Merge pull request #183 from moonlandar/feat/cpp-testing-skill

Feat/cpp testing skill

.github/workflows/security-scan.yml

@@ -0,0 +1,35 @@
+name: AgentShield Security Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+# Prevent duplicate runs
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+# Minimal permissions
+permissions:
+  contents: read
+
+jobs:
+  agentshield:
+    name: AgentShield Scan
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20.x'
+
+      - name: Run AgentShield security scan
+        run: npx ecc-agentshield scan --path . --min-severity medium --format terminal
+        continue-on-error: true  # Informational only — ECC contains intentional config examples

README.md

@@ -218,6 +218,7 @@ everything-claude-code/
 |   |-- verification-loop/          # Continuous verification (Longform Guide)
 |   |-- golang-patterns/            # Go idioms and best practices
 |   |-- golang-testing/             # Go testing patterns, TDD, benchmarks
+|   |-- cpp-testing/                # C++ testing with GoogleTest, CMake/CTest (NEW)
 |   |-- django-patterns/            # Django patterns, models, views (NEW)
 |   |-- django-security/            # Django security best practices (NEW)
 |   |-- django-tdd/                 # Django TDD workflow (NEW)
@@ -229,6 +230,7 @@ everything-claude-code/
 |   |-- springboot-tdd/             # Spring Boot TDD (NEW)
 |   |-- springboot-verification/    # Spring Boot verification (NEW)
 |   |-- configure-ecc/              # Interactive installation wizard (NEW)
+|   |-- security-scan/              # AgentShield security auditor integration (NEW)
 |
 |-- commands/         # Slash commands for quick execution
 |   |-- tdd.md              # /tdd - Test-driven development
@@ -345,6 +347,30 @@ Both options create:
 - **Instinct collections** - For continuous-learning-v2
 - **Pattern extraction** - Learns from your commit history
 
+### AgentShield — Security Auditor
+
+Scan your Claude Code configuration for vulnerabilities, misconfigurations, and injection risks.
+
+```bash
+# Quick scan (no install needed)
+npx ecc-agentshield scan
+
+# Auto-fix safe issues
+npx ecc-agentshield scan --fix
+
+# Deep analysis with Opus 4.6
+npx ecc-agentshield scan --opus --stream
+
+# Generate secure config from scratch
+npx ecc-agentshield init
+```
+
+Checks CLAUDE.md, settings.json, MCP servers, hooks, and agent definitions. Produces a security grade (A-F) with actionable findings.
+
+Use `/security-scan` in Claude Code to run it, or add to CI with the [GitHub Action](https://github.com/affaan-m/agentshield).
+
+[GitHub](https://github.com/affaan-m/agentshield) | [npm](https://www.npmjs.com/package/ecc-agentshield)
+
 ### 🧠 Continuous Learning v2
 
 The instinct-based learning system automatically learns your patterns:
@@ -749,6 +775,7 @@ These configs work for my workflow. You should:
 - **Longform Guide (Advanced):** [The Longform Guide to Everything Claude Code](https://x.com/affaanmustafa/status/2014040193557471352)
 - **Follow:** [@affaanmustafa](https://x.com/affaanmustafa)
 - **zenith.chat:** [zenith.chat](https://zenith.chat)
+- **Skills Directory:** [awesome-agent-skills](https://github.com/JackyST0/awesome-agent-skills)
 
 ---
 

README.zh-CN.md

@@ -171,6 +171,7 @@ everything-claude-code/
 |   |-- verification-loop/          # 持续验证（详细指南）
 |   |-- golang-patterns/            # Go 惯用语和最佳实践（新增）
 |   |-- golang-testing/             # Go 测试模式、TDD、基准测试（新增）
+|   |-- cpp-testing/                # C++ 测试模式、GoogleTest、CMake/CTest（新增）
 |
 |-- commands/         # 用于快速执行的斜杠命令
 |   |-- tdd.md              # /tdd - 测试驱动开发

commands/multi-execute.md

@@ -78,7 +78,7 @@ EOF",
 ```
 
 **Model Parameter Notes**:
-- `{{GEMINI_MODEL_FLAG}}`: When using `--backend gemini`, replace with `--gemini-model gemini-3-pro-preview ` (note trailing space); use empty string for codex
+- `{{GEMINI_MODEL_FLAG}}`: When using `--backend gemini`, replace with `--gemini-model gemini-3-pro-preview` (note trailing space); use empty string for codex
 
 **Role Prompts**:
 

commands/multi-plan.md

@@ -37,7 +37,7 @@ EOF",
 ```
 
 **Model Parameter Notes**:
-- `{{GEMINI_MODEL_FLAG}}`: When using `--backend gemini`, replace with `--gemini-model gemini-3-pro-preview ` (note trailing space); use empty string for codex
+- `{{GEMINI_MODEL_FLAG}}`: When using `--backend gemini`, replace with `--gemini-model gemini-3-pro-preview` (note trailing space); use empty string for codex
 
 **Role Prompts**:
 

commands/multi-workflow.md

@@ -66,7 +66,7 @@ EOF",
 ```
 
 **Model Parameter Notes**:
-- `{{GEMINI_MODEL_FLAG}}`: When using `--backend gemini`, replace with `--gemini-model gemini-3-pro-preview ` (note trailing space); use empty string for codex
+- `{{GEMINI_MODEL_FLAG}}`: When using `--backend gemini`, replace with `--gemini-model gemini-3-pro-preview` (note trailing space); use empty string for codex
 
 **Role Prompts**:
 

commands/pm2.md

@@ -107,68 +107,68 @@ proc.on('close', (code) => process.exit(code));
 ## Command File Templates (Minimal Content)
 
 ### pm2-all.md (Start all + monit)
-```markdown
+````markdown
 Start all services and open PM2 monitor.
-\`\`\`bash
+```bash
 cd "{PROJECT_ROOT}" && pm2 start ecosystem.config.cjs && start wt.exe -d "{PROJECT_ROOT}" pwsh -NoExit -c "pm2 monit"
-\`\`\`
 ```
+````
 
 ### pm2-all-stop.md
-```markdown
+````markdown
 Stop all services.
-\`\`\`bash
+```bash
 cd "{PROJECT_ROOT}" && pm2 stop all
-\`\`\`
 ```
+````
 
 ### pm2-all-restart.md
-```markdown
+````markdown
 Restart all services.
-\`\`\`bash
+```bash
 cd "{PROJECT_ROOT}" && pm2 restart all
-\`\`\`
 ```
+````
 
 ### pm2-{port}.md (Start single + logs)
-```markdown
+````markdown
 Start {name} ({port}) and open logs.
-\`\`\`bash
+```bash
 cd "{PROJECT_ROOT}" && pm2 start ecosystem.config.cjs --only {name} && start wt.exe -d "{PROJECT_ROOT}" pwsh -NoExit -c "pm2 logs {name}"
-\`\`\`
 ```
+````
 
 ### pm2-{port}-stop.md
-```markdown
+````markdown
 Stop {name} ({port}).
-\`\`\`bash
+```bash
 cd "{PROJECT_ROOT}" && pm2 stop {name}
-\`\`\`
 ```
+````
 
 ### pm2-{port}-restart.md
-```markdown
+````markdown
 Restart {name} ({port}).
-\`\`\`bash
+```bash
 cd "{PROJECT_ROOT}" && pm2 restart {name}
-\`\`\`
 ```
+````
 
 ### pm2-logs.md
-```markdown
+````markdown
 View all PM2 logs.
-\`\`\`bash
+```bash
 cd "{PROJECT_ROOT}" && pm2 logs
-\`\`\`
 ```
+````
 
 ### pm2-status.md
-```markdown
+````markdown
 View PM2 status.
-\`\`\`bash
+```bash
 cd "{PROJECT_ROOT}" && pm2 status
-\`\`\`
 ```
+````
 
 ### PowerShell Scripts (pm2-logs-{port}.ps1)
 ```powershell
@@ -213,7 +213,7 @@ Based on `$ARGUMENTS`, execute init:
 
 After generating files, append PM2 section to project's `CLAUDE.md` (create if not exists):
 
-```markdown
+````markdown
 ## PM2 Services
 
 | Port | Name | Type |
@@ -230,7 +230,7 @@ pm2 logs / pm2 status / pm2 monit
 pm2 save                         # Save process list
 pm2 resurrect                    # Restore saved list
 ```
-```
+````
 
 **Rules for CLAUDE.md update:**
 - If PM2 section exists, replace it
@@ -247,6 +247,7 @@ After all files generated, output:
 ## PM2 Init Complete
 
 **Services:**
+
 | Port | Name | Type |
 |------|------|------|
 | {port} | {name} | {type} |
@@ -254,10 +255,10 @@ After all files generated, output:
 **Claude Commands:** /pm2-all, /pm2-all-stop, /pm2-{port}, /pm2-{port}-stop, /pm2-logs, /pm2-status
 
 **Terminal Commands:**
-# First time (with config file)
+## First time (with config file)
 pm2 start ecosystem.config.cjs && pm2 save
 
-# After first time (simplified)
+## After first time (simplified)
 pm2 start all          # Start all
 pm2 stop all           # Stop all
 pm2 restart all        # Restart all

skills/cpp-testing/SKILL.md

@@ -0,0 +1,322 @@
+---
+name: cpp-testing
+description: Use only when writing/updating/fixing C++ tests, configuring GoogleTest/CTest, diagnosing failing or flaky tests, or adding coverage/sanitizers.
+---
+
+# C++ Testing (Agent Skill)
+
+Agent-focused testing workflow for modern C++ (C++17/20) using GoogleTest/GoogleMock with CMake/CTest.
+
+## When to Use
+
+- Writing new C++ tests or fixing existing tests
+- Designing unit/integration test coverage for C++ components
+- Adding test coverage, CI gating, or regression protection
+- Configuring CMake/CTest workflows for consistent execution
+- Investigating test failures or flaky behavior
+- Enabling sanitizers for memory/race diagnostics
+
+### When NOT to Use
+
+- Implementing new product features without test changes
+- Large-scale refactors unrelated to test coverage or failures
+- Performance tuning without test regressions to validate
+- Non-C++ projects or non-test tasks
+
+## Core Concepts
+
+- **TDD loop**: red → green → refactor (tests first, minimal fix, then cleanups).
+- **Isolation**: prefer dependency injection and fakes over global state.
+- **Test layout**: `tests/unit`, `tests/integration`, `tests/testdata`.
+- **Mocks vs fakes**: mock for interactions, fake for stateful behavior.
+- **CTest discovery**: use `gtest_discover_tests()` for stable test discovery.
+- **CI signal**: run subset first, then full suite with `--output-on-failure`.
+
+## TDD Workflow
+
+Follow the RED → GREEN → REFACTOR loop:
+
+1. **RED**: write a failing test that captures the new behavior
+2. **GREEN**: implement the smallest change to pass
+3. **REFACTOR**: clean up while tests stay green
+
+```cpp
+// tests/add_test.cpp
+#include <gtest/gtest.h>
+
+int Add(int a, int b); // Provided by production code.
+
+TEST(AddTest, AddsTwoNumbers) { // RED
+  EXPECT_EQ(Add(2, 3), 5);
+}
+
+// src/add.cpp
+int Add(int a, int b) { // GREEN
+  return a + b;
+}
+
+// REFACTOR: simplify/rename once tests pass
+```
+
+## Code Examples
+
+### Basic Unit Test (gtest)
+
+```cpp
+// tests/calculator_test.cpp
+#include <gtest/gtest.h>
+
+int Add(int a, int b); // Provided by production code.
+
+TEST(CalculatorTest, AddsTwoNumbers) {
+    EXPECT_EQ(Add(2, 3), 5);
+}
+```
+
+### Fixture (gtest)
+
+```cpp
+// tests/user_store_test.cpp
+// Pseudocode stub: replace UserStore/User with project types.
+#include <gtest/gtest.h>
+#include <memory>
+#include <optional>
+#include <string>
+
+struct User { std::string name; };
+class UserStore {
+public:
+    explicit UserStore(std::string /*path*/) {}
+    void Seed(std::initializer_list<User> /*users*/) {}
+    std::optional<User> Find(const std::string &/*name*/) { return User{"alice"}; }
+};
+
+class UserStoreTest : public ::testing::Test {
+protected:
+    void SetUp() override {
+        store = std::make_unique<UserStore>(":memory:");
+        store->Seed({{"alice"}, {"bob"}});
+    }
+
+    std::unique_ptr<UserStore> store;
+};
+
+TEST_F(UserStoreTest, FindsExistingUser) {
+    auto user = store->Find("alice");
+    ASSERT_TRUE(user.has_value());
+    EXPECT_EQ(user->name, "alice");
+}
+```
+
+### Mock (gmock)
+
+```cpp
+// tests/notifier_test.cpp
+#include <gmock/gmock.h>
+#include <gtest/gtest.h>
+#include <string>
+
+class Notifier {
+public:
+    virtual ~Notifier() = default;
+    virtual void Send(const std::string &message) = 0;
+};
+
+class MockNotifier : public Notifier {
+public:
+    MOCK_METHOD(void, Send, (const std::string &message), (override));
+};
+
+class Service {
+public:
+    explicit Service(Notifier &notifier) : notifier_(notifier) {}
+    void Publish(const std::string &message) { notifier_.Send(message); }
+
+private:
+    Notifier &notifier_;
+};
+
+TEST(ServiceTest, SendsNotifications) {
+    MockNotifier notifier;
+    Service service(notifier);
+
+    EXPECT_CALL(notifier, Send("hello")).Times(1);
+    service.Publish("hello");
+}
+```
+
+### CMake/CTest Quickstart
+
+```cmake
+# CMakeLists.txt (excerpt)
+cmake_minimum_required(VERSION 3.20)
+project(example LANGUAGES CXX)
+
+set(CMAKE_CXX_STANDARD 20)
+set(CMAKE_CXX_STANDARD_REQUIRED ON)
+
+include(FetchContent)
+# Prefer project-locked versions. If using a tag, use a pinned version per project policy.
+set(GTEST_VERSION v1.17.0) # Adjust to project policy.
+FetchContent_Declare(
+  googletest
+  URL https://github.com/google/googletest/archive/refs/tags/${GTEST_VERSION}.zip
+)
+FetchContent_MakeAvailable(googletest)
+
+add_executable(example_tests
+  tests/calculator_test.cpp
+  src/calculator.cpp
+)
+target_link_libraries(example_tests GTest::gtest GTest::gmock GTest::gtest_main)
+
+enable_testing()
+include(GoogleTest)
+gtest_discover_tests(example_tests)
+```
+
+```bash
+cmake -S . -B build -DCMAKE_BUILD_TYPE=Debug
+cmake --build build -j
+ctest --test-dir build --output-on-failure
+```
+
+## Running Tests
+
+```bash
+ctest --test-dir build --output-on-failure
+ctest --test-dir build -R ClampTest
+ctest --test-dir build -R "UserStoreTest.*" --output-on-failure
+```
+
+```bash
+./build/example_tests --gtest_filter=ClampTest.*
+./build/example_tests --gtest_filter=UserStoreTest.FindsExistingUser
+```
+
+## Debugging Failures
+
+1. Re-run the single failing test with gtest filter.
+2. Add scoped logging around the failing assertion.
+3. Re-run with sanitizers enabled.
+4. Expand to full suite once the root cause is fixed.
+
+## Coverage
+
+Prefer target-level settings instead of global flags.
+
+```cmake
+option(ENABLE_COVERAGE "Enable coverage flags" OFF)
+
+if(ENABLE_COVERAGE)
+  if(CMAKE_CXX_COMPILER_ID MATCHES "GNU")
+    target_compile_options(example_tests PRIVATE --coverage)
+    target_link_options(example_tests PRIVATE --coverage)
+  elseif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+    target_compile_options(example_tests PRIVATE -fprofile-instr-generate -fcoverage-mapping)
+    target_link_options(example_tests PRIVATE -fprofile-instr-generate)
+  endif()
+endif()
+```
+
+GCC + gcov + lcov:
+
+```bash
+cmake -S . -B build-cov -DENABLE_COVERAGE=ON
+cmake --build build-cov -j
+ctest --test-dir build-cov
+lcov --capture --directory build-cov --output-file coverage.info
+lcov --remove coverage.info '/usr/*' --output-file coverage.info
+genhtml coverage.info --output-directory coverage
+```
+
+Clang + llvm-cov:
+
+```bash
+cmake -S . -B build-llvm -DENABLE_COVERAGE=ON -DCMAKE_CXX_COMPILER=clang++
+cmake --build build-llvm -j
+LLVM_PROFILE_FILE="build-llvm/default.profraw" ctest --test-dir build-llvm
+llvm-profdata merge -sparse build-llvm/default.profraw -o build-llvm/default.profdata
+llvm-cov report build-llvm/example_tests -instr-profile=build-llvm/default.profdata
+```
+
+## Sanitizers
+
+```cmake
+option(ENABLE_ASAN "Enable AddressSanitizer" OFF)
+option(ENABLE_UBSAN "Enable UndefinedBehaviorSanitizer" OFF)
+option(ENABLE_TSAN "Enable ThreadSanitizer" OFF)
+
+if(ENABLE_ASAN)
+  add_compile_options(-fsanitize=address -fno-omit-frame-pointer)
+  add_link_options(-fsanitize=address)
+endif()
+if(ENABLE_UBSAN)
+  add_compile_options(-fsanitize=undefined -fno-omit-frame-pointer)
+  add_link_options(-fsanitize=undefined)
+endif()
+if(ENABLE_TSAN)
+  add_compile_options(-fsanitize=thread)
+  add_link_options(-fsanitize=thread)
+endif()
+```
+
+## Flaky Tests Guardrails
+
+- Never use `sleep` for synchronization; use condition variables or latches.
+- Make temp directories unique per test and always clean them.
+- Avoid real time, network, or filesystem dependencies in unit tests.
+- Use deterministic seeds for randomized inputs.
+
+## Best Practices
+
+### DO
+
+- Keep tests deterministic and isolated
+- Prefer dependency injection over globals
+- Use `ASSERT_*` for preconditions, `EXPECT_*` for multiple checks
+- Separate unit vs integration tests in CTest labels or directories
+- Run sanitizers in CI for memory and race detection
+
+### DON'T
+
+- Don't depend on real time or network in unit tests
+- Don't use sleeps as synchronization when a condition variable can be used
+- Don't over-mock simple value objects
+- Don't use brittle string matching for non-critical logs
+
+### Common Pitfalls
+
+- **Using fixed temp paths** → Generate unique temp directories per test and clean them.
+- **Relying on wall clock time** → Inject a clock or use fake time sources.
+- **Flaky concurrency tests** → Use condition variables/latches and bounded waits.
+- **Hidden global state** → Reset global state in fixtures or remove globals.
+- **Over-mocking** → Prefer fakes for stateful behavior and only mock interactions.
+- **Missing sanitizer runs** → Add ASan/UBSan/TSan builds in CI.
+- **Coverage on debug-only builds** → Ensure coverage targets use consistent flags.
+
+## Optional Appendix: Fuzzing / Property Testing
+
+Only use if the project already supports LLVM/libFuzzer or a property-testing library.
+
+- **libFuzzer**: best for pure functions with minimal I/O.
+- **RapidCheck**: property-based tests to validate invariants.
+
+Minimal libFuzzer harness (pseudocode: replace ParseConfig):
+
+```cpp
+#include <cstddef>
+#include <cstdint>
+#include <string>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    std::string input(reinterpret_cast<const char *>(data), size);
+    // ParseConfig(input); // project function
+    return 0;
+}
+```
+
+## Alternatives to GoogleTest
+
+- **Catch2**: header-only, expressive matchers
+- **doctest**: lightweight, minimal compile overhead

skills/nutrient-document-processing/SKILL.md

@@ -9,7 +9,7 @@ Process documents with the [Nutrient DWS Processor API](https://www.nutrient.io/
 
 ## Setup
 
-Get a free API key at **https://dashboard.nutrient.io/sign_up/?product=processor**
+Get a free API key at **[nutrient.io](https://dashboard.nutrient.io/sign_up/?product=processor)**
 
 ```bash
 export NUTRIENT_API_KEY="pdf_live_..."

skills/security-scan/SKILL.md

@@ -0,0 +1,164 @@
+---
+name: security-scan
+description: Scan your Claude Code configuration (.claude/ directory) for security vulnerabilities, misconfigurations, and injection risks using AgentShield. Checks CLAUDE.md, settings.json, MCP servers, hooks, and agent definitions.
+---
+
+# Security Scan Skill
+
+Audit your Claude Code configuration for security issues using [AgentShield](https://github.com/affaan-m/agentshield).
+
+## When to Activate
+
+- Setting up a new Claude Code project
+- After modifying `.claude/settings.json`, `CLAUDE.md`, or MCP configs
+- Before committing configuration changes
+- When onboarding to a new repository with existing Claude Code configs
+- Periodic security hygiene checks
+
+## What It Scans
+
+| File | Checks |
+|------|--------|
+| `CLAUDE.md` | Hardcoded secrets, auto-run instructions, prompt injection patterns |
+| `settings.json` | Overly permissive allow lists, missing deny lists, dangerous bypass flags |
+| `mcp.json` | Risky MCP servers, hardcoded env secrets, npx supply chain risks |
+| `hooks/` | Command injection via interpolation, data exfiltration, silent error suppression |
+| `agents/*.md` | Unrestricted tool access, prompt injection surface, missing model specs |
+
+## Prerequisites
+
+AgentShield must be installed. Check and install if needed:
+
+```bash
+# Check if installed
+npx ecc-agentshield --version
+
+# Install globally (recommended)
+npm install -g ecc-agentshield
+
+# Or run directly via npx (no install needed)
+npx ecc-agentshield scan .
+```
+
+## Usage
+
+### Basic Scan
+
+Run against the current project's `.claude/` directory:
+
+```bash
+# Scan current project
+npx ecc-agentshield scan
+
+# Scan a specific path
+npx ecc-agentshield scan --path /path/to/.claude
+
+# Scan with minimum severity filter
+npx ecc-agentshield scan --min-severity medium
+```
+
+### Output Formats
+
+```bash
+# Terminal output (default) — colored report with grade
+npx ecc-agentshield scan
+
+# JSON — for CI/CD integration
+npx ecc-agentshield scan --format json
+
+# Markdown — for documentation
+npx ecc-agentshield scan --format markdown
+
+# HTML — self-contained dark-theme report
+npx ecc-agentshield scan --format html > security-report.html
+```
+
+### Auto-Fix
+
+Apply safe fixes automatically (only fixes marked as auto-fixable):
+
+```bash
+npx ecc-agentshield scan --fix
+```
+
+This will:
+- Replace hardcoded secrets with environment variable references
+- Tighten wildcard permissions to scoped alternatives
+- Never modify manual-only suggestions
+
+### Opus 4.6 Deep Analysis
+
+Run the adversarial three-agent pipeline for deeper analysis:
+
+```bash
+# Requires ANTHROPIC_API_KEY
+export ANTHROPIC_API_KEY=your-key
+npx ecc-agentshield scan --opus --stream
+```
+
+This runs:
+1. **Attacker (Red Team)** — finds attack vectors
+2. **Defender (Blue Team)** — recommends hardening
+3. **Auditor (Final Verdict)** — synthesizes both perspectives
+
+### Initialize Secure Config
+
+Scaffold a new secure `.claude/` configuration from scratch:
+
+```bash
+npx ecc-agentshield init
+```
+
+Creates:
+- `settings.json` with scoped permissions and deny list
+- `CLAUDE.md` with security best practices
+- `mcp.json` placeholder
+
+### GitHub Action
+
+Add to your CI pipeline:
+
+```yaml
+- uses: affaan-m/agentshield@v1
+  with:
+    path: '.'
+    min-severity: 'medium'
+    fail-on-findings: true
+```
+
+## Severity Levels
+
+| Grade | Score | Meaning |
+|-------|-------|---------|
+| A | 90-100 | Secure configuration |
+| B | 75-89 | Minor issues |
+| C | 60-74 | Needs attention |
+| D | 40-59 | Significant risks |
+| F | 0-39 | Critical vulnerabilities |
+
+## Interpreting Results
+
+### Critical Findings (fix immediately)
+- Hardcoded API keys or tokens in config files
+- `Bash(*)` in the allow list (unrestricted shell access)
+- Command injection in hooks via `${file}` interpolation
+- Shell-running MCP servers
+
+### High Findings (fix before production)
+- Auto-run instructions in CLAUDE.md (prompt injection vector)
+- Missing deny lists in permissions
+- Agents with unnecessary Bash access
+
+### Medium Findings (recommended)
+- Silent error suppression in hooks (`2>/dev/null`, `|| true`)
+- Missing PreToolUse security hooks
+- `npx -y` auto-install in MCP server configs
+
+### Info Findings (awareness)
+- Missing descriptions on MCP servers
+- Prohibitive instructions correctly flagged as good practice
+
+## Links
+
+- **GitHub**: [github.com/affaan-m/agentshield](https://github.com/affaan-m/agentshield)
+- **npm**: [npmjs.com/package/ecc-agentshield](https://www.npmjs.com/package/ecc-agentshield)