- Add $schema to marketplace.json (matches official Anthropic format)
- Add strict: false to marketplace entry so marketplace is authority
- Remove component declarations (agents, skills) from plugin.json to
avoid "conflicting manifests" error — auto-discovery handles these
- Add version, author email to marketplace plugin entry
- Passes `claude plugin validate .` with no warnings
- plugin.json version 1.4.1 → 1.6.0 to match npm/repo
- Add chief-of-staff.md to agents array (merged in PR #280)
- Fix marketplace.json owner email to me@affaanmustafa.com
When installed as a plugin, /plan triggers Claude Code's built-in plan
mode instead of the plugin's plan skill. Updated all 4 README files
(EN, zh-CN, zh-TW, ja-JP) to show the plugin-namespaced form with a
comment noting the shorter form works for manual installs.
Also fixes markdownlint MD012 violation in chief-of-staff.md (trailing
double blank line from #280 merge).
Fixes#297
The inline JS in the Write PreToolUse hook had a multi-layer escaping
bug: the regex [\\/\\] collapsed to [\/\] after the validator's
unescape chain, producing an invalid regex (Unmatched ')').
Fix: move the doc-file-warning hook to scripts/hooks/pre-write-doc-warn.js,
eliminating the inline escaping problem entirely. All 992 tests now pass.
Closes the 991/992 CI failure on main.
New articles:
- the-security-guide.md: "The Shorthand Guide to Securing Your Agent" (595 lines)
Attack vectors, sandboxing, sanitization, OWASP Top 10, observability
- the-openclaw-guide.md: "The Hidden Danger of OpenClaw" (470 lines)
Security analysis of OpenClaw, MiniClaw thesis, industry evidence
External link sanitization (22 files across EN, zh-CN, zh-TW, ja-JP, .cursor):
- Removed third-party GitHub links from skills and guides
- Replaced with inline descriptions to prevent transitive prompt injection
- Kept official org links (Anthropic, Google, Supabase, Mixedbread)
- Swap loadHistory/appendTurn order to prevent user message appearing
twice in the prompt (once in history, once as USER MESSAGE)
- Calculate actual loaded skill count via fs.existsSync instead of
counting requested skill names (banner now reflects reality)
- Add err.stack to test harness error output for better debugging
- Add do-catch error handling to SwiftUI streaming example in
foundation-models-on-device
- Add Auto Layout constraints to UIKit glass effect example in
liquid-glass-design
- Promote build settings prerequisite from code comment to visible
blockquote warning in swift-concurrency-6-2
- Add required name/description properties and @Generable to RecipeSearchTool
- Fix missing argument label in session.respond(to:) call
- Remove non-existent .scrollExtensionMode API, replace with correct guidance
- Change PhotoProcessor from struct to class for cache mutation support
- Fix method name mismatch in @concurrent example caller
Add skill covering Swift 6.2 Approachable Concurrency model including
single-threaded defaults, @concurrent for explicit background offloading,
isolated conformances, and MainActor default inference mode.
Add skill covering Apple's FoundationModels framework for on-device
language model integration, including @Generable guided generation,
tool calling, and snapshot streaming patterns.
Add origin field to all skill files to track their source repository.
This enables users to identify where distributed skills originated from.
Fixesaffaan-m/everything-claude-code#246
This script scans the current working directory and generates architectural codemap documentation in the specified output directory. It classifies files into areas such as frontend, backend, database, integrations, and workers, and creates markdown files for each area along with an index.
Changes based on CodeRabbit review feedback:
1. Remove entire .cursor/ directory — it was an identical copy of the
main skills/commands/agents/rules, causing maintenance drift.
Users of Cursor can reference the canonical files directly.
2. Use explicit `is not None` checks instead of truthiness for
parsed['input'] and parsed['output']. Empty strings or empty
dicts are valid values that should be preserved.
The observe.sh script receives "pre" or "post" as $1 from the hook
config, but the Python code was looking for a "hook_type" field in
the stdin JSON. Claude Code does NOT include "hook_type" in the
JSON payload passed to hooks, so it always defaulted to "unknown",
causing all observations to be recorded as "tool_complete" —
PreToolUse events were never distinguished from PostToolUse.
Fix: capture $1 as HOOK_PHASE and pass it to Python via env var.
This also fixes TIMESTAMP export in the .cursor copy where inline
`VAR=val cmd` syntax didn't propagate to the python subprocess.
