New articles:
- the-security-guide.md: "The Shorthand Guide to Securing Your Agent" (595 lines)
Attack vectors, sandboxing, sanitization, OWASP Top 10, observability
- the-openclaw-guide.md: "The Hidden Danger of OpenClaw" (470 lines)
Security analysis of OpenClaw, MiniClaw thesis, industry evidence
External link sanitization (22 files across EN, zh-CN, zh-TW, ja-JP, .cursor):
- Removed third-party GitHub links from skills and guides
- Replaced with inline descriptions to prevent transitive prompt injection
- Kept official org links (Anthropic, Google, Supabase, Mixedbread)
- Add do-catch error handling to SwiftUI streaming example in
foundation-models-on-device
- Add Auto Layout constraints to UIKit glass effect example in
liquid-glass-design
- Promote build settings prerequisite from code comment to visible
blockquote warning in swift-concurrency-6-2
- Add required name/description properties and @Generable to RecipeSearchTool
- Fix missing argument label in session.respond(to:) call
- Remove non-existent .scrollExtensionMode API, replace with correct guidance
- Change PhotoProcessor from struct to class for cache mutation support
- Fix method name mismatch in @concurrent example caller
Add skill covering Swift 6.2 Approachable Concurrency model including
single-threaded defaults, @concurrent for explicit background offloading,
isolated conformances, and MainActor default inference mode.
Add skill covering Apple's FoundationModels framework for on-device
language model integration, including @Generable guided generation,
tool calling, and snapshot streaming patterns.
Add origin field to all skill files to track their source repository.
This enables users to identify where distributed skills originated from.
Fixes affaan-m/everything-claude-code#246
Changes based on CodeRabbit review feedback:
1. Remove entire .cursor/ directory — it was an identical copy of the
main skills/commands/agents/rules, causing maintenance drift.
Users of Cursor can reference the canonical files directly.
2. Use explicit `is not None` checks instead of truthiness for
parsed['input'] and parsed['output']. Empty strings or empty
dicts are valid values that should be preserved.
The observe.sh script receives "pre" or "post" as $1 from the hook
config, but the Python code was looking for a "hook_type" field in
the stdin JSON. Claude Code does NOT include "hook_type" in the
JSON payload passed to hooks, so it always defaulted to "unknown",
causing all observations to be recorded as "tool_complete" —
PreToolUse events were never distinguished from PostToolUse.
Fix: capture $1 as HOOK_PHASE and pass it to Python via env var.
This also fixes TIMESTAMP export in the .cursor copy where inline
`VAR=val cmd` syntax didn't propagate to the python subprocess.
Add automated visa document translation skill that:
- Supports multiple OCR methods (macOS Vision, EasyOCR, Tesseract)
- Translates documents to professional English
- Generates bilingual PDFs (original + translation)
- Handles various document types (bank statements, employment certificates, etc.)
- Perfect for visa applications to Australia, USA, Canada, UK, EU
Tested with retirement certificates and other official documents.
Fix ItemListView to accept viewModel via init with default parameter
so previews can inject mocks. Fix ExpensiveChartView Equatable to
compare full array instead of only count.
The inline environment variable syntax `TIMESTAMP="$timestamp" echo ...`
does not work correctly because:
1. The pipe creates a subshell that doesn't inherit the variable
2. The environment variable is set for echo, not for the piped python
Fixed by using `export` and separating the commands:
- export TIMESTAMP="$timestamp"
- echo "$INPUT_JSON" | python3 -c "..."
This ensures the TIMESTAMP variable is available to the python subprocess.
Fixes #227
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The observer agent creates instinct files as .md with YAML frontmatter,
but load_all_instincts() only globbed *.yaml and *.yml. Add *.md to the
glob so instinct-cli status discovers all instinct files.
- Load both .yaml and .yml files in load_all_instincts() (#216)
The *.yaml-only glob missed .yml files, causing 'No instincts found'
- Implement evolve --generate to create skill/command/agent files (#217)
Previously printed a stub message. Now generates SKILL.md, command .md,
and agent .md files from the clustering analysis into ~/.claude/homunculus/evolved/
Docker Compose for local dev, networking, volume strategies, container
security hardening, debugging commands, and anti-patterns.
Complements the existing deployment-patterns skill which covers CI/CD
and production Dockerfiles.
Closes #121
Integration tests were still passing CLAUDE_TRANSCRIPT_PATH as an env
var, but evaluate-session.js now reads transcript_path from stdin JSON.
Also improves strategic-compact skill with decision guide and survival table.
- Migrate session-end.js and evaluate-session.js from CLAUDE_TRANSCRIPT_PATH
env var to stdin JSON transcript_path (correct hook input mechanism)
- Remove duplicate main() calls that ran before stdin was read, causing
session files to be created with empty data
- Add range validation (1-10000) on COMPACT_THRESHOLD in suggest-compact.js
to prevent negative or absurdly large thresholds
- Add integration/hooks.test.js to tests/run-all.js so CI runs all 97 tests
- Update evaluate-session.sh to parse transcript_path from stdin JSON
- Update hooks.test.js to pass transcript_path via stdin instead of env var
- Sync .cursor/ copies
- New skills: api-design, database-migrations, deployment-patterns
- validate-hooks.js: validate inline JS syntax in node -e hook commands
- utils.test.js: edge case tests for findFiles with null/undefined inputs
- README: update skill count to 35, add new skills to directory tree