ROOT CAUSE: hooks load plugin-hook-bootstrap.js via
`node -e "...; process.argv.splice(1,0,s); require(s)"`. On Node 21+,
require.main is `undefined` under --eval, so the `if (require.main === module)`
guard was false and main() never ran — every plugin hook silently no-op'd
(e.g. the MCP-health PreToolUse hook stopped blocking). CI (Node 18/20) hid
this; it only surfaces on Node 21+. Fix: also run main() when require.main is
undefined (the eval-bootstrap case), while staying dormant on real imports.
Also clears pre-existing main debt the full local suite enforces:
- catalog:sync — README/docs agent+skill counts drifted after recent merges
- tests/ci/supply-chain-watch-workflow: update checkout SHA to the merged v6.0.3 (#2183)
- markdownlint + check-unicode-safety --write across docs/skills
Suite: 2683/2683 green under Node v25; lint + unicode clean.
Co-authored-by: ECC Test <ecc@example.test>
Several published examples contained APIs that no longer exist, code that
does not run, or model versions that drifted from reality:
- agents/performance-optimizer.md used the web-vitals v3 API
(getCLS/getFID/getLCP/getFCP/getTTFB) and reported FID. web-vitals v4
renamed the imports to onCLS/onINP/onLCP/onFCP/onTTFB and FID was
replaced by INP (target < 200ms)
- rules/common/performance.md pinned stale model versions in the
model-selection guidance; refresh to the versions the repo itself uses
(agent.yaml pins claude-opus-4-6) and add the PowerShell variant for
MAX_THINKING_TOKENS next to the bash export
- skills/python-patterns/SKILL.md: both get_value examples referenced
default_value without declaring the parameter (NameError); add
default_value: Any = None to the EAFP and LBYL signatures
- skills/frontend-patterns/SKILL.md: the custom useQuery example rebuilt
refetch whenever callers passed inline fetchers/options, re-triggering
the effect after every state update (infinite fetch loop). Keep the
latest fetcher/options in refs so refetch stays referentially stable.
The PASS-labelled useMemo example mutated its input with in-place sort;
copy before sorting
- skills/coding-standards/SKILL.md repeated the same PASS-labelled
in-place-sort-in-useMemo example; same fix
- rules/typescript/security.md used a vendor-specific OPENAI_API_KEY in
generic guidance; switch to a neutral API_KEY
Every hand-maintained copy of the affected content is synced in the same
change: locale mirrors (ja-JP, ko-KR, pt-BR, tr, zh-CN, zh-TW - each only
where it carries the affected file) and the .agents/.kiro/.cursor harness
mirrors. Two structural divergences are left alone and noted here:
.kiro/steering/performance.md has no extended-thinking control list to
carry the PowerShell variant, and docs/zh-TW/rules/performance.md keeps an
older condensed thinking section without the budget-cap line.
rules/zh/performance.md is intentionally untouched - the rules/zh tree is
being retired in a separate change
Extends the hook command path correction from PR #1682 (English source) to
the zh-CN, zh-TW, and ja-JP translated mirrors so the PreToolUse hook
example matches the actual script location at
~/.claude/scripts/hooks/suggest-compact.js.
Changes per locale:
- docs/zh-CN/skills/strategic-compact/SKILL.md: update both command strings
from ~/.claude/skills/strategic-compact/suggest-compact.js to
~/.claude/scripts/hooks/suggest-compact.js.
- docs/zh-TW/skills/strategic-compact/SKILL.md: replace the outdated
suggest-compact.sh reference (the .sh variant was removed in merged PR
#41) with the current node-invoked suggest-compact.js, and align the
matcher block structure with the English canonical SKILL.md post-#1682.
- docs/ja-JP/skills/strategic-compact/SKILL.md: same .sh -> .js migration
and matcher alignment as zh-TW.
The ko-KR mirror already uses the correct CLAUDE_PLUGIN_ROOT-based hook
path and needs no change.
Refs #1675
Translate English prose inside plain text code blocks (```text, ```)
across ja-JP documentation to Japanese, following the same approach
as PR #753 (zh-CN translation).
Translated content includes:
- Output template labels and status messages
- Folder tree inline comments
- CLI workflow descriptions
- Error/warning message examples
- Commit message templates and PR title examples
Technical identifiers, file paths, and actual code remain untranslated.
New articles:
- the-security-guide.md: "The Shorthand Guide to Securing Your Agent" (595 lines)
Attack vectors, sandboxing, sanitization, OWASP Top 10, observability
- the-openclaw-guide.md: "The Hidden Danger of OpenClaw" (470 lines)
Security analysis of OpenClaw, MiniClaw thesis, industry evidence
External link sanitization (22 files across EN, zh-CN, zh-TW, ja-JP, .cursor):
- Removed third-party GitHub links from skills and guides
- Replaced with inline descriptions to prevent transitive prompt injection
- Kept official org links (Anthropic, Google, Supabase, Mixedbread)
