- Fix path traversal regex prefix confusion in perl-security skill
- Revert v1.4.0 changelog entry (Perl not part of that release)
- Rename $a/$b to $x/$y to avoid shadowing sort globals
- Replace return undef with bare return per perlcritic rules
Add rules/perl/ with 5 rule files (coding-style, testing, patterns,
hooks, security) following the same structure as existing languages.
Update README.md, README.zh-CN.md, and rules/README.md to document
Perl support including badges, directory trees, install instructions,
and rule counts.
Revised the documentation for the `/save-session` command to reflect the actual resolved path to the session file, enhancing clarity for users regarding where their session data is stored. This change aligns with previous updates to session file management.
Revised the documentation for both the and commands to clarify that session files are saved and loaded from the project-level directory, rather than the global directory. This change enhances user understanding of session management and ensures consistency in file path references.
Updated the documentation for the `/resume-session` command to specify that session files are loaded from the project-level `.claude/sessions/` directory first, with a fallback to the global `~/.claude/sessions/` directory. Enhanced usage examples and clarified the process for locating session files, improving user understanding of session management.
Updated the documentation for the `/save-session` command to include detailed rules for generating the session short-id, including allowed characters, minimum length, and examples of valid and invalid formats. This improves clarity and helps users adhere to the required naming conventions.
Updated the documentation for the `/resume-session` and `/save-session` commands to reflect the correct file paths, changing references from `.claude/sessions/` to `~/.claude/sessions/`. This ensures clarity on the global directory used for session management and maintains consistency across commands.
Introduced two new commands: `/resume-session` and `/save-session`. The `/resume-session` command allows users to load the most recent session file or a specific session file, providing a structured briefing of the session's context. The `/save-session` command captures the current session state, saving it to a dated file for future reference. Both commands enhance user experience by enabling seamless session continuity and context preservation.
The Explore agent is a "Fast agent" optimized for codebase exploration,
not deep reasoning. The skill-stocktake V4 design requires holistic AI
judgment (actionability, scope fit, uniqueness, currency) which needs
the full reasoning capability of the conversation's main model.
Additionally, the Agent tool has no `model` parameter — specifying
`model: opus` was silently ignored, causing the evaluation to run on
the lightweight Explore model. This resulted in all skills receiving
"Keep" verdicts without genuine critical analysis.
Changing to `general-purpose` agent ensures evaluation runs on the
conversation's main model (e.g., Opus 4.6), enabling the holistic
judgment that V4 was designed for.
Replace the 5-dimension numeric scoring rubric with a checklist + holistic
verdict system (Save / Improve then Save / Absorb into [X] / Drop).
Key improvements:
- Explicit pre-save checklist: grep skills/ for duplicates, check MEMORY.md,
consider appending to existing skills, confirm reusability
- 4-way verdict instead of binary save/don't-save: adds "Absorb into [X]"
to prevent skill file proliferation, and "Improve then Save" for iterative
refinement
- Verdict-specific confirmation flows tailored to each outcome
- Design rationale explaining why holistic judgment outperforms numeric
scoring with modern frontier models
- Pin installation to specific commit hash (full SHA) to mitigate
supply-chain risk (cubic-dev-ai feedback)
- Add "When to Use", "How It Works", "Examples" sections to match
repo skill format conventions (coderabbitai feedback)
- Add review-before-update instructions for safe version upgrades
- Emphasize zero-runtime-risk: pure Markdown, no executable code
Claude Code sends tool output as `tool_response` in PostToolUse hook
payloads, but observe.sh only checked for `tool_output` and `output`.
This caused all observations to have empty output fields, making the
observer pipeline blind to tool results.
Adds `tool_response` as the primary field to check, with backward-compatible
fallback to the existing `tool_output` and `output` fields.
Extract BIOME_CONFIGS and PRETTIER_CONFIGS as shared constants to eliminate
duplication between PROJECT_ROOT_MARKERS and detectFormatter(). Unify the
biome/prettier branches in resolveFormatterBin() via a FORMATTER_PACKAGES
map. Remove redundant path.resolve() in quality-gate.js.
Handle Windows .cmd shim resolution via spawnSync with strict path
validation. Removes shell:true injection risk, uses strict equality,
and restores .cmd support with path injection guard.
Invoke hook scripts directly via require() when they export a
run(rawInput) function, eliminating one Node.js process spawn per
hook invocation (~50-100ms).
Includes path traversal guard, timeouts, error logging, PR review
feedback, legacy hooks guard, normalized filePath, and restored
findProjectRoot config detection with package manager support.
- Add get_anomaly_attr() helper that handles both dict and object
anomalies. The SDK's send_message() returns dicts, so getattr()
was silently returning defaults -- critical blocking never triggered.
- Fix field name: "detail" -> "details" (matches SDK schema).
- Make fail-open/fail-closed configurable via INSAITS_FAIL_MODE env var
(defaults to "open" for backward compatibility).
- Include exception type name in fail-open log for diagnostics.
- Normalize severity comparison with .upper() for case-insensitive matching.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
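As an added illustration of the dict-versus-object bug described in the commit above (not code from the repository itself), the following Python shows why `getattr()` on a dict silently yields the default, and a shape-agnostic `get_anomaly_attr()` together with a case-insensitive severity check and an `INSAITS_FAIL_MODE` switch. Only `get_anomaly_attr`, `INSAITS_FAIL_MODE`, the `details` field and the exit-code-2 convention come from the commit messages; `AnomalyObject`, `SEVERITY_RANK`, `is_blocking`, `fail_mode`, `decide_exit` and the sample anomalies are assumptions constructed for this example.

```python
import os


# Constructed stand-in for the attribute-style shape; the SDK's
# send_message() actually returns plain dicts.
class AnomalyObject:
    def __init__(self, severity, details):
        self.severity = severity
        self.details = details


def get_anomaly_attr(anomaly, name, default=None):
    """Read a field from an anomaly whether it is a dict or an object.

    getattr() never sees dict keys, so reading a dict with getattr()
    silently returns the default for every real anomaly, which is how
    critical blocking ended up never firing.
    """
    if isinstance(anomaly, dict):
        return anomaly.get(name, default)
    return getattr(anomaly, name, default)


# Assumed severity ladder (not from the SDK schema).
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def is_blocking(anomaly, threshold="CRITICAL"):
    """Case-insensitive severity comparison against a blocking threshold."""
    severity = str(get_anomaly_attr(anomaly, "severity", "")).upper()
    return SEVERITY_RANK.get(severity, 0) >= SEVERITY_RANK[threshold.upper()]


def fail_mode(environ=None):
    """Return 'open' or 'closed' from INSAITS_FAIL_MODE; defaults to open."""
    environ = os.environ if environ is None else environ
    value = environ.get("INSAITS_FAIL_MODE", "open").strip().lower()
    return "closed" if value == "closed" else "open"


def decide_exit(anomalies, scan_error=None, environ=None):
    """Map scan results to a hook exit code: 0 allows, 2 blocks.

    When the SDK call raised, fail-open lets the tool call proceed and
    fail-closed blocks it; otherwise block on any blocking-severity anomaly.
    """
    if scan_error is not None:
        return 2 if fail_mode(environ) == "closed" else 0
    return 2 if any(is_blocking(a) for a in anomalies) else 0


# Constructed sample anomalies, one per shape.
SAMPLE_DICT = {"severity": "critical", "details": "credential-like string in tool input"}
SAMPLE_OBJ = AnomalyObject("High", "suspicious shell pattern")

if __name__ == "__main__":
    # The old getattr() path finds nothing on the dict; the helper does.
    print(getattr(SAMPLE_DICT, "severity", None))          # None
    print(get_anomaly_attr(SAMPLE_DICT, "severity"))       # critical
    print(decide_exit([SAMPLE_DICT]), decide_exit([SAMPLE_OBJ]))  # 2 0
```

The `decide_exit()` helper keeps the fail-open default the commit describes, so existing deployments behave as before unless `INSAITS_FAIL_MODE=closed` is set explicitly.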
cubic-dev-ai P2: dev_mode now defaults to "false" (strict mode).
Users opt in to dev mode by setting INSAITS_DEV_MODE=true.
cubic-dev-ai P2: Move null-status check above stdout/stderr writes
in wrapper so partial/corrupt output is never leaked. Pass through
original raw input on signal kill, matching the result.error path.
coderabbit major: Wrap insAItsMonitor() and send_message() in
try/except so SDK errors don't crash the hook. Logs warning and
exits 0 (fail-open) on exception.
coderabbit nitpick: write_audit now creates a new dict (enriched)
instead of mutating the caller's event dict.
coderabbit nitpick: Extract magic numbers to named constants:
MIN_CONTENT_LENGTH=10, MAX_SCAN_LENGTH=4000, DEFAULT_MODEL.
Also: added env var documentation to module docstring.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Defaults to true (no API key needed) but can be disabled by setting
INSAITS_DEV_MODE=false for production deployments with an API key.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
P1: Log non-ENOENT spawn errors (timeout, signal kill) to stderr
instead of silently exiting 0. Separate handling for result.error
and null result.status so users know when the security monitor
failed to run.
P1: Remove "async": true from hooks.json — async hooks run in the
background and cannot block tool execution. The security hook needs
to be synchronous so exit(2) actually prevents credential exposure
and other critical findings from proceeding.
P2: Remove dead tool_response/tool_result code from extract_content.
In a PreToolUse hook the tool hasn't executed yet, so tool_response
is never populated. Removed the variable and the unreachable branch
that appended its content.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>