2026-06-07 13:26:22 +08:00 -
docs: quote pip extras install example (#2130)
Co-authored-by: nyxst4ck <289980115+nyxst4ck@users.noreply.github.com>
nyxst4ck ·
2026-06-07 13:26:20 +08:00 -
fix: normalize POSIX CLAUDE_PLUGIN_ROOT to Windows path in hook bootstrap (#2139)
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Matt Van Horn ·
2026-06-07 13:26:17 +08:00 -
fix: shrink default OpenCode install surface and gate hooks-runtime (#2140)
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Matt Van Horn ·
2026-06-07 13:26:14 +08:00 -
Adilan Akhramovich ·
2026-06-07 13:26:11 +08:00 -
fix(gateguard): gate force/path git checkout as destructive (#2158)
* fix(gateguard): gate force/path git checkout as destructive The destructive-command gate's `checkout` handler only flagged `git checkout -- <path>`. It missed `git checkout --force` / `-f <branch>` and `git checkout .`, all of which discard uncommitted working-tree changes, so they bypassed the gate (once the once-per-session routine-Bash gate is satisfied, they ran with no challenge). The sibling `switch` handler already covers these force forms; mirror it for `checkout`. * test(gateguard): document Test 7b force-checkout case --------- Co-authored-by: bymle <229636660+bymle@users.noreply.github.com>
bymle ·
2026-06-07 13:26:08 +08:00 -
docs(claude): install manual skills at top level (#2160)
* docs(claude): install manual skills at top level * test(docs): guard Claude manual skill install path * test(docs): detect PowerShell/$HOME nested skill-install paths Address CodeRabbit on #2160: the nested-path regression guard only matched Unix `mkdir`/`cp` with `~`, so a reintroduced PowerShell `Copy-Item ... $HOME/.claude/skills/ecc` (or backslash-separated) form would have slipped through. Extend the pattern to also cover `Copy-Item`/`New-Item` (and the `md`/`copy`/`cpi` aliases), accept `$HOME` as an alternative to `~`, allow both `/` and `\` separators, and match case-insensitively. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Kumario ·
2026-06-07 13:26:06 +08:00 -
fix: truncate corrupted legacy command shims (#2167)
tdd.md, e2e.md, and orchestrate.md in legacy-command-shims/commands/ still carried their full pre-shim command bodies concatenated below the shim headers: a stray '})' and orphaned code fence in tdd.md, leftover Playwright test bodies plus a foreign project-specific 'PMX-Specific Critical Flows' section in e2e.md, and orphaned report-template fragments in orchestrate.md. The trailing bodies also contradicted the shim headers by claiming the commands invoke agents directly. Truncate each file at the end of its Delegation section. The other nine legacy shims are clean 20-23 line shims and are untouched.
konstapukarifastnetfi ·
2026-06-07 13:26:03 +08:00 -
fix: refresh stale technical content in agents, rules, and skills (#2168)
Several published examples contained APIs that no longer exist, code that does not run, or model versions that drifted from reality: - agents/performance-optimizer.md used the web-vitals v3 API (getCLS/getFID/getLCP/getFCP/getTTFB) and reported FID. web-vitals v4 renamed the imports to onCLS/onINP/onLCP/onFCP/onTTFB and FID was replaced by INP (target < 200ms) - rules/common/performance.md pinned stale model versions in the model-selection guidance; refresh to the versions the repo itself uses (agent.yaml pins claude-opus-4-6) and add the PowerShell variant for MAX_THINKING_TOKENS next to the bash export - skills/python-patterns/SKILL.md: both get_value examples referenced default_value without declaring the parameter (NameError); add default_value: Any = None to the EAFP and LBYL signatures - skills/frontend-patterns/SKILL.md: the custom useQuery example rebuilt refetch whenever callers passed inline fetchers/options, re-triggering the effect after every state update (infinite fetch loop). Keep the latest fetcher/options in refs so refetch stays referentially stable. The PASS-labelled useMemo example mutated its input with in-place sort; copy before sorting - skills/coding-standards/SKILL.md repeated the same PASS-labelled in-place-sort-in-useMemo example; same fix - rules/typescript/security.md used a vendor-specific OPENAI_API_KEY in generic guidance; switch to a neutral API_KEY Every hand-maintained copy of the affected content is synced in the same change: locale mirrors (ja-JP, ko-KR, pt-BR, tr, zh-CN, zh-TW - each only where it carries the affected file) and the .agents/.kiro/.cursor harness mirrors. Two structural divergences are left alone and noted here: .kiro/steering/performance.md has no extended-thinking control list to carry the PowerShell variant, and docs/zh-TW/rules/performance.md keeps an older condensed thinking section without the budget-cap line. rules/zh/performance.md is intentionally untouched - the rules/zh tree is being retired in a separate change
konstapukarifastnetfi ·
2026-06-07 13:26:01 +08:00 -
docs: align command docs with shipped behavior (#2169)
- multi-{plan,execute,backend,frontend,workflow}.md: add an in-file prerequisite note for the external ccg-workflow runtime. README.md already warns these commands need codeagent-wrapper and the .ccg prompt tree, but users meeting them via the installed slash commands never see the README; the commands-core module still installs all five by default - quality-gate.md: describe what scripts/hooks/quality-gate.js actually does. The doc advertised '/quality-gate [path] [--fix] [--strict]' with lint/type checks, but the script reads the file path from hook stdin JSON, toggles behavior via ECC_QUALITY_GATE_FIX / ECC_QUALITY_GATE_STRICT env vars, and runs formatters only (Biome/Prettier, gofmt, ruff format) - claude-devfleet SKILL.md: add a Setup section pointing at the DevFleet server repository (github.com/LEC-AI/claude-devfleet, already disclosed in mcp-configs/mcp-servers.json) plus the SECURITY.md port-verification note; the skill previously assumed a running instance with no way to obtain one - regenerate docs/COMMAND-REGISTRY.json for the quality-gate descriptionkonstapukarifastnetfi ·
2026-06-07 13:25:58 +08:00 -
fix: retire rules/zh from the always-loaded default rules install (#2170)
rules/zh shipped ~17KB of Chinese rule text into the auto-loaded rules tree of every default install (rules-core installs the bare 'rules' path with defaultInstall: true), with no paths: frontmatter gating. The content had also drifted behind both rules/common and the maintained translations in docs/zh-CN/rules/common (e.g. zh/coding-style.md 48 lines vs the 52-line docs/zh-CN copy), and 'zh' was already dropped from the installer's language help in favor of the gated docs-zh-cn locale module (--locale zh-CN). - move rules/zh/code-review.md to docs/zh-CN/rules/common/code-review.md: the only file with no counterpart in the maintained locale tree (fills a zh-CN parity gap with rules/common/code-review.md) - delete the remaining 10 rules/zh files, all older duplicates of docs/zh-CN/rules/common content - update trae-install test to assert the rules tree via rules/web instead Not addressed here: rules/README.md (~5.5KB of installer docs) still ships into the auto-loaded tree via the bare 'rules' module path; filtering README files from rule-tree expansion is a separate decision
konstapukarifastnetfi ·
2026-06-07 13:25:56 +08:00 -
test: skip chmod-based permission tests when running as root (#2171)
Two tests provoke EACCES via chmod (saveAliases backup double failure, appendSessionContent on a read-only file) and already skip on win32, but root ignores file modes so both fail when the suite runs as root (for example in a default Docker container). Every other chmod-based test in the repo already guards with process.getuid?.() === 0; these two were the only ones missing the guard. Apply the same skip condition and message.
konstapukarifastnetfi ·
2026-06-07 13:25:53 +08:00 -
fix: close install manifest packaging gaps (#2172)
- commands-core now ships scripts/harness-audit.js and scripts/skills-health.js: the module installs the whole commands/ dir, so /harness-audit and /skill-health were installed without their backing engines on manifest-driven installs (the original 1.10.0 failure mode) - agentic-patterns now ships scripts/claw.js: the module installs the nanoclaw-repl skill, whose workflow operates scripts/claw.js - package.json files array gains scripts/skills-health.js so the npm publish surface stays aligned with the module graph (claw.js and harness-audit.js were already listed) - orchestration drops commands/multi-workflow.md and commands/sessions.md from its explicit paths: both are already shipped by commands-core, which is a declared dependency of the module, so the duplicate ownership produced two copy operations per destination in install-state. The two scripts/lib entries are kept because hooks-runtime is NOT a declared dependency and a standalone orchestration install still needs them
konstapukarifastnetfi ·
2026-06-07 13:25:51 +08:00 -
fix: send claude prompt via stdin so Windows shell mode does not mangle it (#2174)
askClaude() passed the full multi-line prompt as a claude Fix: keep only the short, safe flags (--model, -p) as args and send the prompt over stdin via spawnSync input. The prompt never touches the shell command line, so multi-line/special-char prompts arrive intact. claude -p reads stdin on macOS/Linux too, so behavior is unchanged there. Verified on Windows 11 (Node 24, claude CLI via npm): real turns now return correct responses, and node tests/scripts/claw.test.js passes 19/19. Co-authored-by: skausage-ops <268783127+skausage-ops@users.noreply.github.com>
skausage-ops ·
2026-06-07 13:25:48 +08:00 -
fix(skills): keep curl credentials out of argv (#2175)
* fix(skills): avoid curl credential argv leaks * test(ci): guard secret curl examples
Kumario ·
2026-06-07 13:25:45 +08:00 -
test: guard broken-symlink tests so the suite passes on Windows (#2176)
* test: guard broken-symlink tests so the suite passes on Windows Four test cases create a dangling symlink with fs.symlinkSync() to exercise statSync catch branches, but did not guard for platforms where symlink creation is not permitted. On Windows without Developer Mode / admin rights, fs.symlinkSync throws EPERM, so these tests fail and `npm test` is red: - tests/ci/validators.test.js (Round 73, validate-commands skill entry) - tests/lib/session-manager.test.js (Round 83, getAllSessions) - tests/lib/session-manager.test.js (Round 84, getSessionById) - tests/lib/utils.test.js (Round 84, findFiles) Wrap each symlinkSync in try/catch and skip cleanly on failure, mirroring the existing convention already used in this repo (validators.test.js Round 57 and hooks/config-protection.test.js). On Linux/macOS and admin Windows the symlink still succeeds and the tests run unchanged; only the unsupported-symlink path now skips instead of failing. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * test: only skip symlink tests on EPERM/EACCES, rethrow other errors Address CodeRabbit review: the catch blocks swallowed every error, which could mask a real test/setup failure as a false skip. Inspect err.code and only take the skip path for EPERM/EACCES (symlink creation blocked, e.g. Windows without Developer Mode); rethrow anything else so genuine failures still surface. Per the repo coding guideline: never silently swallow errors. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Johnson K C ·
2026-06-07 13:25:43 +08:00 -
feat(skills): add kubernetes-patterns skill (#2178)
* feat(skills): add kubernetes-patterns skill * fix(skills): address CodeRabbit review on kubernetes-patterns - Add When to Use alias section (repo skill-format requirement) - Add How It Works overview section (required schema) - Add Examples quick-reference table (required schema) - Fix RBAC: split into Pattern A (no API, token disabled) and Pattern B (needs API, token enabled) to resolve contradiction between automountServiceAccountToken: false and Role/RoleBinding - Fix missing -n my-namespace flag on OOMKilled kubectl describe command
Sahil Aghara ·
2026-06-07 13:25:41 +08:00 -
fix(dev-server-block): stop blocking dev-<suffix> scripts (#2179)
`DEV_PATTERN`'s trailing `\b` treats a hyphen as a word boundary, so `dev\b` matched the `dev` prefix of distinct npm scripts like `dev-setup` / `dev-docs` / `dev-build` and blocked them with exit 2. Replace the trailing `\b` with `(?![\w-])` so the dev server still matches (`dev`, `dev;`, `dev:ssr`) but `dev-<suffix>` scripts pass. Adds regression tests for dev-setup/dev-docs/dev-build (allowed) and dev:ssr (still blocked). Co-authored-by: bymle <229636660+bymle@users.noreply.github.com>
bymle ·
2026-06-07 13:25:39 +08:00 -
fix(session-end): preserve $-sequences in user messages when rewriting summary (#2180)
The regenerated summary block embeds raw user-message text and was passed as the *replacement* argument to String.prototype.replace, where $-sequences ($&, $$, $`, $') are special. A user message containing $& re-injected the entire matched block (duplicating the summary markers) and $$ collapsed to $, silently corrupting the persisted session summary. buildSummarySection only escapes newlines and backticks, not $. Fix: use function replacers (() => summaryBlock) at both rewrite sites so the replacement text is treated literally. Adds an end-to-end regression test. Co-authored-by: bymle <229636660+bymle@users.noreply.github.com>
bymle ·
2026-06-07 13:25:36 +08:00 -
fix(project-detect): match packageKeys on boundaries, not substrings (#2181)
Framework detection matched a dependency against a framework's packageKeys with unbounded substring containment (dep.includes(key)), so any dependency whose name merely contained a key was misclassified: `preact` and even `reactive` were both detected as `react`. Match only when the dependency equals the key, or the key is a prefix immediately followed by a delimiter (/ . _ -). This still matches every real case (react-dom, @remix-run/node, spring-boot-starter, org.springframework.boot, github.com/labstack/echo/v4, phoenix_live_view) while excluding preact/reactive (and incidentally nextra). Adds regression tests. Co-authored-by: bymle <229636660+bymle@users.noreply.github.com>
bymle ·
2026-06-07 13:25:34 +08:00 -
chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#2183)
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/de0fac2e4500dabe0009e67214ff5f5447ce83dd...df4cb1c069e1874edd31b4311f1884172cec0e10) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
dependabot[bot] ·
2026-06-07 13:25:31 +08:00 -
fix(observer): auto-scale max_turns by analysis batch size (#2062)
* fix(observer): auto-scale max_turns by analysis batch size (#2035) The hardcoded default of MAX_TURNS=20 is insufficient when MAX_ANALYSIS_LINES=500 (also the default). Claude exhausts its turn budget before it can write all discovered instinct files, producing: Error: Reached max turns (20) Fix: when ECC_OBSERVER_MAX_TURNS is not explicitly set, compute max_turns proportionally to the actual analysis batch size: max_turns = clamp(analysis_count / 10, 20, 100) This gives: - 20–199 lines → 20 turns (existing floor, unchanged) - 500 lines → 50 turns (resolves the reported failure) - 1000 lines → 100 turns (cap) Explicitly setting ECC_OBSERVER_MAX_TURNS still overrides the auto-scaled value, preserving the existing escape hatch. * test(observer): update max_turns test for auto-scaling; document validation The max-turns budget test in tests/hooks/hooks.test.js still asserted the removed literal max_turns="${ECC_OBSERVER_MAX_TURNS:-20}", which would fail against the new auto-scaling logic. Assert the auto-scale formula and the 20/100 clamp bounds instead. Also add the explanatory comment CodeRabbit requested above the max_turns sanitization block, clarifying it guards the explicit ECC_OBSERVER_MAX_TURNS override path. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
zucchini ·
2026-06-07 13:25:29 +08:00 -
fix(.cursor/hooks): route block-no-verify through local hook to fix message-body false positives (#2107) (#2177)
Cursor hooks still called `npx block-no-verify@1.1.2`, the broken external package whose matcher over-matches: it blocks legitimate `git commit` whenever `--no-verify` (or `no-verify`) appears anywhere in the command string, including inside the commit message body. The Claude Code surface already routes through the in-repo `scripts/hooks/block-no-verify.js`, which performs flag-position-aware tokenisation and passes 25 regression tests covering every false-positive case from #2107. Add a thin Cursor wrapper (`before-shell-execution-block-no-verify.js`) that reads Cursor stdin, transforms to the Claude Code `tool_input.command` shape, delegates to the local hook's exported `run()`, and forwards exit code and stderr. Update `.cursor/hooks.json` to call the wrapper instead of the npx package. New 14-case test file pins the false-positive cases from the issue plus the still-blocked real bypass attempts. Fixes #2107
Gaurav Dubey ·
2026-06-07 13:01:36 +08:00 -
fix(session-start): support ECC_SESSION_RETENTION_DAYS opt-out + document env var (#2151) (#2163)
* fix(session-start): support ECC_SESSION_RETENTION_DAYS opt-out + document env var The retention pass for *-session.tmp files (issue #2151) landed previously, but the env var that controls it was undocumented in the README and rejected falsy values (0, off, disabled), silently falling back to the 30-day default. Users who want to keep all sessions for forensic or research workflows had no way to opt out. This patch: - Extends getSessionRetentionDays() so 0|off|false|disabled|never|none disables pruning entirely (returns null sentinel; default behavior unchanged). - Updates the call site in main() to skip pruneExpiredSessions when retention is null and emits a clear "[SessionStart] Pruning disabled via ECC_SESSION_RETENTION_DAYS" log line so the operator can tell pruning is off. - Documents ECC_SESSION_RETENTION_DAYS in the README "Hook Runtime Controls" section alongside the other ECC_SESSION_* knobs. - Adds three regression tests in tests/hooks/hooks.test.js covering opt-out via 0, opt-out via off, and garbage-value fallback to default 30. Verification: - node tests/hooks/hooks.test.js — 240/240 green (incl. 3 new retention tests) - node tests/run-all.js — 2622/2622 green - npx eslint scripts/hooks/session-start.js tests/hooks/hooks.test.js — clean - node scripts/ci/validate-no-personal-paths.js — clean - node scripts/ci/check-unicode-safety.js — clean - node scripts/ci/validate-hooks.js — 28 matchers validated - node scripts/ci/validate-rules.js — 115 files validated Fixes #2151 * docs(readme): list all ECC_SESSION_RETENTION_DAYS opt-out values + add Windows example Address reviewer feedback on PR #2163: - CodeRabbit and cubic both flagged that the README docs only listed 3 of 6 opt-out values accepted by getSessionRetentionDays() (0, off, disabled), while the implementation also accepts false, never, none. - cubic also flagged the missing Windows PowerShell example for the new variable, breaking the parallel structure of the existing ECC_CONTEXT_MONITOR_COST_WARNINGS example block. Updated the README to: - Spell out all six opt-out values (0, off, false, disabled, never, none) and clarify they "keep all sessions (disable pruning)". - Add an ECC_SESSION_RETENTION_DAYS line to the Windows PowerShell example. No behavior change. README only. Verification: - npx markdownlint README.md — clean - npx eslint scripts/hooks/session-start.js tests/hooks/hooks.test.js — clean
Gaurav Dubey ·
2026-06-07 13:01:33 +08:00 -
feat(gateguard): add env knobs for routine bash gate + extra destructive patterns (#2161)
* feat(gateguard): add env knobs for routine bash gate + extra destructive patterns The JS port of gateguard-fact-force has two bash gates: a destructive gate (rm -rf, drop table, git push --force, etc.) that operators want to keep, and a once-per-session routine gate that fires on the very first bash invocation regardless of intent. Operators on hosts where the routine gate is friction without signal (Cursor, OpenCode, etc.) have been maintaining local patches that get clobbered on every plugin update; the Python upstream gateguard-ai already exposes equivalent config via .gateguard.yml. Adds two env vars, both off-by-default so existing behavior is preserved: - GATEGUARD_BASH_ROUTINE_DISABLED — truthy values (1, true, on, yes, enabled) skip the routine bash gate. Destructive gate is unaffected. - GATEGUARD_BASH_EXTRA_DESTRUCTIVE — regex source string for additional destructive patterns. Matches against the same quote-stripped, subshell-flattened command the built-in DESTRUCTIVE_SQL_DD regex sees, so a custom phrase inside $(...) or backticks is also caught. A malformed regex is logged once to stderr and treated as not configured rather than crashing the hook (hooks must never block tool execution unexpectedly). Twelve new tests pin both env vars (truthy aliases, falsy values, unset baseline, destructive-gate-still-fires, alternation members, malformed regex degrades safely, custom phrase inside command substitution). Existing 2619/2619 tests still pass; eslint clean. Fixes #2078 * fix(gateguard): reset extra-destructive warn-once gate when env value changes Both reviewers (CodeRabbit + cubic) flagged that extraDestructiveWarnLogged was never reset when GATEGUARD_BASH_EXTRA_DESTRUCTIVE flipped from one invalid regex to a different invalid regex. The sticky boolean meant a long-running process saw bad-pattern-a's warning then silently swallowed bad-pattern-b's parse failure. Fix: clear extraDestructiveWarnLogged whenever the cache key changes (i.e. before the regex compile attempt). The warn-once-per-distinct- pattern invariant now matches the per-key cache invariant. Adds a same-process regression test via loadDirectHook() that spies on process.stderr.write and asserts: same bad pattern warns once across multiple invocations; switching to a different bad pattern emits a second warning; switching to a valid regex emits zero warnings.
Gaurav Dubey ·
2026-06-07 13:01:30 +08:00 -
fix(suggest-compact): clean up old counter temp files (#2159)
* fix(suggest-compact): clean up old counter temp files claude-tool-count-<sessionId> files were written into the OS temp dir on every hook run and never removed, accumulating one orphan per session indefinitely. Sweep stale counter files at the top of main() before opening the active counter. Retention is env-tunable via COMPACT_STATE_TTL_DAYS (default 14 days); invalid values fall back to the default. The active session's counter file is preserved unconditionally even if its mtime is past the cutoff. Failures during the sweep are swallowed to preserve the always-exit-0 hook contract. Adds 7 regression tests covering the sweep, env-var validation, and the always-exit-0 invariant under a populated temp dir. Fixes #2156 * fix(suggest-compact): preserve counter files at the TTL cutoff boundary The cleanup sweep used `mtimeMs > cutoffMs` to short-circuit, which matched files whose mtime sits exactly on the cutoff boundary and deleted them. The cleanupOldCounters docstring promises only files *older than* retentionDays are removed; a file at age == retentionDays is not older than retentionDays, so it must survive. Switch the comparison to `>=` so only strictly older files fall through to deletion. Add a regression test that pins boundary-aged files (mtimeMs sitting just past the projected cutoff) are preserved. Refs #2156
Gaurav Dubey ·
2026-06-07 13:01:27 +08:00 -
fix(continuous-learning-v2): accept claude-vscode as valid entrypoint (#2134)
The observe.sh Layer 1 entrypoint guard short-circuits with exit 0 when CLAUDE_CODE_ENTRYPOINT is not in {cli, sdk-ts, claude-desktop}. Claude Code's VS Code extension sets CLAUDE_CODE_ENTRYPOINT=claude-vscode, so VS Code users see no observations recorded — observations.jsonl never gets created and the instinct pipeline stays empty. Add claude-vscode to the allowlist, mirroring the precedent in #1522 which added claude-desktop the same way. Add a regression test that spawns observe.sh under bash -x for each allowed entrypoint (cli, sdk-ts, claude-desktop, claude-vscode) and each denied entrypoint (unknown-host, claude-cody, mcp), asserting that allowed entrypoints reach Layer 2's ECC_HOOK_PROFILE check while denied entrypoints stop at Layer 1. Fixes #2102Gaurav Dubey ·
2026-06-07 13:01:24 +08:00 -
fix: guard two script edge cases (tolerant package.json parse, set -u empty array) (#2088)
* fix: guard two script edge cases - scripts/harness-audit.js: getRepoChecks() parsed package.json with raw JSON.parse(readText(...)), while the rest of the file (lines 218, 822) uses the tolerant safeParseJson(safeRead(...)). In repo target mode a project lacking package.json — or with malformed JSON — threw an uncaught exception and crashed the audit instead of degrading. Match the existing convention so the audit tolerates a missing/invalid package.json. - skills/frontend-slides/scripts/export-pdf.sh: `set -- "${POSITIONAL[@]}"` expands an empty array under `set -u` on bash 3.2 (the macOS system bash), aborting with "POSITIONAL[@]: unbound variable" instead of printing the usage message when invoked with no positional args. Guard the expansion with ${POSITIONAL[@]+"${POSITIONAL[@]}"} (no-op safe under bash 3.2 set -u). Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering> * fix: null-safe package.json access in getRepoChecks Review follow-up (CodeRabbit + cubic): switching to safeParseJson at line 389 means packageJson can be null on a missing/malformed package.json, but the quality-ci-validations check dereferenced packageJson.scripts before the optional chaining could help — throwing TypeError instead of degrading. Guard the base object with packageJson?.scripts?.test at the access site, matching the file's existing convention (e.g. line 220 uses packageJson?.name). Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering> --------- Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Happy <yesreply@happy.engineering>Chris Yau ·
2026-06-07 13:01:21 +08:00 -
feat: worktree-lifecycle service (deterministic conflict prediction + safe GC) (#2164)
* feat: add worktree-lifecycle service (ecc.worktree-lifecycle.v1) The "unowned moat" from the orchestrator landscape research: no existing tool ships deterministic merge-conflict prediction or a safe worktree GC. - scripts/lib/worktree-lifecycle/git.js: injectable, hermetic git layer. Predicts merge conflicts WITHOUT touching the working tree via `git merge-tree`. Strips inherited GIT_* env so it is safe inside hooks. - scripts/lib/worktree-lifecycle/lifecycle.js: deterministic state machine (main/dirty/conflict/merge-ready/merged/stale/idle) + planCleanup that buckets worktrees into remove / salvage / keep. Only fully-merged trees are auto-removable; stale (unmerged+inactive) => salvage, never deleted. - scripts/worktree-lifecycle.js: CLI (--json/--conflicts/--stale/ --cleanup-plan/--base/--stale-days/--repo). - tests/lib/worktree-lifecycle.test.js: 11 tests (fake-git + real-git). Safety model mirrors the reference-arch salvage rule, validated by the 2026-06-05 MacBook->Mac Mini consolidation. Tests: 11/0. * fix: hermetic git env in session adapters + mcp-inventory lint - session adapters (codex-worktree, opencode): resolveGitBranch stripped no git env, so the "outside a repo" path returned the host branch when run inside a git hook (GIT_DIR set). Strip GIT_* before rev-parse. - mcp-inventory: fix eslint no-unused-vars (signatures) and a stale eslint-disable directive in the merged code. * test: run each test with inherited git env stripped (hermetic runner) When the suite runs inside a git hook (pre-push), git sets GIT_DIR/ GIT_WORK_TREE, which hijack 'git -C <dir>' calls in tests that exercise real git, making them operate on the host repo. Strip GIT_* before spawning each test so the suite is isolated from ambient git state. --------- Co-authored-by: ECC Test <ecc@example.test>
Affaan Mustafa ·
2026-06-07 13:00:08 +08:00 -
feat: MCP inventory (ecc.mcp.v1) — unified cross-harness MCP config view (#2146)
* feat: add MCP inventory (ecc.mcp.v1) across harnesses Read-only MCP-gateway groundwork: discover MCP server configs across every installed harness, normalize to a canonical ecc.mcp.v1 inventory, redact secrets, and report which servers are configured in 2+ harnesses (the configure-N-times pain). The read+dedup side of a unified gateway, mirroring how the session-adapter layer started read-only. Readers (per-harness config formats): - claude-code: ~/.claude.json mcpServers + project .mcp.json - codex: ~/.codex/config.toml [mcp_servers.*] TOML via @iarna/toml - opencode: ~/.config/opencode/opencode.json mcp block (command ARRAY) canonical-mcp.js: - normalize transport labels (local=>stdio, remote=>http) to stdio/http/sse - merge servers by name across harnesses; flag DRIFT when signatures differ - fragmentation report + aggregates - SECRET REDACTION: env values stripped to key names; secrets in args (--modelApiKey sk-ant-...), inline --flag=secret, and URL userinfo/token query params all redacted before storage AND before the dedup signature. scripts/mcp-inventory.js: CLI (--json, --fragmented, --help). tests/lib/mcp-inventory.test.js: 12 tests incl. a regression for the real arg-carried-secret leak found while smoke-testing on live configs. Tests: 12/0. Real-data smoke: 33 servers across 3 harnesses, 21 configured in 2+ harnesses (7 drift); secret-leak audit clean. * test: cover reader error paths, collect skip-logic, and CLI main() for mcp-inventory Lift global branch coverage past the 80% gate (was 79.86%). Adds 6 tests exercising: missing-file/malformed-JSON/missing-block reader fallbacks, codex no-parser path, collect skipping non-function readers and swallowing reader errors, CLI usage()/main() help+json+human paths, and formatHumanReport no-fragmentation + fragmented-only branches. Also scrub a real API-key fragment that had leaked into a test fixture; all secret-like fixtures are now obviously-fake FAKE... tokens. mcp-inventory.js branch 30%->93%, collect.js ->100%. Global branch 80.33%.
Affaan Mustafa ·
2026-06-06 03:55:17 +08:00 -
feat: extend session-adapter layer with codex-worktree + opencode adapters (#2145)
* feat: add codex-worktree session adapter Adds the third session adapter (after dmux-tmux and claude-history), normalizing Codex rollout sessions into the harness-neutral ecc.session.v1 snapshot. Reads ~/.codex/sessions rollout JSONL, derives objective (skipping the AGENTS.md preamble + leading message UUID), model, originator, worktree cwd, and best-effort git branch. This is step 1 of ECC-2.0-SESSION-ADAPTER-DISCOVERY (move the abstraction beyond tmux + Claude-history) and supports the wrap/adapt control-pane strategy: ECC reads sessions from any harness rather than owning one UX. - scripts/lib/session-adapters/codex-worktree.js: adapter + rollout parser - canonical-session.js: normalizeCodexWorktreeSession - registry.js: register adapter, codex/codex-worktree target types - tests/lib/session-adapters-codex.test.js: 4 tests (unit + registry routing) * feat: add opencode session adapter + allow empty intent objective Adds the fourth session adapter (after dmux-tmux, claude-history, codex-worktree), normalizing OpenCode sessions into ecc.session.v1. Reads ~/.local/share/opencode/storage: session/<project>/ses_*.json for metadata (id, directory, title, version, projectID, time) and message/<session>/msg_*.json to extract the model (modelID/providerID from the first assistant message). Derives objective from the session title, treating the auto-generated "New session - <date>" title as no objective. Recency-based active/recorded state. Schema: relax intent.objective from non-empty to allow empty string (ensureStringAllowEmpty). Sessions legitimately have no objective yet (fresh/auto-titled), and claude-history already emitted "" via metadata.title fallback. This fixes a latent over-strict validation. - scripts/lib/session-adapters/opencode.js: adapter + storage parser - canonical-session.js: normalizeOpencodeSession + ensureStringAllowEmpty - registry.js: register adapter + opencode target type - tests/lib/session-adapters-opencode.test.js: 5 tests Tests: opencode 5/0, codex 4/0, session-adapters 14/0, control-pane-state 10/0, session-inspect 8/0, control-pane 12/0. Smoke-tested on a real OpenCode session (140 messages, gpt-5.3-codex). * test: cover error/fallback branches for codex-worktree + opencode adapters Lift global branch coverage past the 80% gate (was 79.53%). Adds error and fallback path tests: missing-session/unknown-id throws, findRolloutById/ findSessionInfoById, direct file targets, objective truncation, model fallbacks, corrupt-line skip, mtime activity fallback, and the real resolveGitBranch path outside a repo. codex-worktree.js branch 52.8%->78.3%; global branch 80.04%.
Affaan Mustafa ·
2026-06-06 03:55:00 +08:00 -
feat: add dynamic workflow team orchestration surface
Adds dynamic workflow/team orchestration skills, the content pack, and control-pane work-item/Kanban state DB support. Includes reviewer hardening for state-db CLI validation, optional state DB failure handling, and mergeStateStatus projection.
Affaan Mustafa ·
2026-06-04 21:45:13 +08:00 -
feat: add ECC2 local control pane (#2131)
* feat: add ECC2 local control pane * fix: refresh control pane package locks * test: harden control pane coverage * test: allow portable control pane shutdown * test: retry local control pane fetches * fix: harden control pane error handling * fix: wrap control pane metadata
Affaan Mustafa ·
2026-06-03 21:54:30 +08:00