docs: record ECC Tools followup flood control

Record ECC-Tools PR #30 follow-up flood-control evidence in the ECC 2.0 GA roadmap.

.agents/plugins/marketplace.json

@@ -6,7 +6,7 @@
   "plugins": [
     {
       "name": "ecc",
-      "version": "1.10.0",
+      "version": "2.0.0-rc.1",
       "source": {
         "source": "local",
         "path": "../.."

.agents/skills/agent-introspection-debugging/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: agent-introspection-debugging
 description: Structured self-debugging workflow for AI agent failures using capture, diagnosis, contained recovery, and introspection reports.
-origin: ECC
 ---
 
 # Agent Introspection Debugging

.agents/skills/agent-introspection-debugging/agents/openai.yaml

@@ -0,0 +1,7 @@
+interface:
+  display_name: "Agent Introspection Debugging"
+  short_description: "Structured self-debugging for AI agent failures"
+  brand_color: "#0EA5E9"
+  default_prompt: "Use $agent-introspection-debugging to diagnose and recover from an AI agent failure."
+policy:
+  allow_implicit_invocation: true

.agents/skills/agent-sort/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: agent-sort
 description: Build an evidence-backed ECC install plan for a specific repo by sorting skills, commands, rules, hooks, and extras into DAILY vs LIBRARY buckets using parallel repo-aware review passes. Use when ECC should be trimmed to what a project actually needs instead of loading the full bundle.
-origin: ECC
 ---
 
 # Agent Sort

.agents/skills/agent-sort/agents/openai.yaml

@@ -0,0 +1,7 @@
+interface:
+  display_name: "Agent Sort"
+  short_description: "Evidence-backed ECC install planning"
+  brand_color: "#0EA5E9"
+  default_prompt: "Use $agent-sort to build an evidence-backed ECC install plan."
+policy:
+  allow_implicit_invocation: true

.agents/skills/api-design/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: api-design
 description: REST API design patterns including resource naming, status codes, pagination, filtering, error responses, versioning, and rate limiting for production APIs.
-origin: ECC
 ---
 
 # API Design Patterns

.agents/skills/api-design/agents/openai.yaml

@@ -2,6 +2,6 @@ interface:
   display_name: "API Design"
   short_description: "REST API design patterns and best practices"
   brand_color: "#F97316"
-  default_prompt: "Design REST API: resources, status codes, pagination"
+  default_prompt: "Use $api-design to design production REST API resources and responses."
 policy:
   allow_implicit_invocation: true

.agents/skills/article-writing/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: article-writing
 description: Write articles, guides, blog posts, tutorials, newsletter issues, and other long-form content in a distinctive voice derived from supplied examples or brand guidance. Use when the user wants polished written content longer than a paragraph, especially when voice consistency, structure, and credibility matter.
-origin: ECC
 ---
 
 # Article Writing

.agents/skills/article-writing/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "Article Writing"
-  short_description: "Write long-form content in a supplied voice without sounding templated"
+  short_description: "Long-form content in a supplied voice"
   brand_color: "#B45309"
-  default_prompt: "Draft a sharp long-form article from these notes and examples"
+  default_prompt: "Use $article-writing to draft polished long-form content in the supplied voice."
 policy:
   allow_implicit_invocation: true

.agents/skills/backend-patterns/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: backend-patterns
 description: Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
-origin: ECC
 ---
 
 # Backend Development Patterns

.agents/skills/backend-patterns/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "Backend Patterns"
-  short_description: "API design, database, and server-side patterns"
+  short_description: "API, database, and server-side patterns"
   brand_color: "#F59E0B"
-  default_prompt: "Apply backend patterns: API design, repository, caching"
+  default_prompt: "Use $backend-patterns to apply backend architecture and API patterns."
 policy:
   allow_implicit_invocation: true

.agents/skills/brand-voice/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: brand-voice
 description: Build a source-derived writing style profile from real posts, essays, launch notes, docs, or site copy, then reuse that profile across content, outreach, and social workflows. Use when the user wants voice consistency without generic AI writing tropes.
-origin: ECC
 ---
 
 # Brand Voice

.agents/skills/brand-voice/agents/openai.yaml

@@ -0,0 +1,7 @@
+interface:
+  display_name: "Brand Voice"
+  short_description: "Source-derived writing style profiles"
+  brand_color: "#0EA5E9"
+  default_prompt: "Use $brand-voice to derive and reuse a source-grounded writing style."
+policy:
+  allow_implicit_invocation: true

.agents/skills/bun-runtime/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: bun-runtime
 description: Bun as runtime, package manager, bundler, and test runner. When to choose Bun vs Node, migration notes, and Vercel support.
-origin: ECC
 ---
 
 # Bun Runtime

.agents/skills/bun-runtime/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "Bun Runtime"
-  short_description: "Bun as runtime, package manager, bundler, and test runner"
+  short_description: "Bun runtime, package manager, and test runner"
   brand_color: "#FBF0DF"
-  default_prompt: "Use Bun for scripts, install, or run"
+  default_prompt: "Use $bun-runtime to choose and apply Bun runtime workflows."
 policy:
   allow_implicit_invocation: true

.agents/skills/claude-api/SKILL.md

@@ -1,337 +0,0 @@
----
-name: claude-api
-description: Anthropic Claude API patterns for Python and TypeScript. Covers Messages API, streaming, tool use, vision, extended thinking, batches, prompt caching, and Claude Agent SDK. Use when building applications with the Claude API or Anthropic SDKs.
-origin: ECC
----
-
-# Claude API
-
-Build applications with the Anthropic Claude API and SDKs.
-
-## When to Activate
-
-- Building applications that call the Claude API
-- Code imports `anthropic` (Python) or `@anthropic-ai/sdk` (TypeScript)
-- User asks about Claude API patterns, tool use, streaming, or vision
-- Implementing agent workflows with Claude Agent SDK
-- Optimizing API costs, token usage, or latency
-
-## Model Selection
-
-| Model | ID | Best For |
-|-------|-----|----------|
-| Opus 4.6 | `claude-opus-4-6` | Complex reasoning, architecture, research |
-| Sonnet 4.6 | `claude-sonnet-4-6` | Balanced coding, most development tasks |
-| Haiku 4.5 | `claude-haiku-4-5-20251001` | Fast responses, high-volume, cost-sensitive |
-
-Default to Sonnet 4.6 unless the task requires deep reasoning (Opus) or speed/cost optimization (Haiku).
-
-## Python SDK
-
-### Installation
-
-```bash
-pip install anthropic
-```
-
-### Basic Message
-
-```python
-import anthropic
-
-client = anthropic.Anthropic()  # reads ANTHROPIC_API_KEY from env
-
-message = client.messages.create(
-    model="claude-sonnet-4-6",
-    max_tokens=1024,
-    messages=[
-        {"role": "user", "content": "Explain async/await in Python"}
-    ]
-)
-print(message.content[0].text)
-```
-
-### Streaming
-
-```python
-with client.messages.stream(
-    model="claude-sonnet-4-6",
-    max_tokens=1024,
-    messages=[{"role": "user", "content": "Write a haiku about coding"}]
-) as stream:
-    for text in stream.text_stream:
-        print(text, end="", flush=True)
-```
-
-### System Prompt
-
-```python
-message = client.messages.create(
-    model="claude-sonnet-4-6",
-    max_tokens=1024,
-    system="You are a senior Python developer. Be concise.",
-    messages=[{"role": "user", "content": "Review this function"}]
-)
-```
-
-## TypeScript SDK
-
-### Installation
-
-```bash
-npm install @anthropic-ai/sdk
-```
-
-### Basic Message
-
-```typescript
-import Anthropic from "@anthropic-ai/sdk";
-
-const client = new Anthropic(); // reads ANTHROPIC_API_KEY from env
-
-const message = await client.messages.create({
-  model: "claude-sonnet-4-6",
-  max_tokens: 1024,
-  messages: [
-    { role: "user", content: "Explain async/await in TypeScript" }
-  ],
-});
-console.log(message.content[0].text);
-```
-
-### Streaming
-
-```typescript
-const stream = client.messages.stream({
-  model: "claude-sonnet-4-6",
-  max_tokens: 1024,
-  messages: [{ role: "user", content: "Write a haiku" }],
-});
-
-for await (const event of stream) {
-  if (event.type === "content_block_delta" && event.delta.type === "text_delta") {
-    process.stdout.write(event.delta.text);
-  }
-}
-```
-
-## Tool Use
-
-Define tools and let Claude call them:
-
-```python
-tools = [
-    {
-        "name": "get_weather",
-        "description": "Get current weather for a location",
-        "input_schema": {
-            "type": "object",
-            "properties": {
-                "location": {"type": "string", "description": "City name"},
-                "unit": {"type": "string", "enum": ["celsius", "fahrenheit"]}
-            },
-            "required": ["location"]
-        }
-    }
-]
-
-message = client.messages.create(
-    model="claude-sonnet-4-6",
-    max_tokens=1024,
-    tools=tools,
-    messages=[{"role": "user", "content": "What's the weather in SF?"}]
-)
-
-# Handle tool use response
-for block in message.content:
-    if block.type == "tool_use":
-        # Execute the tool with block.input
-        result = get_weather(**block.input)
-        # Send result back
-        follow_up = client.messages.create(
-            model="claude-sonnet-4-6",
-            max_tokens=1024,
-            tools=tools,
-            messages=[
-                {"role": "user", "content": "What's the weather in SF?"},
-                {"role": "assistant", "content": message.content},
-                {"role": "user", "content": [
-                    {"type": "tool_result", "tool_use_id": block.id, "content": str(result)}
-                ]}
-            ]
-        )
-```
-
-## Vision
-
-Send images for analysis:
-
-```python
-import base64
-
-with open("diagram.png", "rb") as f:
-    image_data = base64.standard_b64encode(f.read()).decode("utf-8")
-
-message = client.messages.create(
-    model="claude-sonnet-4-6",
-    max_tokens=1024,
-    messages=[{
-        "role": "user",
-        "content": [
-            {"type": "image", "source": {"type": "base64", "media_type": "image/png", "data": image_data}},
-            {"type": "text", "text": "Describe this diagram"}
-        ]
-    }]
-)
-```
-
-## Extended Thinking
-
-For complex reasoning tasks:
-
-```python
-message = client.messages.create(
-    model="claude-sonnet-4-6",
-    max_tokens=16000,
-    thinking={
-        "type": "enabled",
-        "budget_tokens": 10000
-    },
-    messages=[{"role": "user", "content": "Solve this math problem step by step..."}]
-)
-
-for block in message.content:
-    if block.type == "thinking":
-        print(f"Thinking: {block.thinking}")
-    elif block.type == "text":
-        print(f"Answer: {block.text}")
-```
-
-## Prompt Caching
-
-Cache large system prompts or context to reduce costs:
-
-```python
-message = client.messages.create(
-    model="claude-sonnet-4-6",
-    max_tokens=1024,
-    system=[
-        {"type": "text", "text": large_system_prompt, "cache_control": {"type": "ephemeral"}}
-    ],
-    messages=[{"role": "user", "content": "Question about the cached context"}]
-)
-# Check cache usage
-print(f"Cache read: {message.usage.cache_read_input_tokens}")
-print(f"Cache creation: {message.usage.cache_creation_input_tokens}")
-```
-
-## Batches API
-
-Process large volumes asynchronously at 50% cost reduction:
-
-```python
-import time
-
-batch = client.messages.batches.create(
-    requests=[
-        {
-            "custom_id": f"request-{i}",
-            "params": {
-                "model": "claude-sonnet-4-6",
-                "max_tokens": 1024,
-                "messages": [{"role": "user", "content": prompt}]
-            }
-        }
-        for i, prompt in enumerate(prompts)
-    ]
-)
-
-# Poll for completion
-while True:
-    status = client.messages.batches.retrieve(batch.id)
-    if status.processing_status == "ended":
-        break
-    time.sleep(30)
-
-# Get results
-for result in client.messages.batches.results(batch.id):
-    print(result.result.message.content[0].text)
-```
-
-## Claude Agent SDK
-
-Build multi-step agents:
-
-```python
-# Note: Agent SDK API surface may change — check official docs
-import anthropic
-
-# Define tools as functions
-tools = [{
-    "name": "search_codebase",
-    "description": "Search the codebase for relevant code",
-    "input_schema": {
-        "type": "object",
-        "properties": {"query": {"type": "string"}},
-        "required": ["query"]
-    }
-}]
-
-# Run an agentic loop with tool use
-client = anthropic.Anthropic()
-messages = [{"role": "user", "content": "Review the auth module for security issues"}]
-
-while True:
-    response = client.messages.create(
-        model="claude-sonnet-4-6",
-        max_tokens=4096,
-        tools=tools,
-        messages=messages,
-    )
-    if response.stop_reason == "end_turn":
-        break
-    # Handle tool calls and continue the loop
-    messages.append({"role": "assistant", "content": response.content})
-    # ... execute tools and append tool_result messages
-```
-
-## Cost Optimization
-
-| Strategy | Savings | When to Use |
-|----------|---------|-------------|
-| Prompt caching | Up to 90% on cached tokens | Repeated system prompts or context |
-| Batches API | 50% | Non-time-sensitive bulk processing |
-| Haiku instead of Sonnet | ~75% | Simple tasks, classification, extraction |
-| Shorter max_tokens | Variable | When you know output will be short |
-| Streaming | None (same cost) | Better UX, same price |
-
-## Error Handling
-
-```python
-import time
-
-from anthropic import APIError, RateLimitError, APIConnectionError
-
-try:
-    message = client.messages.create(...)
-except RateLimitError:
-    # Back off and retry
-    time.sleep(60)
-except APIConnectionError:
-    # Network issue, retry with backoff
-    pass
-except APIError as e:
-    print(f"API error {e.status_code}: {e.message}")
-```
-
-## Environment Setup
-
-```bash
-# Required
-export ANTHROPIC_API_KEY="your-api-key-here"
-
-# Optional: set default model
-export ANTHROPIC_MODEL="claude-sonnet-4-6"
-```
-
-Never hardcode API keys. Always use environment variables.

.agents/skills/claude-api/agents/openai.yaml

@@ -1,7 +0,0 @@
-interface:
-  display_name: "Claude API"
-  short_description: "Anthropic Claude API patterns and SDKs"
-  brand_color: "#D97706"
-  default_prompt: "Build applications with the Claude API using Messages, tool use, streaming, and Agent SDK"
-policy:
-  allow_implicit_invocation: true

.agents/skills/coding-standards/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: coding-standards
 description: Baseline cross-project coding conventions for naming, readability, immutability, and code-quality review. Use detailed frontend or backend skills for framework-specific patterns.
-origin: ECC
 ---
 
 # Coding Standards & Best Practices

.agents/skills/coding-standards/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "Coding Standards"
-  short_description: "Universal coding standards and best practices"
+  short_description: "Cross-project coding conventions and review"
   brand_color: "#3B82F6"
-  default_prompt: "Apply standards: immutability, error handling, type safety"
+  default_prompt: "Use $coding-standards to review code against cross-project standards."
 policy:
   allow_implicit_invocation: true

.agents/skills/content-engine/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: content-engine
 description: Create platform-native content systems for X, LinkedIn, TikTok, YouTube, newsletters, and repurposed multi-platform campaigns. Use when the user wants social posts, threads, scripts, content calendars, or one source asset adapted cleanly across platforms.
-origin: ECC
 ---
 
 # Content Engine

.agents/skills/content-engine/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "Content Engine"
-  short_description: "Turn one idea into platform-native social and content outputs"
+  short_description: "Platform-native content systems and campaigns"
   brand_color: "#DC2626"
-  default_prompt: "Turn this source asset into strong multi-platform content"
+  default_prompt: "Use $content-engine to turn source material into platform-native content."
 policy:
   allow_implicit_invocation: true

.agents/skills/crosspost/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: crosspost
 description: Multi-platform content distribution across X, LinkedIn, Threads, and Bluesky. Adapts content per platform using content-engine patterns. Never posts identical content cross-platform. Use when the user wants to distribute content across social platforms.
-origin: ECC
 ---
 
 # Crosspost

.agents/skills/crosspost/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "Crosspost"
-  short_description: "Multi-platform content distribution with native adaptation"
+  short_description: "Multi-platform social distribution"
   brand_color: "#EC4899"
-  default_prompt: "Distribute content across X, LinkedIn, Threads, and Bluesky with platform-native adaptation"
+  default_prompt: "Use $crosspost to adapt content for multiple social platforms."
 policy:
   allow_implicit_invocation: true

.agents/skills/deep-research/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: deep-research
 description: Multi-source deep research using firecrawl and exa MCPs. Searches the web, synthesizes findings, and delivers cited reports with source attribution. Use when the user wants thorough research on any topic with evidence and citations.
-origin: ECC
 ---
 
 # Deep Research

.agents/skills/deep-research/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "Deep Research"
-  short_description: "Multi-source deep research with firecrawl and exa MCPs"
+  short_description: "Multi-source cited research reports"
   brand_color: "#6366F1"
-  default_prompt: "Research the given topic using firecrawl and exa, produce a cited report"
+  default_prompt: "Use $deep-research to produce a cited multi-source research report."
 policy:
   allow_implicit_invocation: true

.agents/skills/dmux-workflows/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: dmux-workflows
 description: Multi-agent orchestration using dmux (tmux pane manager for AI agents). Patterns for parallel agent workflows across Claude Code, Codex, OpenCode, and other harnesses. Use when running multiple agent sessions in parallel or coordinating multi-agent development workflows.
-origin: ECC
 ---
 
 # dmux Workflows

.agents/skills/dmux-workflows/agents/openai.yaml

@@ -2,6 +2,6 @@ interface:
   display_name: "dmux Workflows"
   short_description: "Multi-agent orchestration with dmux"
   brand_color: "#14B8A6"
-  default_prompt: "Orchestrate parallel agent sessions using dmux pane manager"
+  default_prompt: "Use $dmux-workflows to orchestrate parallel agent sessions with dmux."
 policy:
   allow_implicit_invocation: true

.agents/skills/documentation-lookup/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: documentation-lookup
 description: Use up-to-date library and framework docs via Context7 MCP instead of training data. Activates for setup questions, API references, code examples, or when the user names a framework (e.g. React, Next.js, Prisma).
-origin: ECC
 ---
 
 # Documentation Lookup (Context7)

.agents/skills/documentation-lookup/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "Documentation Lookup"
-  short_description: "Fetch up-to-date library docs via Context7 MCP"
+  short_description: "Current library docs via Context7"
   brand_color: "#6366F1"
-  default_prompt: "Look up docs for a library or API"
+  default_prompt: "Use $documentation-lookup to fetch current library documentation via Context7."
 policy:
   allow_implicit_invocation: true

.agents/skills/e2e-testing/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: e2e-testing
 description: Playwright E2E testing patterns, Page Object Model, configuration, CI/CD integration, artifact management, and flaky test strategies.
-origin: ECC
 ---
 
 # E2E Testing Patterns

.agents/skills/e2e-testing/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "E2E Testing"
-  short_description: "Playwright end-to-end testing"
+  short_description: "Playwright E2E testing patterns"
   brand_color: "#06B6D4"
-  default_prompt: "Generate Playwright E2E tests with Page Object Model"
+  default_prompt: "Use $e2e-testing to design Playwright end-to-end test coverage."
 policy:
   allow_implicit_invocation: true

.agents/skills/eval-harness/SKILL.md

@@ -1,8 +1,7 @@
 ---
 name: eval-harness
 description: Formal evaluation framework for Claude Code sessions implementing eval-driven development (EDD) principles
-origin: ECC
-tools: Read, Write, Edit, Bash, Grep, Glob
+allowed-tools: Read, Write, Edit, Bash, Grep, Glob
 ---
 
 # Eval Harness Skill

.agents/skills/eval-harness/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "Eval Harness"
-  short_description: "Eval-driven development with pass/fail criteria"
+  short_description: "Eval-driven development harnesses"
   brand_color: "#EC4899"
-  default_prompt: "Set up eval-driven development with pass/fail criteria"
+  default_prompt: "Use $eval-harness to define eval-driven development checks."
 policy:
   allow_implicit_invocation: true

.agents/skills/everything-claude-code/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: everything-claude-code-conventions
+name: everything-claude-code
 description: Development conventions and patterns for everything-claude-code. JavaScript project with conventional commits.
 ---
 

.agents/skills/everything-claude-code/agents/openai.yaml

@@ -1,6 +1,7 @@
 interface:
   display_name: "Everything Claude Code"
-  short_description: "Repo-specific patterns and workflows for everything-claude-code"
-  default_prompt: "Use the everything-claude-code repo skill to follow existing architecture, testing, and workflow conventions."
+  short_description: "Repo workflows for everything-claude-code"
+  brand_color: "#0EA5E9"
+  default_prompt: "Use $everything-claude-code to follow this repository's conventions and workflows."
 policy:
-  allow_implicit_invocation: true
+  allow_implicit_invocation: true

.agents/skills/exa-search/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: exa-search
 description: Neural search via Exa MCP for web, code, and company research. Use when the user needs web search, code examples, company intel, people lookup, or AI-powered deep research with Exa's neural search engine.
-origin: ECC
 ---
 
 # Exa Search

.agents/skills/exa-search/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "Exa Search"
-  short_description: "Neural search via Exa MCP for web, code, and companies"
+  short_description: "Neural search via Exa MCP"
   brand_color: "#8B5CF6"
-  default_prompt: "Search using Exa MCP tools for web content, code, or company research"
+  default_prompt: "Use $exa-search to search web, code, or company data through Exa."
 policy:
   allow_implicit_invocation: true

.agents/skills/fal-ai-media/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: fal-ai-media
 description: Unified media generation via fal.ai MCP — image, video, and audio. Covers text-to-image (Nano Banana), text/image-to-video (Seedance, Kling, Veo 3), text-to-speech (CSM-1B), and video-to-audio (ThinkSound). Use when the user wants to generate images, videos, or audio with AI.
-origin: ECC
 ---
 
 # fal.ai Media Generation

.agents/skills/fal-ai-media/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "fal.ai Media"
-  short_description: "AI image, video, and audio generation via fal.ai"
+  short_description: "AI media generation via fal.ai"
   brand_color: "#F43F5E"
-  default_prompt: "Generate images, videos, or audio using fal.ai models"
+  default_prompt: "Use $fal-ai-media to generate image, video, or audio assets with fal.ai."
 policy:
   allow_implicit_invocation: true

.agents/skills/frontend-design/SKILL.md

@@ -1,145 +0,0 @@
----
-name: frontend-design
-description: Create distinctive, production-grade frontend interfaces with high design quality. Use when the user asks to build web components, pages, or applications and the visual direction matters as much as the code quality.
-origin: ECC
----
-
-# Frontend Design
-
-Use this when the task is not just "make it work" but "make it look designed."
-
-This skill is for product pages, dashboards, app shells, components, or visual systems that need a clear point of view instead of generic AI-looking UI.
-
-## When To Use
-
-- building a landing page, dashboard, or app surface from scratch
-- upgrading a bland interface into something intentional and memorable
-- translating a product concept into a concrete visual direction
-- implementing a frontend where typography, composition, and motion matter
-
-## Core Principle
-
-Pick a direction and commit to it.
-
-Safe-average UI is usually worse than a strong, coherent aesthetic with a few bold choices.
-
-## Design Workflow
-
-### 1. Frame the interface first
-
-Before coding, settle:
-
-- purpose
-- audience
-- emotional tone
-- visual direction
-- one thing the user should remember
-
-Possible directions:
-
-- brutally minimal
-- editorial
-- industrial
-- luxury
-- playful
-- geometric
-- retro-futurist
-- soft and organic
-- maximalist
-
-Do not mix directions casually. Choose one and execute it cleanly.
-
-### 2. Build the visual system
-
-Define:
-
-- type hierarchy
-- color variables
-- spacing rhythm
-- layout logic
-- motion rules
-- surface / border / shadow treatment
-
-Use CSS variables or the project's token system so the interface stays coherent as it grows.
-
-### 3. Compose with intention
-
-Prefer:
-
-- asymmetry when it sharpens hierarchy
-- overlap when it creates depth
-- strong whitespace when it clarifies focus
-- dense layouts only when the product benefits from density
-
-Avoid defaulting to a symmetrical card grid unless it is clearly the right fit.
-
-### 4. Make motion meaningful
-
-Use animation to:
-
-- reveal hierarchy
-- stage information
-- reinforce user action
-- create one or two memorable moments
-
-Do not scatter generic micro-interactions everywhere. One well-directed load sequence is usually stronger than twenty random hover effects.
-
-## Strong Defaults
-
-### Typography
-
-- pick fonts with character
-- pair a distinctive display face with a readable body face when appropriate
-- avoid generic defaults when the page is design-led
-
-### Color
-
-- commit to a clear palette
-- one dominant field with selective accents usually works better than evenly weighted rainbow palettes
-- avoid cliché purple-gradient-on-white unless the product genuinely calls for it
-
-### Background
-
-Use atmosphere:
-
-- gradients
-- meshes
-- textures
-- subtle noise
-- patterns
-- layered transparency
-
-Flat empty backgrounds are rarely the best answer for a product-facing page.
-
-### Layout
-
-- break the grid when the composition benefits from it
-- use diagonals, offsets, and grouping intentionally
-- keep reading flow obvious even when the layout is unconventional
-
-## Anti-Patterns
-
-Never default to:
-
-- interchangeable SaaS hero sections
-- generic card piles with no hierarchy
-- random accent colors without a system
-- placeholder-feeling typography
-- motion that exists only because animation was easy to add
-
-## Execution Rules
-
-- preserve the established design system when working inside an existing product
-- match technical complexity to the visual idea
-- keep accessibility and responsiveness intact
-- frontends should feel deliberate on desktop and mobile
-
-## Quality Gate
-
-Before delivering:
-
-- the interface has a clear visual point of view
-- typography and spacing feel intentional
-- color and motion support the product instead of decorating it randomly
-- the result does not read like generic AI UI
-- the implementation is production-grade, not just visually interesting

.agents/skills/frontend-patterns/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: frontend-patterns
 description: Frontend development patterns for React, Next.js, state management, performance optimization, and UI best practices.
-origin: ECC
 ---
 
 # Frontend Development Patterns
@@ -18,6 +17,12 @@ Modern frontend patterns for React, Next.js, and performant user interfaces.
 - Handling client-side routing and navigation
 - Building accessible, responsive UI patterns
 
+## Privacy and Data Boundaries
+
+Frontend examples should use synthetic or domain-generic data. Do not collect, log, persist, or display credentials, access tokens, SSNs, health data, payment details, private emails, phone numbers, or other sensitive personal data unless the user explicitly requests a scoped implementation with appropriate validation, redaction, and access controls.
+
+Avoid adding analytics, tracking pixels, third-party scripts, or external data sinks without explicit approval. When handling user data, prefer least-privilege APIs, client-side redaction before logging, and server-side validation for every boundary.
+
 ## Component Patterns
 
 ### Composition Over Inheritance

.agents/skills/frontend-patterns/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "Frontend Patterns"
-  short_description: "React and Next.js patterns and best practices"
+  short_description: "React and Next.js frontend patterns"
   brand_color: "#8B5CF6"
-  default_prompt: "Apply React/Next.js patterns and best practices"
+  default_prompt: "Use $frontend-patterns to apply React and Next.js frontend patterns."
 policy:
   allow_implicit_invocation: true

.agents/skills/frontend-slides/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: frontend-slides
 description: Create stunning, animation-rich HTML presentations from scratch or by converting PowerPoint files. Use when the user wants to build a presentation, convert a PPT/PPTX to web, or create slides for a talk/pitch. Helps non-designers discover their aesthetic through visual exploration rather than abstract choices.
-origin: ECC
 ---
 
 # Frontend Slides

.agents/skills/frontend-slides/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "Frontend Slides"
-  short_description: "Create distinctive HTML slide decks and convert PPTX to web"
+  short_description: "Animation-rich HTML presentation decks"
   brand_color: "#FF6B3D"
-  default_prompt: "Create a viewport-safe HTML presentation with strong visual direction"
+  default_prompt: "Use $frontend-slides to create an animation-rich HTML presentation deck."
 policy:
   allow_implicit_invocation: true

.agents/skills/investor-materials/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: investor-materials
 description: Create and update pitch decks, one-pagers, investor memos, accelerator applications, financial models, and fundraising materials. Use when the user needs investor-facing documents, projections, use-of-funds tables, milestone plans, or materials that must stay internally consistent across multiple fundraising assets.
-origin: ECC
 ---
 
 # Investor Materials

.agents/skills/investor-materials/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "Investor Materials"
-  short_description: "Create decks, memos, and financial materials from one source of truth"
+  short_description: "Investor decks, memos, and financial materials"
   brand_color: "#7C3AED"
-  default_prompt: "Draft investor materials that stay numerically consistent across assets"
+  default_prompt: "Use $investor-materials to draft consistent investor-facing fundraising assets."
 policy:
   allow_implicit_invocation: true

.agents/skills/investor-outreach/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: investor-outreach
 description: Draft cold emails, warm intro blurbs, follow-ups, update emails, and investor communications for fundraising. Use when the user wants outreach to angels, VCs, strategic investors, or accelerators and needs concise, personalized, investor-facing messaging.
-origin: ECC
 ---
 
 # Investor Outreach

.agents/skills/investor-outreach/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "Investor Outreach"
-  short_description: "Write concise, personalized outreach and follow-ups for fundraising"
+  short_description: "Personalized investor outreach and follow-ups"
   brand_color: "#059669"
-  default_prompt: "Draft a personalized investor outreach email with a clear low-friction ask"
+  default_prompt: "Use $investor-outreach to write concise personalized investor outreach."
 policy:
   allow_implicit_invocation: true

.agents/skills/market-research/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: market-research
 description: Conduct market research, competitive analysis, investor due diligence, and industry intelligence with source attribution and decision-oriented summaries. Use when the user wants market sizing, competitor comparisons, fund research, technology scans, or research that informs business decisions.
-origin: ECC
 ---
 
 # Market Research

.agents/skills/market-research/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "Market Research"
-  short_description: "Source-attributed market, competitor, and investor research"
+  short_description: "Source-attributed market research"
   brand_color: "#2563EB"
-  default_prompt: "Research this market and summarize the decision-relevant findings"
+  default_prompt: "Use $market-research to research markets with source-attributed findings."
 policy:
   allow_implicit_invocation: true

.agents/skills/mcp-server-patterns/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: mcp-server-patterns
 description: Build MCP servers with Node/TypeScript SDK — tools, resources, prompts, Zod validation, stdio vs Streamable HTTP. Use Context7 or official MCP docs for latest API.
-origin: ECC
 ---
 
 # MCP Server Patterns

.agents/skills/mcp-server-patterns/agents/openai.yaml

@@ -0,0 +1,7 @@
+interface:
+  display_name: "MCP Server Patterns"
+  short_description: "MCP server tools, resources, and prompts"
+  brand_color: "#0EA5E9"
+  default_prompt: "Use $mcp-server-patterns to build MCP tools, resources, and prompts."
+policy:
+  allow_implicit_invocation: true

.agents/skills/mle-workflow/SKILL.md

@@ -0,0 +1,346 @@
+---
+name: mle-workflow
+description: Production machine-learning engineering workflow for data contracts, reproducible training, model evaluation, deployment, monitoring, and rollback. Use when building, reviewing, or hardening ML systems beyond one-off notebooks.
+allowed-tools: Read, Write, Edit, Bash, Grep, Glob
+---
+
+# Machine Learning Engineering Workflow
+
+Use this skill to turn model work into a production ML system with clear data contracts, repeatable training, measurable quality gates, deployable artifacts, and operational monitoring.
+
+## When to Activate
+
+- Planning or reviewing a production ML feature, model refresh, ranking system, recommender, classifier, embedding workflow, or forecasting pipeline
+- Converting notebook code into a reusable training, evaluation, batch inference, or online inference pipeline
+- Designing model promotion criteria, offline/online evals, experiment tracking, or rollback paths
+- Debugging failures caused by data drift, label leakage, stale features, artifact mismatch, or inconsistent training and serving logic
+- Adding model monitoring, canary rollout, shadow traffic, or post-deploy quality checks
+
+## Scope Calibration
+
+Use only the lanes that fit the system in front of you. This skill is useful for ranking, search, recommendations, classifiers, forecasting, embeddings, LLM workflows, anomaly detection, and batch analytics, but it should not force one architecture onto all of them.
+
+- Do not assume every model has supervised labels, online serving, a feature store, PyTorch, GPUs, human review, A/B tests, or real-time feedback.
+- Do not add heavyweight MLOps machinery when a data contract, baseline, eval script, and rollback note would make the change reviewable.
+- Do make assumptions explicit when the project lacks labels, delayed outcomes, slice definitions, production traffic, or monitoring ownership.
+- Treat examples as interchangeable scaffolds. Replace metrics, serving mode, data stores, and rollout mechanics with the project-native equivalents.
+
+## Related Skills
+
+- `python-patterns` and `python-testing` for Python implementation and pytest coverage
+- `pytorch-patterns` for deep learning models, data loaders, device handling, and training loops
+- `eval-harness` and `ai-regression-testing` for promotion gates and agent-assisted regression checks
+- `database-migrations`, `postgres-patterns`, and `clickhouse-io` for data storage and analytics surfaces
+- `deployment-patterns`, `docker-patterns`, and `security-review` for serving, secrets, containers, and production hardening
+
+## Reuse the SWE Surface
+
+Do not treat MLE as separate from software engineering. Most ECC SWE workflows apply directly to ML systems, often with stricter failure modes:
+
+The recommended `minimal --with capability:machine-learning` install keeps the core agent surface available alongside this skill. For skill-only or agent-limited harnesses, pair `skill:mle-workflow` with `agent:mle-reviewer` where the target supports agents.
+
+| SWE surface | MLE use |
+|-------------|---------|
+| `product-capability` / `architecture-decision-records` | Turn model work into explicit product contracts and record irreversible data, model, and rollout choices |
+| `repo-scan` / `codebase-onboarding` / `code-tour` | Find existing training, feature, serving, eval, and monitoring paths before introducing a parallel ML stack |
+| `plan` / `feature-dev` | Scope model changes as product capabilities with data, eval, serving, and rollback phases |
+| `tdd-workflow` / `python-testing` | Test feature transforms, split logic, metric calculations, artifact loading, and inference schemas before implementation |
+| `code-reviewer` / `mle-reviewer` | Review code quality plus ML-specific leakage, reproducibility, promotion, and monitoring risks |
+| `build-fix` / `pr-test-analyzer` | Diagnose broken CI, flaky evals, missing fixtures, and environment-specific model or dependency failures |
+| `quality-gate` / `test-coverage` | Require automated evidence for transforms, metrics, inference contracts, promotion gates, and rollback behavior |
+| `eval-harness` / `verification-loop` | Turn offline metrics, slice checks, latency budgets, and rollback drills into repeatable gates |
+| `ai-regression-testing` | Preserve every production bug as a regression: missing feature, stale label, bad artifact, schema drift, or serving mismatch |
+| `api-design` / `backend-patterns` | Design prediction APIs, batch jobs, idempotent retraining endpoints, and response envelopes |
+| `database-migrations` / `postgres-patterns` / `clickhouse-io` | Version labels, feature snapshots, prediction logs, experiment metrics, and drift analytics |
+| `deployment-patterns` / `docker-patterns` | Package reproducible training and serving images with health checks, resource limits, and rollback |
+| `canary-watch` / `dashboard-builder` | Make rollout health visible with model-version, slice, drift, latency, cost, and delayed-label dashboards |
+| `security-review` / `security-scan` | Check model artifacts, notebooks, prompts, datasets, and logs for secrets, PII, unsafe deserialization, and supply-chain risk |
+| `e2e-testing` / `browser-qa` / `accessibility` | Test critical product flows that consume predictions, including explainability and fallback UI states |
+| `benchmark` / `performance-optimizer` | Measure throughput, p95 latency, memory, GPU utilization, and cost per prediction or retrain |
+| `cost-aware-llm-pipeline` / `token-budget-advisor` | Route LLM/embedding workloads by quality, latency, and budget instead of defaulting to the largest model |
+| `documentation-lookup` / `search-first` | Verify current library behavior for model serving, feature stores, vector DBs, and eval tooling before coding |
+| `git-workflow` / `github-ops` / `opensource-pipeline` | Package MLE changes for review with crisp scope, generated artifacts excluded, and reproducible test evidence |
+| `strategic-compact` / `dmux-workflows` | Split long ML work into parallel tracks: data contract, eval harness, serving path, monitoring, and docs |
+
+## Ten MLE Task Simulations
+
+Use these simulations as coverage checks when planning or reviewing MLE work. A strong MLE workflow should reduce each task to explicit contracts, reusable SWE surfaces, automated evidence, and a reviewable artifact.
+
+| ID | Common MLE task | Streamlined ECC path | Required output | Pipeline lanes covered |
+|----|-----------------|----------------------|-----------------|------------------------|
+| MLE-01 | Frame an ambiguous prediction, ranking, recommender, classifier, embedding, or forecast capability | `product-capability`, `plan`, `architecture-decision-records`, `mle-workflow` | Iteration Compact naming who cares, decision owner, success metric, unacceptable mistakes, assumptions, constraints, and first experiment | product contract, stakeholder loss, risk, rollout |
+| MLE-02 | Define metric goals, labels, data sources, and the mistake budget | `repo-scan`, `database-reviewer`, `database-migrations`, `postgres-patterns`, `clickhouse-io` | Data and metric contract with entity grain, label timing, label confidence, feature timing, point-in-time joins, split policy, and dataset snapshot | data contract, metric design, leakage, reproducibility |
+| MLE-03 | Build a baseline model and scoring path before adding complexity | `tdd-workflow`, `python-testing`, `python-patterns`, `code-reviewer` | Baseline scorer with confusion matrix, calibration notes, latency/cost estimate, known weaknesses, and tests for score shape and determinism | baseline, scoring, testing, serving parity |
+| MLE-04 | Generate features from hypotheses about what separates outcomes | `python-patterns`, `pytorch-patterns`, `docker-patterns`, `deployment-patterns` | Feature plan and transform module covering signal source, missing values, outliers, correlations, leakage checks, and train/serve equivalence | feature pipeline, leakage, training, artifacts |
+| MLE-05 | Tune thresholds, configs, and model complexity under tradeoffs | `eval-harness`, `ai-regression-testing`, `quality-gate`, `test-coverage` | Threshold/config report comparing precision, recall, F1, AUC, calibration, group slices, latency, cost, complexity, and acceptable error classes | evaluation, threshold, promotion, regression |
+| MLE-06 | Run error analysis and turn mistakes into the next experiment | `eval-harness`, `ai-regression-testing`, `mle-reviewer`, `silent-failure-hunter` | Error cluster report for false positives, false negatives, ambiguous labels, stale features, missing signals, and bug traces with lessons captured | error analysis, bug trace, iteration, regression |
+| MLE-07 | Package a model artifact for batch or online inference | `api-design`, `backend-patterns`, `security-review`, `security-scan` | Versioned artifact bundle with preprocessing, config, dependency constraints, schema validation, safe loading, and PII-safe logs | artifact, security, inference contract |
+| MLE-08 | Ship online serving or batch scoring with feedback capture | `api-design`, `backend-patterns`, `e2e-testing`, `browser-qa`, `accessibility` | Prediction endpoint or batch job with response envelope, timeout, batching, fallback, model version, confidence, feedback logging, and product-flow tests | serving, batch inference, fallback, user workflow |
+| MLE-09 | Roll out a model with shadow traffic, canary, A/B test, or rollback | `canary-watch`, `dashboard-builder`, `verification-loop`, `performance-optimizer` | Rollout plan naming traffic split, dashboards, p95 latency, cost, quality guardrails, rollback artifact, and rollback trigger | deployment, canary, rollback |
+| MLE-10 | Operate, debug, and refresh a production model after launch | `silent-failure-hunter`, `dashboard-builder`, `mle-reviewer`, `doc-updater`, `github-ops` | Observation ledger and refresh plan with drift checks, delayed-label health, alert owners, runbook updates, retrain criteria, and PR evidence | monitoring, incident response, retraining |
+
+## Iteration Compact
+
+Before touching model code, compress the work into one reviewable artifact. This should be short enough to fit in a PR description and precise enough that another engineer can challenge the tradeoffs.
+
+```text
+Goal:
+Who cares:
+Decision owner:
+User or system action changed by the model:
+Success metric:
+Guardrail metrics:
+Mistake budget:
+Unacceptable mistakes:
+Acceptable mistakes:
+Assumptions:
+Constraints:
+Labels and data snapshot:
+Baseline:
+Candidate signals:
+Threshold or config plan:
+Eval slices:
+Known risks:
+Next experiment:
+Rollback or fallback:
+```
+
+This compact is the MLE equivalent of a strong SWE design note. It keeps the team from optimizing a metric no one trusts, adding features that do not address the real error mode, or shipping complexity without a rollback.
+
+## Decision Brain
+
+Use this loop whenever the task is ambiguous, high-impact, or metric-heavy:
+
+1. Start from the decision, not the model. Name the action that changes downstream behavior.
+2. Name who cares and why. Different stakeholders pay different costs for false positives, false negatives, latency, compute spend, opacity, or missed opportunities.
+3. Convert ambiguity into hypotheses. Ask what signal would separate outcomes, what evidence would disprove it, and what simple baseline should be hard to beat.
+4. Research prior art or a nearby known problem before inventing a bespoke system.
+5. Score choices with `(probability, confidence) x (cost, severity, importance, impact)`.
+6. Consider adversarial behavior, incentives, selective disclosure, distribution shift, and feedback loops.
+7. Prefer the simplest change that reduces the most important mistake. Simplicity is not laziness; it is a way to minimize blunders while preserving iteration speed.
+8. Capture the decision, evidence, counterargument, and next reversible step.
+
+## Metric and Mistake Economics
+
+Choose metrics from failure costs, not habit:
+
+- Use a confusion matrix early so the team can discuss concrete false positives and false negatives instead of abstract accuracy.
+- Favor precision when the cost of an incorrect positive decision dominates.
+- Favor recall when the cost of a missed positive dominates.
+- Use F1 only when the precision/recall tradeoff is genuinely balanced and explainable.
+- Use AUC or ranking metrics when ordering quality matters more than a single threshold.
+- Track latency, throughput, memory, and cost as first-class metrics because they shape feasible model complexity.
+- Compare against a baseline and the current production model before celebrating an offline gain.
+- Treat real-world feedback signals as delayed labels with bias, lag, and coverage gaps; do not treat them as ground truth without analysis.
+
+Every metric choice should state which mistake it makes cheaper, which mistake it makes more likely, and who absorbs that cost.
+
+## Data and Feature Hypotheses
+
+Features should come from a theory of separation:
+
+- Text, categorical fields, numeric histories, graph relationships, recency, frequency, and aggregates are candidate signal families, not automatic features.
+- For every feature family, state why it should separate outcomes and how it could leak future information.
+- For noisy labels, consider adjudication, label confidence, soft targets, or confidence weighting.
+- For class imbalance, compare weighted loss, resampling, threshold movement, and calibrated decision rules.
+- For missing values, decide whether absence is informative, imputable, or a reason to abstain.
+- For outliers, decide whether to clip, bucket, investigate, or preserve them as rare but important signal.
+- For correlated features, check whether they are redundant, unstable, or proxies for unavailable future state.
+
+Do not add model complexity until error analysis shows that the baseline is failing for a reason additional signal or capacity can plausibly fix.
+
+## Error Analysis Loop
+
+After each baseline, training run, threshold change, or config change:
+
+1. Split mistakes into false positives, false negatives, abstentions, low-confidence cases, and system failures.
+2. Cluster errors by shared traits: language, entity type, source, time, geography, device, sparsity, recency, feature freshness, label source, or model version.
+3. Separate model mistakes from data bugs, label ambiguity, product ambiguity, instrumentation gaps, and serving mismatches.
+4. Trace each major cluster to one of four moves: better labels, better features, better threshold/config, or better product fallback.
+5. Preserve every important mistake as a regression test, eval slice, dashboard panel, or runbook entry.
+6. Write the next iteration as a falsifiable experiment, not a vague "improve model" task.
+
+The strongest MLE loop is not train -> metric -> ship. It is mistake -> cluster -> hypothesis -> experiment -> evidence -> simpler system.
+
+## Observation Ledger
+
+Keep a compact decision and evidence trail beside the code, PR, experiment report, or runbook:
+
+```text
+Iteration:
+Change:
+Why this mattered:
+Metric movement:
+Slice movement:
+False positives:
+False negatives:
+Unexpected errors:
+Decision:
+Tradeoff accepted:
+Lesson captured:
+Regression added:
+Debt created:
+Next iteration:
+```
+
+Use the ledger to make model work cumulative. The goal is for each iteration to make the next decision easier, not merely to produce another artifact.
+
+## Core Workflow
+
+### 1. Define the Prediction Contract
+
+Capture the product-level contract before writing model code:
+
+- Prediction target and decision owner
+- Input entity, output schema, confidence/calibration fields, and allowed latency
+- Batch, online, streaming, or hybrid serving mode
+- Fallback behavior when the model, feature store, or dependency is unavailable
+- Human review or override path for high-impact decisions
+- Privacy, retention, and audit requirements for inputs, predictions, and labels
+
+Do not accept "improve the model" as a requirement. Tie the model to an observable product behavior and a measurable acceptance gate.
+
+### 2. Lock the Data Contract
+
+Every ML task needs an explicit data contract:
+
+- Entity grain and primary key
+- Label definition, label timestamp, and label availability delay
+- Feature timestamp, freshness SLA, and point-in-time join rules
+- Train, validation, test, and backtest split policy
+- Required columns, allowed nulls, ranges, categories, and units
+- PII or sensitive fields that must not enter training artifacts or logs
+- Dataset version or snapshot ID for reproducibility
+
+Guard against leakage first. If a feature is not available at prediction time, or is joined using future information, remove it or move it to an analysis-only path.
+
+### 3. Build a Reproducible Pipeline
+
+Training code should be runnable by another engineer without hidden notebook state:
+
+- Use typed config files or dataclasses for all hyperparameters and paths
+- Pin package and model dependencies
+- Set random seeds and document any nondeterministic GPU behavior
+- Record dataset version, code SHA, config hash, metrics, and artifact URI
+- Save preprocessing logic with the model artifact, not separately in a notebook
+- Keep train, eval, and inference transformations shared or generated from one source
+- Make every step idempotent so retries do not corrupt artifacts or metrics
+
+Prefer immutable values and pure transformation functions. Avoid mutating shared data frames or global config during feature generation.
+
+```python
+import hashlib
+from dataclasses import dataclass
+from pathlib import Path
+
+
+@dataclass(frozen=True)
+class TrainingConfig:
+    dataset_uri: str
+    model_dir: Path
+    seed: int
+    learning_rate: float
+    batch_size: int
+
+
+def artifact_name(config: TrainingConfig, code_sha: str) -> str:
+    config_key = f"{config.dataset_uri}:{config.seed}:{config.learning_rate}:{config.batch_size}"
+    config_hash = hashlib.sha256(config_key.encode("utf-8")).hexdigest()[:12]
+    return f"{code_sha[:12]}-{config_hash}"
+```
+
+### 4. Evaluate Before Promotion
+
+Promotion criteria should be declared before training finishes:
+
+- Baseline model and current production model comparison
+- Primary metric aligned to product behavior
+- Guardrail metrics for latency, calibration, fairness slices, cost, and error concentration
+- Slice metrics for important cohorts, geographies, devices, languages, or data sources
+- Confidence intervals or repeated-run variance when metrics are noisy
+- Failure examples reviewed by a human for high-impact models
+- Explicit "do not ship" thresholds
+
+```python
+PROMOTION_GATES = {
+    "auc": ("min", 0.82),
+    "calibration_error": ("max", 0.04),
+    "p95_latency_ms": ("max", 80),
+}
+
+
+def assert_promotion_ready(metrics: dict[str, float]) -> None:
+    missing = sorted(name for name in PROMOTION_GATES if name not in metrics)
+    if missing:
+        raise ValueError(f"Model promotion metrics missing required gates: {missing}")
+
+    failures = {
+        name: value
+        for name, (direction, threshold) in PROMOTION_GATES.items()
+        for value in [metrics[name]]
+        if (direction == "min" and value < threshold)
+        or (direction == "max" and value > threshold)
+    }
+    if failures:
+        raise ValueError(f"Model failed promotion gates: {failures}")
+```
+
+Use offline metrics as gates, not guarantees. When the model changes product behavior, plan shadow evaluation, canary rollout, or A/B testing before full rollout.
+
+### 5. Package for Serving
+
+An ML artifact is production-ready only when the serving contract is testable:
+
+- Model artifact includes version, training data reference, config, and preprocessing
+- Input schema rejects invalid, stale, or out-of-range features
+- Output schema includes model version and confidence or explanation fields when useful
+- Serving path has timeout, batching, resource limits, and fallback behavior
+- CPU/GPU requirements are explicit and tested
+- Prediction logs avoid PII and include enough identifiers for debugging and label joins
+- Integration tests cover missing features, stale features, bad types, empty batches, and fallback path
+
+Never let training-only feature code diverge from serving feature code without a test that proves equivalence.
+
+### 6. Operate the Model
+
+Model monitoring needs both system and quality signals:
+
+- Availability, error rate, timeout rate, queue depth, and p50/p95/p99 latency
+- Feature null rate, range drift, categorical drift, and freshness drift
+- Prediction distribution drift and confidence distribution drift
+- Label arrival health and delayed quality metrics
+- Business KPI guardrails and rollback triggers
+- Per-version dashboards for canaries and rollbacks
+
+Every deployment should have a rollback plan that names the previous artifact, config, data dependency, and traffic-switch mechanism.
+
+## Review Checklist
+
+- [ ] Prediction contract is explicit and testable
+- [ ] Data contract defines entity grain, label timing, feature timing, and snapshot/version
+- [ ] Leakage risks were checked against prediction-time availability
+- [ ] Training is reproducible from code, config, data version, and seed
+- [ ] Metrics compare against baseline and current production model
+- [ ] Slice metrics and guardrails are included for high-risk cohorts
+- [ ] Promotion gates are automated and fail closed
+- [ ] Training and serving transformations are shared or equivalence-tested
+- [ ] Model artifact carries version, config, dataset reference, and preprocessing
+- [ ] Serving path validates inputs and has timeout, fallback, and rollback behavior
+- [ ] Monitoring covers system health, feature drift, prediction drift, and delayed labels
+- [ ] Sensitive data is excluded from artifacts, logs, prompts, and examples
+
+## Anti-Patterns
+
+- Notebook state is required to reproduce the model
+- Random split leaks future data into validation or test sets
+- Feature joins ignore event time and label availability
+- Offline metric improves while important slices regress
+- Thresholds are tuned on the test set repeatedly
+- Training preprocessing is copied manually into serving code
+- Model version is missing from prediction logs
+- Monitoring only checks service uptime, not data or prediction quality
+- Rollback requires retraining instead of switching to a known-good artifact
+
+## Output Expectations
+
+When using this skill, return concrete artifacts: data contract, promotion gates, pipeline steps, test plan, deployment plan, or review findings. Call out unknowns that block production readiness instead of filling them with assumptions.

.agents/skills/mle-workflow/agents/openai.yaml

@@ -0,0 +1,7 @@
+interface:
+  display_name: "MLE Workflow"
+  short_description: "Production ML workflow and review gates"
+  brand_color: "#2563EB"
+  default_prompt: "Use $mle-workflow to plan or review a production ML pipeline."
+policy:
+  allow_implicit_invocation: true

.agents/skills/nextjs-turbopack/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: nextjs-turbopack
 description: Next.js 16+ and Turbopack — incremental bundling, FS caching, dev speed, and when to use Turbopack vs webpack.
-origin: ECC
 ---
 
 # Next.js and Turbopack

.agents/skills/nextjs-turbopack/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "Next.js Turbopack"
-  short_description: "Next.js 16+ and Turbopack dev bundler"
+  short_description: "Next.js and Turbopack workflow guidance"
   brand_color: "#000000"
-  default_prompt: "Next.js dev, Turbopack, or bundle optimization"
+  default_prompt: "Use $nextjs-turbopack to work through Next.js and Turbopack decisions."
 policy:
   allow_implicit_invocation: true

.agents/skills/product-capability/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: product-capability
 description: Translate PRD intent, roadmap asks, or product discussions into an implementation-ready capability plan that exposes constraints, invariants, interfaces, and unresolved decisions before multi-service work starts. Use when the user needs an ECC-native PRD-to-SRS lane instead of vague planning prose.
-origin: ECC
 ---
 
 # Product Capability

.agents/skills/product-capability/agents/openai.yaml

@@ -0,0 +1,7 @@
+interface:
+  display_name: "Product Capability"
+  short_description: "Implementation-ready product capability plans"
+  brand_color: "#0EA5E9"
+  default_prompt: "Use $product-capability to turn product intent into an implementation plan."
+policy:
+  allow_implicit_invocation: true

.agents/skills/security-review/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: security-review
 description: Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.
-origin: ECC
 ---
 
 # Security Review Skill

.agents/skills/security-review/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "Security Review"
-  short_description: "Comprehensive security checklist and vulnerability detection"
+  short_description: "Security checklist and vulnerability review"
   brand_color: "#EF4444"
-  default_prompt: "Run security checklist: secrets, input validation, injection prevention"
+  default_prompt: "Use $security-review to review sensitive code with the security checklist."
 policy:
   allow_implicit_invocation: true

.agents/skills/strategic-compact/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: strategic-compact
 description: Suggests manual context compaction at logical intervals to preserve context through task phases rather than arbitrary auto-compaction.
-origin: ECC
 ---
 
 # Strategic Compact Skill

.agents/skills/strategic-compact/agents/openai.yaml

@@ -2,6 +2,6 @@ interface:
   display_name: "Strategic Compact"
   short_description: "Context management via strategic compaction"
   brand_color: "#14B8A6"
-  default_prompt: "Suggest task boundary compaction for context management"
+  default_prompt: "Use $strategic-compact to choose a useful context compaction boundary."
 policy:
   allow_implicit_invocation: true

.agents/skills/tdd-workflow/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: tdd-workflow
 description: Use this skill when writing new features, fixing bugs, or refactoring code. Enforces test-driven development with 80%+ coverage including unit, integration, and E2E tests.
-origin: ECC
 ---
 
 # Test-Driven Development Workflow

.agents/skills/tdd-workflow/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "TDD Workflow"
-  short_description: "Test-driven development with 80%+ coverage"
+  short_description: "Test-driven development with coverage gates"
   brand_color: "#22C55E"
-  default_prompt: "Follow TDD: write tests first, implement, verify 80%+ coverage"
+  default_prompt: "Use $tdd-workflow to drive the change with tests before implementation."
 policy:
   allow_implicit_invocation: true

.agents/skills/verification-loop/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: verification-loop
 description: "A comprehensive verification system for Claude Code sessions."
-origin: ECC
 ---
 
 # Verification Loop Skill

.agents/skills/verification-loop/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "Verification Loop"
-  short_description: "Build, test, lint, typecheck verification"
+  short_description: "Build, test, lint, and typecheck verification"
   brand_color: "#10B981"
-  default_prompt: "Run verification: build, test, lint, typecheck, security"
+  default_prompt: "Use $verification-loop to run build, test, lint, and typecheck verification."
 policy:
   allow_implicit_invocation: true

.agents/skills/video-editing/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: video-editing
 description: AI-assisted video editing workflows for cutting, structuring, and augmenting real footage. Covers the full pipeline from raw capture through FFmpeg, Remotion, ElevenLabs, fal.ai, and final polish in Descript or CapCut. Use when the user wants to edit video, cut footage, create vlogs, or build video content.
-origin: ECC
 ---
 
 # Video Editing

.agents/skills/video-editing/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "Video Editing"
-  short_description: "AI-assisted video editing for real footage"
+  short_description: "AI-assisted editing for real footage"
   brand_color: "#EF4444"
-  default_prompt: "Edit video using AI-assisted pipeline: organize, cut, compose, generate assets, polish"
+  default_prompt: "Use $video-editing to plan an AI-assisted edit for real footage."
 policy:
   allow_implicit_invocation: true

.agents/skills/x-api/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: x-api
 description: X/Twitter API integration for posting tweets, threads, reading timelines, search, and analytics. Covers OAuth auth patterns, rate limits, and platform-native content posting. Use when the user wants to interact with X programmatically.
-origin: ECC
 ---
 
 # X API

.agents/skills/x-api/agents/openai.yaml

@@ -1,7 +1,7 @@
 interface:
   display_name: "X API"
-  short_description: "X/Twitter API integration for posting, threads, and analytics"
+  short_description: "X API posting, timelines, and analytics"
   brand_color: "#000000"
-  default_prompt: "Use X API to post tweets, threads, or retrieve timeline and search data"
+  default_prompt: "Use $x-api to build X API posting, timeline, or analytics workflows."
 policy:
   allow_implicit_invocation: true

.claude-plugin/PLUGIN_SCHEMA_NOTES.md

@@ -45,60 +45,37 @@ Example:
 
 The following fields **must always be arrays**:
 
-* `agents`
 * `commands`
 * `skills`
 * `hooks` (if present)
 
 Even if there is only one entry, **strings are not accepted**.
 
-### Invalid
-
-```json
-{
-  "agents": "./agents"
-}
-```
-
-### Valid
-
-```json
-{
-  "agents": ["./agents/planner.md"]
-}
-```
-
 This applies consistently across all component path fields.
 
 ---
 
-## Path Resolution Rules (Critical)
+## The `agents` Field: DO NOT ADD
 
-### Agents MUST use explicit file paths
+> WARNING: **CRITICAL:** Do NOT add an `"agents"` field to `plugin.json`. The Claude Code plugin validator rejects it entirely.
 
-The validator **does not accept directory paths for `agents`**.
+### Why This Matters
 
-Even the following will fail:
+The `agents` field is not part of the Claude Code plugin manifest schema. Any form of it -- string path, array of paths, or array of directories -- causes a validation error:
 
-```json
-{
-  "agents": ["./agents/"]
-}
+```
+agents: Invalid input
 ```
 
-Instead, you must enumerate agent files explicitly:
+Agent `.md` files under `agents/` are discovered automatically by convention (similar to hooks). They do not need to be declared in the manifest.
 
-```json
-{
-  "agents": [
-    "./agents/planner.md",
-    "./agents/architect.md",
-    "./agents/code-reviewer.md"
-  ]
-}
-```
+### History
 
-This is the most common source of validation errors.
+Previously this repo listed agents explicitly in `plugin.json` as an array of file paths. This passed the repo's own schema but failed Claude Code's actual validator, which does not recognize the field. Removed in #1459.
+
+---
+
+## Path Resolution Rules
 
 ### Commands and Skills
 
@@ -155,16 +132,38 @@ The test `plugin.json does NOT have explicit hooks declaration` in `tests/hooks/
 
 ---
 
+## The `mcpServers` Field: Keep the Empty Opt-Out
+
+ECC keeps `.mcp.json` at the repository root for Codex plugin installs and manual MCP setup.
+Claude Code also auto-discovers plugin-root `.mcp.json` files by convention, which would bundle the same MCP servers into Claude plugin installs.
+The Claude plugin slug is intentionally short (`ecc`), but this opt-out is still required because legacy installs and strict provider gateways have failed on generated names from longer plugin identifiers.
+
+Keep this field in `.claude-plugin/plugin.json`:
+
+```json
+{
+  "mcpServers": {}
+}
+```
+
+This explicit empty object prevents Claude plugin installs from auto-loading ECC's root MCP definitions.
+Without the opt-out, strict OpenAI-compatible gateways can reject plugin MCP tool names such as `mcp__plugin_everything-claude-code_github__create_pull_request_review` because they exceed 64 characters.
+
+Users who want the bundled MCP servers should configure them manually from `.mcp.json` or `mcp-configs/mcp-servers.json`.
+
+---
+
 ## Known Anti-Patterns
 
 These look correct but are rejected:
 
 * String values instead of arrays
-* Arrays of directories for `agents`
+* **Adding `"agents"` in any form** - not a recognized manifest field, causes `Invalid input`
 * Missing `version`
 * Relying on inferred paths
 * Assuming marketplace behavior matches local validation
 * **Adding `"hooks": "./hooks/hooks.json"`** - auto-loaded by convention, causes duplicate error
+* Removing `"mcpServers": {}` - re-enables root `.mcp.json` auto-discovery for Claude plugin installs and can produce overlong MCP tool names
 
 Avoid cleverness. Be explicit.
 
@@ -175,10 +174,6 @@ Avoid cleverness. Be explicit.
 ```json
 {
   "version": "1.1.0",
-  "agents": [
-    "./agents/planner.md",
-    "./agents/code-reviewer.md"
-  ],
   "commands": ["./commands/"],
   "skills": ["./skills/"]
 }
@@ -186,7 +181,7 @@ Avoid cleverness. Be explicit.
 
 This structure has been validated against the Claude plugin validator.
 
-**Important:** Notice there is NO `"hooks"` field. The `hooks/hooks.json` file is loaded automatically by convention. Adding it explicitly causes a duplicate error.
+**Important:** Notice there is NO `"hooks"` field and NO `"agents"` field. Both are loaded automatically by convention. Adding either explicitly causes errors.
 
 ---
 
@@ -194,10 +189,11 @@ This structure has been validated against the Claude plugin validator.
 
 Before submitting changes that touch `plugin.json`:
 
-1. Use explicit file paths for agents
-2. Ensure all component fields are arrays
-3. Include a `version`
-4. Run:
+1. Ensure all component fields are arrays
+2. Include a `version`
+3. Do NOT add `agents` or `hooks` fields (both are auto-loaded by convention)
+4. Preserve `"mcpServers": {}` unless you are intentionally changing Claude plugin MCP bundling behavior
+5. Run:
 
 ```bash
 claude plugin validate .claude-plugin/plugin.json

.claude-plugin/README.md

@@ -1,6 +1,6 @@
 ### Plugin Manifest Gotchas
 
-If you plan to edit `.claude-plugin/plugin.json`, be aware that the Claude plugin validator enforces several **undocumented but strict constraints** that can cause installs to fail with vague errors (for example, `agents: Invalid input`). In particular, component fields must be arrays, `agents` must use explicit file paths rather than directories, and a `version` field is required for reliable validation and installation.
+If you plan to edit `.claude-plugin/plugin.json`, be aware that the Claude plugin validator enforces several **undocumented but strict constraints** that can cause installs to fail with vague errors (for example, `agents: Invalid input`). In particular, component fields must be arrays, `agents` is not a supported manifest field and must not be included in plugin.json, and a `version` field is required for reliable validation and installation.
 
 These constraints are not obvious from public examples and have caused repeated installation failures in the past. They are documented in detail in `.claude-plugin/PLUGIN_SCHEMA_NOTES.md`, which should be reviewed before making any changes to the plugin manifest.
 

.claude-plugin/marketplace.json

@@ -1,5 +1,5 @@
 {
-  "name": "everything-claude-code",
+  "name": "ecc",
   "owner": {
     "name": "Affaan Mustafa",
     "email": "me@affaanmustafa.com"
@@ -9,10 +9,10 @@
   },
   "plugins": [
     {
-      "name": "everything-claude-code",
+      "name": "ecc",
       "source": "./",
-      "description": "The most comprehensive Claude Code plugin — 38 agents, 156 skills, 72 legacy command shims, selective install profiles, and production-ready hooks for TDD, security scanning, code review, and continuous learning",
-      "version": "1.10.0",
+      "description": "The most comprehensive Claude Code plugin — 58 agents, 220 skills, 74 legacy command shims, selective install profiles, and production-ready hooks for TDD, security scanning, code review, and continuous learning",
+      "version": "2.0.0-rc.1",
       "author": {
         "name": "Affaan Mustafa",
         "email": "me@affaanmustafa.com"

.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
-  "name": "everything-claude-code",
-  "version": "1.10.0",
-  "description": "Battle-tested Claude Code plugin for engineering teams — 38 agents, 156 skills, 72 legacy command shims, production-ready hooks, and selective install workflows evolved through continuous real-world use",
+  "name": "ecc",
+  "version": "2.0.0-rc.1",
+  "description": "Battle-tested Claude Code plugin for engineering teams — 58 agents, 220 skills, 74 legacy command shims, production-ready hooks, and selective install workflows evolved through continuous real-world use",
   "author": {
     "name": "Affaan Mustafa",
     "url": "https://x.com/affaanmustafa"
@@ -22,46 +22,11 @@
     "automation",
     "best-practices"
   ],
-  "agents": [
-    "./agents/architect.md",
-    "./agents/build-error-resolver.md",
-    "./agents/chief-of-staff.md",
-    "./agents/code-reviewer.md",
-    "./agents/cpp-build-resolver.md",
-    "./agents/cpp-reviewer.md",
-    "./agents/csharp-reviewer.md",
-    "./agents/dart-build-resolver.md",
-    "./agents/database-reviewer.md",
-    "./agents/doc-updater.md",
-    "./agents/docs-lookup.md",
-    "./agents/e2e-runner.md",
-    "./agents/flutter-reviewer.md",
-    "./agents/gan-evaluator.md",
-    "./agents/gan-generator.md",
-    "./agents/gan-planner.md",
-    "./agents/go-build-resolver.md",
-    "./agents/go-reviewer.md",
-    "./agents/harness-optimizer.md",
-    "./agents/healthcare-reviewer.md",
-    "./agents/java-build-resolver.md",
-    "./agents/java-reviewer.md",
-    "./agents/kotlin-build-resolver.md",
-    "./agents/kotlin-reviewer.md",
-    "./agents/loop-operator.md",
-    "./agents/opensource-forker.md",
-    "./agents/opensource-packager.md",
-    "./agents/opensource-sanitizer.md",
-    "./agents/performance-optimizer.md",
-    "./agents/planner.md",
-    "./agents/python-reviewer.md",
-    "./agents/pytorch-build-resolver.md",
-    "./agents/refactor-cleaner.md",
-    "./agents/rust-build-resolver.md",
-    "./agents/rust-reviewer.md",
-    "./agents/security-reviewer.md",
-    "./agents/tdd-guide.md",
-    "./agents/typescript-reviewer.md"
+  "mcpServers": {},
+  "skills": [
+    "./skills/"
   ],
-  "skills": ["./skills/"],
-  "commands": ["./commands/"]
+  "commands": [
+    "./commands/"
+  ]
 }

.codex-plugin/README.md

@@ -12,7 +12,7 @@ This directory contains the **Codex plugin manifest** for Everything Claude Code
 
 ## What This Provides
 
-- **156 skills** from `./skills/` — reusable Codex workflows for TDD, security,
+- **200 skills** from `./skills/` — reusable Codex workflows for TDD, security,
   code review, architecture, and more
 - **6 MCP servers** — GitHub, Context7, Exa, Memory, Playwright, Sequential Thinking
 

.codex-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "ecc",
-  "version": "1.10.0",
-  "description": "Battle-tested Codex workflows — 156 shared ECC skills, production-ready MCP configs, and selective-install-aligned conventions for TDD, security scanning, code review, and autonomous development.",
+  "version": "2.0.0-rc.1",
+  "description": "Battle-tested Codex workflows — 207 shared ECC skills, production-ready MCP configs, and selective-install-aligned conventions for TDD, security scanning, code review, and autonomous development.",
   "author": {
     "name": "Affaan Mustafa",
     "email": "me@affaanmustafa.com",
@@ -15,7 +15,7 @@
   "mcpServers": "./.mcp.json",
   "interface": {
     "displayName": "Everything Claude Code",
-    "shortDescription": "156 battle-tested ECC skills plus MCP configs for TDD, security, code review, and autonomous development.",
+    "shortDescription": "207 battle-tested ECC skills plus MCP configs for TDD, security, code review, and autonomous development.",
     "longDescription": "Everything Claude Code (ECC) is a community-maintained collection of Codex-ready skills and MCP configs evolved over 10+ months of intensive daily use. It covers TDD workflows, security scanning, code review, architecture decisions, operator workflows, and more — all in one installable plugin.",
     "developerName": "Affaan Mustafa",
     "category": "Productivity",

.codex/AGENTS.md

@@ -60,6 +60,12 @@ The sync script (`scripts/sync-ecc-to-codex.sh`) uses a Node-based TOML parser t
 - **`--update-mcp`** — explicitly replaces all ECC-managed servers with the latest recommended config (safely removes subtables like `[mcp_servers.supabase.env]`).
 - **User config is always preserved** — custom servers, args, env vars, and credentials outside ECC-managed sections are never touched.
 
+## External Action Boundaries
+
+Treat networked tools as read-only by default. Search, inspect, and draft freely within the user's requested scope, but require explicit user approval before posting, publishing, pushing, merging, opening paid jobs, dispatching remote agents, changing third-party resources, or modifying credentials.
+
+When approval is ambiguous, produce a local plan or draft artifact instead of taking the external action. Preserve user config and private state unless the user specifically asks for a scoped change.
+
 ## Multi-Agent Support
 
 Codex now supports multi-agent workflows behind the experimental `features.multi_agent` flag.

.cursor/hooks.json

@@ -1,4 +1,5 @@
 {
+  "version": 1,
   "hooks": {
     "sessionStart": [
       {

.env.example

@@ -20,6 +20,16 @@ GITHUB_TOKEN=
 # ─── Optional: Package manager override ──────────────────────────────────────
 # CLAUDE_CODE_PACKAGE_MANAGER=npm  # npm | pnpm | yarn | bun
 
+# --- Optional: Astraflow / UModelVerse (OpenAI-compatible) -------------------
+# Global endpoint: https://api.umodelverse.ai/v1
+ASTRAFLOW_API_KEY=
+# ASTRAFLOW_MODEL=gpt-4o-mini
+# ASTRAFLOW_BASE_URL=https://api.umodelverse.ai/v1
+# China endpoint: https://api.modelverse.cn/v1
+ASTRAFLOW_CN_API_KEY=
+# ASTRAFLOW_CN_MODEL=gpt-4o-mini
+# ASTRAFLOW_CN_BASE_URL=https://api.modelverse.cn/v1
+
 # ─── Session & Security ─────────────────────────────────────────────────────
 # GitHub username (used by CI scripts for credential context)
 GITHUB_USER="your-github-username"

.github/workflows/ci.yml

@@ -2,7 +2,8 @@ name: CI
 
 on:
   push:
-    branches: [main]
+    branches: [main, 'release/**']
+    tags: ['v*']
   pull_request:
     branches: [main]
 
@@ -44,7 +45,7 @@ jobs:
       # Package manager setup
       - name: Setup pnpm
         if: matrix.pm == 'pnpm' && matrix.node != '18.x'
-        uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v6.0.0
+        uses: pnpm/action-setup@91ab88e2619ed1f46221f0ba42d1492c02baf788 # v6.0.6
         with:
           # Keep an explicit pnpm major because this repo's packageManager is Yarn.
           version: 10
@@ -76,7 +77,7 @@ jobs:
 
       - name: Cache npm
         if: matrix.pm == 'npm'
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ${{ steps.npm-cache-dir.outputs.dir }}
           key: ${{ runner.os }}-node-${{ matrix.node }}-npm-${{ hashFiles('**/package-lock.json') }}
@@ -93,7 +94,7 @@ jobs:
 
       - name: Cache pnpm
         if: matrix.pm == 'pnpm'
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ${{ steps.pnpm-cache-dir.outputs.dir }}
           key: ${{ runner.os }}-node-${{ matrix.node }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -114,7 +115,7 @@ jobs:
 
       - name: Cache yarn
         if: matrix.pm == 'yarn'
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ${{ steps.yarn-cache-dir.outputs.dir }}
           key: ${{ runner.os }}-node-${{ matrix.node }}-yarn-${{ hashFiles('**/yarn.lock') }}
@@ -123,7 +124,7 @@ jobs:
 
       - name: Cache bun
         if: matrix.pm == 'bun'
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ~/.bun/install/cache
           key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lockb') }}
@@ -140,7 +141,10 @@ jobs:
         run: |
           case "${{ matrix.pm }}" in
             npm) npm ci ;;
-            pnpm) pnpm install --no-frozen-lockfile ;;
+            # pnpm v10 can fail CI on ignored native build scripts
+            # (for example msgpackr-extract) even though this repo is Yarn-native
+            # and pnpm is only exercised here as a compatibility lane.
+            pnpm) pnpm install --config.strict-dep-builds=false --no-frozen-lockfile ;;
             # Yarn Berry (v4+) removed --ignore-engines; engine checking is no longer a core feature
             yarn) yarn install ;;
             bun) bun install ;;
@@ -216,6 +220,10 @@ jobs:
         run: node scripts/ci/check-unicode-safety.js
         continue-on-error: false
 
+      - name: Validate no personal paths
+        run: node scripts/ci/validate-no-personal-paths.js
+        continue-on-error: false
+
   security:
     name: Security Scan
     runs-on: ubuntu-latest

.github/workflows/release.yml

@@ -6,6 +6,7 @@ on:
 
 permissions:
   contents: write
+  id-token: write
 
 jobs:
   release:
@@ -22,6 +23,7 @@ jobs:
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: '20.x'
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Install dependencies
         run: npm ci
@@ -31,8 +33,8 @@ jobs:
 
       - name: Validate version tag
         run: |
-          if ! [[ "${REF_NAME}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            echo "Invalid version tag format. Expected vX.Y.Z"
+          if ! [[ "${REF_NAME}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$ ]]; then
+            echo "Invalid version tag format. Expected vX.Y.Z or vX.Y.Z-prerelease"
             exit 1
           fi
 
@@ -53,6 +55,19 @@ jobs:
       - name: Verify release metadata stays in sync
         run: node tests/plugin-manifest.test.js
 
+      - name: Check npm publish state
+        id: npm_publish_state
+        run: |
+          PACKAGE_NAME=$(node -p "require('./package.json').name")
+          PACKAGE_VERSION=$(node -p "require('./package.json').version")
+          NPM_DIST_TAG=$(node -p "require('./package.json').version.includes('-') ? 'next' : 'latest'")
+          if npm view "${PACKAGE_NAME}@${PACKAGE_VERSION}" version >/dev/null 2>&1; then
+            echo "already_published=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "already_published=false" >> "$GITHUB_OUTPUT"
+          fi
+          echo "dist_tag=${NPM_DIST_TAG}" >> "$GITHUB_OUTPUT"
+
       - name: Generate release highlights
         id: highlights
         env:
@@ -73,6 +88,8 @@ jobs:
           - Improved release-note generation and changelog hygiene
 
           ### Notes
+          - npm package: \`ecc-universal\`
+          - Claude marketplace/plugin identifier: \`everything-claude-code@everything-claude-code\`
           - For migration tips and compatibility notes, see README and CHANGELOG.
           EOF
 
@@ -81,3 +98,11 @@ jobs:
         with:
           body_path: release_body.md
           generate_release_notes: true
+          prerelease: ${{ contains(github.ref_name, '-') }}
+          make_latest: ${{ contains(github.ref_name, '-') && 'false' || 'true' }}
+
+      - name: Publish npm package
+        if: steps.npm_publish_state.outputs.already_published != 'true'
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --access public --provenance --tag "${{ steps.npm_publish_state.outputs.dist_tag }}"

.github/workflows/reusable-release.yml

@@ -12,9 +12,24 @@ on:
         required: false
         type: boolean
         default: true
+    secrets:
+      NPM_TOKEN:
+        required: false
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Version tag to release or republish (e.g., v2.0.0-rc.1)'
+        required: true
+        type: string
+      generate-notes:
+        description: 'Auto-generate release notes'
+        required: false
+        type: boolean
+        default: true
 
 permissions:
   contents: write
+  id-token: write
 
 jobs:
   release:
@@ -26,11 +41,13 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          ref: ${{ inputs.tag }}
 
       - name: Setup Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: '20.x'
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Install dependencies
         run: npm ci
@@ -42,8 +59,8 @@ jobs:
         env:
           INPUT_TAG: ${{ inputs.tag }}
         run: |
-          if ! [[ "$INPUT_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            echo "Invalid version tag format. Expected vX.Y.Z"
+          if ! [[ "$INPUT_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$ ]]; then
+            echo "Invalid version tag format. Expected vX.Y.Z or vX.Y.Z-prerelease"
             exit 1
           fi
 
@@ -62,6 +79,19 @@ jobs:
       - name: Verify release metadata stays in sync
         run: node tests/plugin-manifest.test.js
 
+      - name: Check npm publish state
+        id: npm_publish_state
+        run: |
+          PACKAGE_NAME=$(node -p "require('./package.json').name")
+          PACKAGE_VERSION=$(node -p "require('./package.json').version")
+          NPM_DIST_TAG=$(node -p "require('./package.json').version.includes('-') ? 'next' : 'latest'")
+          if npm view "${PACKAGE_NAME}@${PACKAGE_VERSION}" version >/dev/null 2>&1; then
+            echo "already_published=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "already_published=false" >> "$GITHUB_OUTPUT"
+          fi
+          echo "dist_tag=${NPM_DIST_TAG}" >> "$GITHUB_OUTPUT"
+
       - name: Generate release highlights
         env:
           TAG_NAME: ${{ inputs.tag }}
@@ -74,6 +104,10 @@ jobs:
           - Harness reliability and cross-platform compatibility
           - Eval-driven quality improvements
           - Better workflow and operator ergonomics
+
+          ### Package Notes
+          - npm package: \`ecc-universal\`
+          - Claude marketplace/plugin identifier: \`everything-claude-code@everything-claude-code\`
           EOF
 
       - name: Create GitHub Release
@@ -82,3 +116,11 @@ jobs:
           tag_name: ${{ inputs.tag }}
           body_path: release_body.md
           generate_release_notes: ${{ inputs.generate-notes }}
+          prerelease: ${{ contains(inputs.tag, '-') }}
+          make_latest: ${{ contains(inputs.tag, '-') && 'false' || 'true' }}
+
+      - name: Publish npm package
+        if: steps.npm_publish_state.outputs.already_published != 'true'
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --access public --provenance --tag "${{ steps.npm_publish_state.outputs.dist_tag }}"

.github/workflows/reusable-test.yml

@@ -36,7 +36,7 @@ jobs:
 
       - name: Setup pnpm
         if: inputs.package-manager == 'pnpm' && inputs.node-version != '18.x'
-        uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v6.0.0
+        uses: pnpm/action-setup@91ab88e2619ed1f46221f0ba42d1492c02baf788 # v6.0.6
         with:
           # Keep an explicit pnpm major because this repo's packageManager is Yarn.
           version: 10
@@ -67,7 +67,7 @@ jobs:
 
       - name: Cache npm
         if: inputs.package-manager == 'npm'
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ${{ steps.npm-cache-dir.outputs.dir }}
           key: ${{ runner.os }}-node-${{ inputs.node-version }}-npm-${{ hashFiles('**/package-lock.json') }}
@@ -84,7 +84,7 @@ jobs:
 
       - name: Cache pnpm
         if: inputs.package-manager == 'pnpm'
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ${{ steps.pnpm-cache-dir.outputs.dir }}
           key: ${{ runner.os }}-node-${{ inputs.node-version }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -105,7 +105,7 @@ jobs:
 
       - name: Cache yarn
         if: inputs.package-manager == 'yarn'
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ${{ steps.yarn-cache-dir.outputs.dir }}
           key: ${{ runner.os }}-node-${{ inputs.node-version }}-yarn-${{ hashFiles('**/yarn.lock') }}
@@ -114,7 +114,7 @@ jobs:
 
       - name: Cache bun
         if: inputs.package-manager == 'bun'
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ~/.bun/install/cache
           key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lockb') }}
@@ -130,7 +130,10 @@ jobs:
         run: |
           case "${{ inputs.package-manager }}" in
             npm) npm ci ;;
-            pnpm) pnpm install --no-frozen-lockfile ;;
+            # pnpm v10 can fail CI on ignored native build scripts
+            # (for example msgpackr-extract) even though this repo is Yarn-native
+            # and pnpm is only exercised here as a compatibility lane.
+            pnpm) pnpm install --config.strict-dep-builds=false --no-frozen-lockfile ;;
             # Yarn Berry (v4+) removed --ignore-engines; engine checking is no longer a core feature
             yarn) yarn install ;;
             bun) bun install ;;

.github/workflows/reusable-validate.yml

@@ -50,3 +50,6 @@ jobs:
 
       - name: Check unicode safety
         run: node scripts/ci/check-unicode-safety.js
+
+      - name: Validate no personal paths
+        run: node scripts/ci/validate-no-personal-paths.js

.kiro/skills/search-first/SKILL.md

@@ -21,6 +21,12 @@ Use this skill when:
 - The user asks "add X functionality" and you're about to write code
 - Before creating a new utility, helper, or abstraction
 
+## Scope and Approval Rules
+
+Default to read-only research: inspect the repo, package metadata, docs, and public examples before recommending a dependency or integration. Do not install packages, configure MCP servers, publish artifacts, open PRs, or make external write actions from this skill unless the user has explicitly approved that action in the current task.
+
+When a candidate requires credentials, paid services, network writes, or project-wide config changes, return a recommendation and approval checkpoint instead of applying it directly.
+
 ## Workflow
 
 ```
@@ -45,9 +51,9 @@ Use this skill when:
 │     │ as-is   │  │  /Wrap   │  │  Custom  │  │
 │     └─────────┘  └──────────┘  └─────────┘  │
 ├─────────────────────────────────────────────┤
-│  5. IMPLEMENT                               │
-│     Install package / Configure MCP /       │
-│     Write minimal custom code               │
+│  5. APPROVAL CHECKPOINT / IMPLEMENT         │
+│     Recommend package / MCP / custom code   │
+│     Apply only after explicit approval      │
 └─────────────────────────────────────────────┘
 ```
 
@@ -55,10 +61,10 @@ Use this skill when:
 
 | Signal | Action |
 |--------|--------|
-| Exact match, well-maintained, MIT/Apache | **Adopt** — install and use directly |
-| Partial match, good foundation | **Extend** — install + write thin wrapper |
-| Multiple weak matches | **Compose** — combine 2-3 small packages |
-| Nothing suitable found | **Build** — write custom, but informed by research |
+| Exact match, well-maintained, MIT/Apache | **Adopt** — recommend the package and request approval before install or config changes |
+| Partial match, good foundation | **Extend** — recommend the package plus a thin wrapper, then wait for approval before applying |
+| Multiple weak matches | **Compose** — propose 2-3 small packages and the integration plan before installing anything |
+| Nothing suitable found | **Build** — explain why custom code is warranted, then implement only within the approved task scope |
 
 ## How to Use
 
@@ -135,8 +141,8 @@ Combine for progressive discovery:
 Need: Check markdown files for broken links
 Search: npm "markdown dead link checker"
 Found: textlint-rule-no-dead-link (score: 9/10)
-Action: ADOPT — npm install textlint-rule-no-dead-link
-Result: Zero custom code, battle-tested solution
+Action: ADOPT — recommend `textlint-rule-no-dead-link` and ask before installing it
+Result: Zero custom code if approved, battle-tested solution
 ```
 
 ### Example 2: "Add HTTP client wrapper"
@@ -144,8 +150,8 @@ Result: Zero custom code, battle-tested solution
 Need: Resilient HTTP client with retries and timeout handling
 Search: npm "http client retry", PyPI "httpx retry"
 Found: got (Node) with retry plugin, httpx (Python) with built-in retry
-Action: ADOPT — use got/httpx directly with retry config
-Result: Zero custom code, production-proven libraries
+Action: ADOPT — recommend `got`/`httpx` directly with retry config and ask before changing dependencies
+Result: Zero custom code if approved, production-proven libraries
 ```
 
 ### Example 3: "Add config file linter"
@@ -153,8 +159,8 @@ Result: Zero custom code, production-proven libraries
 Need: Validate project config files against a schema
 Search: npm "config linter schema", "json schema validator cli"
 Found: ajv-cli (score: 8/10)
-Action: ADOPT + EXTEND — install ajv-cli, write project-specific schema
-Result: 1 package + 1 schema file, no custom validation logic
+Action: ADOPT + EXTEND — recommend `ajv-cli` plus a project-specific schema, then wait for approval before install/write
+Result: 1 package + 1 schema file if approved, no custom validation logic
 ```
 
 ## Anti-Patterns

.opencode/.npmignore

@@ -0,0 +1,2 @@
+node_modules
+bun.lock

.opencode/commands/harness-audit.md

@@ -1,3 +1,7 @@
+---
+description: Run a deterministic repository harness audit and return a prioritized scorecard.
+---
+
 # Harness Audit Command
 
 Run a deterministic repository harness audit and return a prioritized scorecard.

.opencode/commands/security-scan.md

@@ -0,0 +1,92 @@
+---
+description: Run AgentShield against agent, hook, MCP, permission, and secret surfaces.
+agent: everything-claude-code:security-reviewer
+subtask: true
+---
+
+# Security Scan Command
+
+Run AgentShield against the current project or a target path, then turn the findings into a prioritized remediation plan.
+
+## Usage
+
+`/security-scan [path] [--format text|json|markdown|html] [--min-severity low|medium|high|critical] [--fix]`
+
+- `path` (optional): defaults to the current project. Use a `.claude/` path, a repo root, or a checked-in template directory.
+- `--format`: output format. Use `json` for CI, `markdown` for handoffs, and `html` for standalone review reports.
+- `--min-severity`: filters lower-priority findings.
+- `--fix`: applies only AgentShield fixes explicitly marked as safe and auto-fixable.
+
+## Deterministic Engine
+
+Prefer the packaged scanner:
+
+```bash
+npx ecc-agentshield scan --path "${TARGET_PATH:-.}" --format text
+```
+
+For local AgentShield development, run from the AgentShield checkout:
+
+```bash
+npm run scan -- --path "${TARGET_PATH:-.}" --format text
+```
+
+Do not invent findings. Use AgentShield output as the source of truth and separate scanner facts from follow-up judgment.
+
+## Review Checklist
+
+1. Identify active runtime findings first:
+   - hardcoded secrets
+   - broad permissions
+   - executable hooks
+   - MCP servers with shell, filesystem, remote transport, or unpinned `npx`
+   - agent prompts that handle untrusted content without defenses
+2. Separate lower-confidence inventory:
+   - docs examples
+   - template examples
+   - plugin manifests
+   - project-local optional settings
+3. For each critical or high finding, return:
+   - file path
+   - severity
+   - runtime confidence
+   - why it matters
+   - exact remediation
+   - whether it is safe to auto-fix
+4. If `--fix` is requested, state the planned edits before applying fixes.
+5. Re-run the scan after fixes and report the before/after score.
+
+## Output Contract
+
+Return:
+
+1. Security grade and score.
+2. Counts by severity and runtime confidence.
+3. Critical/high findings with exact paths.
+4. Lower-confidence findings grouped separately.
+5. A remediation order.
+6. Commands run and whether the scan was local, CI, or npx-backed.
+
+## CI Pattern
+
+Use AgentShield in GitHub Actions for enforced gates:
+
+```yaml
+- uses: affaan-m/agentshield@v1
+  with:
+    path: "."
+    min-severity: "medium"
+    fail-on-findings: true
+```
+
+## Links
+
+- Skill: `skills/security-scan/SKILL.md`
+- Agent: `agents/security-reviewer.md`
+- Scanner: <https://github.com/affaan-m/agentshield>
+
+## Arguments
+
+$ARGUMENTS:
+- optional target path
+- optional AgentShield flags

.opencode/opencode.json

@@ -22,6 +22,11 @@
   "plugin": [
     "./plugins"
   ],
+  "skills": {
+    "paths": [
+      "../skills"
+    ]
+  },
   "agent": {
     "build": {
       "description": "Primary coding agent for development work",

.opencode/package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "ecc-universal",
-  "version": "1.10.0",
+  "version": "2.0.0-rc.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "ecc-universal",
-      "version": "1.10.0",
+      "version": "2.0.0-rc.1",
       "license": "MIT",
       "devDependencies": {
         "@opencode-ai/plugin": "^1.4.3",

.opencode/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ecc-universal",
-  "version": "1.10.0",
+  "version": "2.0.0-rc.1",
   "description": "Everything Claude Code (ECC) plugin for OpenCode - agents, commands, hooks, and skills",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

.opencode/plugins/ecc-hooks.ts

@@ -43,6 +43,14 @@ export const ECCHooksPlugin: ECCHooksPluginFn = async ({
     return path.join(worktreePath, p)
   }
 
+  function hasProjectFile(relativePath: string): boolean {
+    try {
+      return fs.statSync(resolvePath(relativePath)).isFile()
+    } catch {
+      return false
+    }
+  }
+
   const pendingToolChanges = new Map<string, { path: string; type: "added" | "modified" }>()
   let writeCounter = 0
 
@@ -275,13 +283,8 @@ export const ECCHooksPlugin: ECCHooksPluginFn = async ({
       log("info", `[ECC] Session started - profile=${currentProfile}`)
 
       // Check for project-specific context files
-      try {
-        const hasClaudeMd = await $`test -f ${worktree}/CLAUDE.md && echo "yes"`.text()
-        if (hasClaudeMd.trim() === "yes") {
-          log("info", "[ECC] Found CLAUDE.md - loading project context")
-        }
-      } catch {
-        // No CLAUDE.md found
+      if (hasProjectFile("CLAUDE.md")) {
+        log("info", "[ECC] Found CLAUDE.md - loading project context")
       }
     },
 
@@ -400,7 +403,7 @@ export const ECCHooksPlugin: ECCHooksPluginFn = async ({
         ECC_PLUGIN: "true",
         ECC_HOOK_PROFILE: currentProfile,
         ECC_DISABLED_HOOKS: process.env.ECC_DISABLED_HOOKS || "",
-        PROJECT_ROOT: worktree || directory,
+        PROJECT_ROOT: worktreePath,
       }
 
       // Detect package manager
@@ -411,12 +414,9 @@ export const ECCHooksPlugin: ECCHooksPluginFn = async ({
         "package-lock.json": "npm",
       }
       for (const [lockfile, pm] of Object.entries(lockfiles)) {
-        try {
-          await $`test -f ${worktree}/${lockfile}`
+        if (hasProjectFile(lockfile)) {
           env.PACKAGE_MANAGER = pm
           break
-        } catch {
-          // Not found, try next
         }
       }
 
@@ -430,11 +430,8 @@ export const ECCHooksPlugin: ECCHooksPluginFn = async ({
       }
       const detected: string[] = []
       for (const [file, lang] of Object.entries(langDetectors)) {
-        try {
-          await $`test -f ${worktree}/${file}`
+        if (hasProjectFile(file)) {
           detected.push(lang)
-        } catch {
-          // Not found
         }
       }
       if (detected.length > 0) {
@@ -456,7 +453,7 @@ export const ECCHooksPlugin: ECCHooksPluginFn = async ({
       const contextBlock = [
         "# ECC Context (preserve across compaction)",
         "",
-        "## Active Plugin: Everything Claude Code v1.10.0",
+        "## Active Plugin: Everything Claude Code v2.0.0-rc.1",
         "- Hooks: file.edited, tool.execute.before/after, session.created/idle/deleted, shell.env, compacting, permission.ask",
         "- Tools: run-tests, check-coverage, security-audit, format-code, lint-check, git-summary, changed-files",
         "- Agents: 13 specialized (planner, architect, tdd-guide, code-reviewer, security-reviewer, build-error-resolver, e2e-runner, refactor-cleaner, doc-updater, go-reviewer, go-build-resolver, database-reviewer, python-reviewer)",

.qwen/QWEN.md

@@ -0,0 +1,25 @@
+# Qwen CLI Configuration
+
+This directory contains ECC's Qwen CLI install template.
+
+## Runtime Location
+
+The source `.qwen/` directory in this repository is copied into a user's home-level `~/.qwen/` install root when running:
+
+```bash
+./install.sh --target qwen --profile minimal
+```
+
+The managed install also writes `~/.qwen/ecc-install-state.json` so future ECC updates and uninstalls can distinguish ECC-owned files from user-owned Qwen configuration.
+
+## Installed Surface
+
+The Qwen target installs the same managed manifest modules used by other harness adapters:
+
+- `rules/`
+- `agents/`
+- `commands/`
+- `skills/`
+- `mcp-configs/`
+
+Hook runtime files are intentionally not selected for Qwen until the Qwen hook/event contract is verified.

AGENTS.md

@@ -1,8 +1,8 @@
 # Everything Claude Code (ECC) — Agent Instructions
 
-This is a **production-ready AI coding plugin** providing 48 specialized agents, 183 skills, 79 commands, and automated hook workflows for software development.
+This is a **production-ready AI coding plugin** providing 58 specialized agents, 220 skills, 74 commands, and automated hook workflows for software development.
 
-**Version:** 1.10.0
+**Version:** 2.0.0-rc.1
 
 ## Core Principles
 
@@ -27,6 +27,7 @@ This is a **production-ready AI coding plugin** providing 48 specialized agents,
 | doc-updater | Documentation and codemaps | Updating docs |
 | cpp-reviewer | C/C++ code review | C and C++ projects |
 | cpp-build-resolver | C/C++ build errors | C and C++ build failures |
+| fsharp-reviewer | F# functional code review | F# projects |
 | docs-lookup | Documentation lookup via Context7 | API/docs questions |
 | go-reviewer | Go code review | Go projects |
 | go-build-resolver | Go build errors | Go build failures |
@@ -41,6 +42,7 @@ This is a **production-ready AI coding plugin** providing 48 specialized agents,
 | rust-reviewer | Rust code review | Rust projects |
 | rust-build-resolver | Rust build errors | Rust build failures |
 | pytorch-build-resolver | PyTorch runtime/CUDA/training errors | PyTorch build/training failures |
+| mle-reviewer | Production ML pipeline review | ML pipelines, evals, serving, monitoring, rollback |
 | typescript-reviewer | TypeScript/JavaScript code review | TypeScript/JavaScript projects |
 
 ## Agent Orchestration
@@ -145,9 +147,9 @@ Troubleshoot failures: check test isolation → verify mocks → fix implementat
 ## Project Structure
 
 ```
-agents/          — 48 specialized subagents
-skills/          — 183 workflow skills and domain knowledge
-commands/        — 79 slash commands
+agents/          — 58 specialized subagents
+skills/          — 220 workflow skills and domain knowledge
+commands/        — 74 slash commands
 hooks/           — Trigger-based automations
 rules/           — Always-follow guidelines (common + per-language)
 scripts/         — Cross-platform Node.js utilities

CHANGELOG.md

@@ -1,5 +1,25 @@
 # Changelog
 
+## 2.0.0-rc.1 - 2026-04-28
+
+### Highlights
+
+- Adds the public ECC 2.0 release-candidate surface for the Hermes operator story.
+- Documents ECC as the reusable cross-harness substrate across Claude Code, Codex, Cursor, OpenCode, and Gemini.
+- Adds a sanitized Hermes import skill surface instead of publishing private operator state.
+
+### Release Surface
+
+- Updated package, plugin, marketplace, OpenCode, agent, and README metadata to `2.0.0-rc.1`.
+- Added `docs/releases/2.0.0-rc.1/` with release notes, social drafts, launch checklist, handoff notes, and demo prompts.
+- Added `docs/architecture/cross-harness.md` and regression coverage for the ECC/Hermes boundary.
+- Kept `ecc2/` versioning independent for now; it remains an alpha control-plane scaffold unless release engineering decides otherwise.
+
+### Notes
+
+- This is a release candidate, not a GA claim for the full ECC 2.0 control-plane roadmap.
+- Prerelease npm publishing should use the `next` dist-tag unless release engineering explicitly chooses otherwise.
+
 ## 1.10.0 - 2026-04-05
 
 ### Highlights

CONTRIBUTING.md

@@ -167,6 +167,8 @@ Short version:
 - [ ] Tested with Claude Code
 - [ ] Links to related skills
 - [ ] No sensitive data (API keys, tokens, paths)
+- [ ] Frontmatter declares `name:` matching the directory name
+- [ ] Frontmatter `description:` is an inline string or folded (`>`) scalar — not a literal block (`|`, `|-`, or `|+`), which preserves internal newlines and breaks flat-table renderers
 
 ### Example Skills
 

README.md

@@ -1,7 +1,9 @@
-**Language:** English | [Português (Brasil)](docs/pt-BR/README.md) | [简体中文](README.zh-CN.md) | [繁體中文](docs/zh-TW/README.md) | [日本語](docs/ja-JP/README.md) | [한국어](docs/ko-KR/README.md) | [Türkçe](docs/tr/README.md)
+**Language:** English | [Português (Brasil)](docs/pt-BR/README.md) | [简体中文](README.zh-CN.md) | [繁體中文](docs/zh-TW/README.md) | [日本語](docs/ja-JP/README.md) | [한국어](docs/ko-KR/README.md) | [Türkçe](docs/tr/README.md) | [Русский](docs/ru/README.md) | [Tiếng Việt](docs/vi-VN/README.md)
 
 # Everything Claude Code
 
+![Everything Claude Code — the performance system for AI agent harnesses](assets/hero.png)
+
 [![Stars](https://img.shields.io/github/stars/affaan-m/everything-claude-code?style=flat)](https://github.com/affaan-m/everything-claude-code/stargazers)
 [![Forks](https://img.shields.io/github/forks/affaan-m/everything-claude-code?style=flat)](https://github.com/affaan-m/everything-claude-code/network/members)
 [![Contributors](https://img.shields.io/github/contributors/affaan-m/everything-claude-code?style=flat)](https://github.com/affaan-m/everything-claude-code/graphs/contributors)
@@ -23,10 +25,10 @@
 
 <div align="center">
 
-**Language / 语言 / 語言 / Dil**
+**Language / 语言 / 語言 / Dil / Язык / Ngôn ngữ**
 
 [**English**](README.md) | [Português (Brasil)](docs/pt-BR/README.md) | [简体中文](README.zh-CN.md) | [繁體中文](docs/zh-TW/README.md) | [日本語](docs/ja-JP/README.md) | [한국어](docs/ko-KR/README.md)
- | [Türkçe](docs/tr/README.md)
+ | [Türkçe](docs/tr/README.md) | [Русский](docs/ru/README.md) | [Tiếng Việt](docs/vi-VN/README.md)
 
 </div>
 
@@ -38,6 +40,8 @@ Not just configs. A complete system: skills, instincts, memory optimization, con
 
 Works across **Claude Code**, **Codex**, **Cursor**, **OpenCode**, **Gemini**, and other AI agent harnesses.
 
+ECC v2.0.0-rc.1 adds the public Hermes operator story on top of that reusable layer: start with the [Hermes setup guide](docs/HERMES-SETUP.md), then review the [rc.1 release notes](docs/releases/2.0.0-rc.1/release-notes.md) and [cross-harness architecture](docs/architecture/cross-harness.md).
+
 ---
 
 ## The Guides
@@ -82,14 +86,15 @@ This repo is the raw code only. The guides explain everything.
 
 ## What's New
 
-### v1.10.0 — Surface Refresh, Operator Workflows, and ECC 2.0 Alpha (Apr 2026)
+### v2.0.0-rc.1 — Surface Refresh, Operator Workflows, and ECC 2.0 Alpha (Apr 2026)
 
 - **Dashboard GUI** — New Tkinter-based desktop application (`ecc_dashboard.py` or `npm run dashboard`) with dark/light theme toggle, font customization, and project logo in header and taskbar.
-- **Public surface synced to the live repo** — metadata, catalog counts, plugin manifests, and install-facing docs now match the actual OSS surface: 38 agents, 156 skills, and 72 legacy command shims.
+- **Public surface synced to the live repo** — metadata, catalog counts, plugin manifests, and install-facing docs now match the actual OSS surface: 55 agents, 208 skills, and 72 legacy command shims.
 - **Operator and outbound workflow expansion** — `brand-voice`, `social-graph-ranker`, `connections-optimizer`, `customer-billing-ops`, `ecc-tools-cost-audit`, `google-workspace-ops`, `project-flow-ops`, and `workspace-surface-audit` round out the operator lane.
 - **Media and launch tooling** — `manim-video`, `remotion-video-creation`, and upgraded social publishing surfaces make technical explainers and launch content part of the same system.
 - **Framework and product surface growth** — `nestjs-patterns`, richer Codex/OpenCode install surfaces, and expanded cross-harness packaging keep the repo usable beyond Claude Code alone.
 - **ECC 2.0 alpha is in-tree** — the Rust control-plane prototype in `ecc2/` now builds locally and exposes `dashboard`, `start`, `sessions`, `status`, `stop`, `resume`, and `daemon` commands. It is usable as an alpha, not yet a general release.
+- **Operator status snapshots** — `ecc status --markdown --write status.md` turns the local state store into a portable handoff covering readiness, active sessions, skill-run health, install health, pending governance events, and linked work items from Linear/GitHub/handoffs. Use `ecc work-items upsert ...` for manual entries, `ecc work-items sync-github --repo owner/repo` for PR/issue queue state, and `ecc status --exit-code` to fail automation when readiness needs attention.
 - **Ecosystem hardening** — AgentShield, ECC Tools cost controls, billing portal work, and website refreshes continue to ship around the core plugin instead of drifting into separate silos.
 
 ### v1.9.0 — Selective Install & Language Expansion (Mar 2026)
@@ -165,7 +170,62 @@ See the full changelog in [Releases](https://github.com/affaan-m/everything-clau
 
 Get up and running in under 2 minutes:
 
-### Step 1: Install the Plugin
+### Pick one path only
+
+Most Claude Code users should use exactly one install path:
+
+- **Recommended default:** install the Claude Code plugin, then copy only the rule folders you actually want.
+- **Use the manual installer only if** you want finer-grained control, want to avoid the plugin path entirely, or your Claude Code build has trouble resolving the self-hosted marketplace entry.
+- **Do not stack install methods.** The most common broken setup is: `/plugin install` first, then `install.sh --profile full` or `npx ecc-install --profile full` afterward.
+
+If you already layered multiple installs and things look duplicated, skip straight to [Reset / Uninstall ECC](#reset--uninstall-ecc).
+
+### Low-context / no-hooks path
+
+If hooks feel too global or you only want ECC's rules, agents, commands, and core workflow skills, skip the plugin and use the minimal manual profile:
+
+```bash
+./install.sh --profile minimal --target claude
+```
+
+```powershell
+.\install.ps1 --profile minimal --target claude
+# or
+npx ecc-install --profile minimal --target claude
+```
+
+This profile intentionally excludes `hooks-runtime`.
+
+If you want the normal core profile but need hooks off, use:
+
+```bash
+./install.sh --profile core --without baseline:hooks --target claude
+```
+
+Add hooks later only if you want runtime enforcement:
+
+```bash
+./install.sh --target claude --modules hooks-runtime
+```
+
+### Find the right components first
+
+If you are not sure which ECC profile or component to install, ask the packaged advisor from any project:
+
+```bash
+npx ecc consult "security reviews" --target claude
+```
+
+It returns matching components, related profiles, and preview/install commands. Use the preview command before installing if you want to inspect the exact file plan.
+
+For production ML/MLOps workflows, keep the install opt-in and component-scoped:
+
+```bash
+npx ecc consult "mlops training model deployment" --target claude
+npx ecc install --profile minimal --target claude --with capability:machine-learning
+```
+
+### Step 1: Install the Plugin (Recommended)
 
 > NOTE: The plugin is convenient, but the OSS installer below is still the most reliable path if your Claude Code build has trouble resolving self-hosted marketplace entries.
 
@@ -174,16 +234,30 @@ Get up and running in under 2 minutes:
 /plugin marketplace add https://github.com/affaan-m/everything-claude-code
 
 # Install plugin
-/plugin install everything-claude-code
+/plugin install ecc@ecc
 ```
 
-> Install-name clarification: older posts may still show `ecc@ecc`. That shorthand is deprecated. Anthropic marketplace/plugin installs are keyed by a canonical plugin identifier, so ECC standardized on `everything-claude-code@everything-claude-code` to keep the listing name, install path, `/plugin list`, and repo docs aligned instead of maintaining two different public names for the same plugin.
+### Naming + Migration Note
 
-### Step 2: Install Rules (Required)
+ECC now has three public identifiers, and they are not interchangeable:
 
-> WARNING: **Important:** Claude Code plugins cannot distribute `rules` automatically. Install them manually:
+- GitHub source repo: `affaan-m/everything-claude-code`
+- Claude marketplace/plugin identifier: `ecc@ecc`
+- npm package: `ecc-universal`
+
+This is intentional. Anthropic marketplace/plugin installs are keyed by a canonical plugin identifier, so ECC uses `ecc@ecc` to keep tool names and slash-command namespaces short enough for strict Desktop/API validators. Older posts may still show the former long marketplace identifier; treat that as a legacy alias only. Separately, the npm package stayed on `ecc-universal`, so npm installs and marketplace installs intentionally use different names.
+
+### Step 2: Install Rules Only If You Need Them
+
+> WARNING: **Important:** Claude Code plugins cannot distribute `rules` automatically.
 >
-> If your local Claude setup was wiped or reset, that does not mean you need to repurchase ECC. Start with `ecc list-installed`, then run `ecc doctor` and `ecc repair` before reinstalling anything. That usually restores ECC-managed files without rebuilding your setup. If the problem is account or marketplace access for ECC Tools, handle billing/account recovery separately.
+> If you already installed ECC via `/plugin install`, **do not run `./install.sh --profile full`, `.\install.ps1 --profile full`, or `npx ecc-install --profile full` afterward**. The plugin already loads ECC skills, commands, and hooks. Running the full installer after a plugin install copies those same surfaces into your user directories and can create duplicate skills plus duplicate runtime behavior.
+>
+> For plugin installs, manually copy only the `rules/` directories you want under `~/.claude/rules/ecc/`. Start with `rules/common` plus one language or framework pack you actually use. Do not copy every rules directory unless you explicitly want all of that context in Claude.
+>
+> Use the full installer only when you are doing a fully manual ECC install instead of the plugin path.
+>
+> If your local Claude setup was wiped or reset, that does not mean you need to repurchase ECC. Start with `node scripts/ecc.js list-installed`, then run `node scripts/ecc.js doctor` and `node scripts/ecc.js repair` before reinstalling anything. That usually restores ECC-managed files without rebuilding your setup. If the problem is account or marketplace access for ECC Tools, handle billing/account recovery separately.
 
 ```bash
 # Clone the repo first
@@ -193,55 +267,98 @@ cd everything-claude-code
 # Install dependencies (pick your package manager)
 npm install        # or: pnpm install | yarn install | bun install
 
-# macOS/Linux
+# Plugin install path: copy only ECC rules into an ECC-owned namespace
+mkdir -p ~/.claude/rules/ecc
+cp -R rules/common ~/.claude/rules/ecc/
+cp -R rules/typescript ~/.claude/rules/ecc/
 
-# Recommended: install everything (full profile)
-./install.sh --profile full
-
-# Or install for specific languages only
-./install.sh typescript    # or python or golang or swift or php
-# ./install.sh typescript python golang swift php
-# ./install.sh --target cursor typescript
-# ./install.sh --target antigravity typescript
-# ./install.sh --target gemini --profile full
+# Fully manual ECC install path (use this instead of /plugin install)
+# ./install.sh --profile full
 ```
 
 ```powershell
 # Windows PowerShell
 
-# Recommended: install everything (full profile)
-.\install.ps1 --profile full
+# Plugin install path: copy only ECC rules into an ECC-owned namespace
+New-Item -ItemType Directory -Force -Path "$HOME/.claude/rules/ecc" | Out-Null
+Copy-Item -Recurse rules/common "$HOME/.claude/rules/ecc/"
+Copy-Item -Recurse rules/typescript "$HOME/.claude/rules/ecc/"
 
-# Or install for specific languages only
-.\install.ps1 typescript   # or python or golang or swift or php
-# .\install.ps1 typescript python golang swift php
-# .\install.ps1 --target cursor typescript
-# .\install.ps1 --target antigravity typescript
-# .\install.ps1 --target gemini --profile full
-
-# npm-installed compatibility entrypoint also works cross-platform
-npx ecc-install typescript
+# Fully manual ECC install path (use this instead of /plugin install)
+# .\install.ps1 --profile full
+# npx ecc-install --profile full
 ```
 
 For manual install instructions see the README in the `rules/` folder. When copying rules manually, copy the whole language directory (for example `rules/common` or `rules/golang`), not the files inside it, so relative references keep working and filenames do not collide.
 
+### Fully manual install (Fallback)
+
+Use this only if you are intentionally skipping the plugin path:
+
+```bash
+./install.sh --profile full
+```
+
+```powershell
+.\install.ps1 --profile full
+# or
+npx ecc-install --profile full
+```
+
+If you choose this path, stop there. Do not also run `/plugin install`.
+
+### Reset / Uninstall ECC
+
+If ECC feels duplicated, intrusive, or broken, do not keep reinstalling it on top of itself.
+
+- **Plugin path:** remove the plugin from Claude Code, then delete the specific rule folders you manually copied under `~/.claude/rules/ecc/`.
+- **Manual installer / CLI path:** from the repo root, preview removal first:
+
+```bash
+node scripts/uninstall.js --dry-run
+```
+
+Then remove ECC-managed files:
+
+```bash
+node scripts/uninstall.js
+```
+
+You can also use the lifecycle wrapper:
+
+```bash
+node scripts/ecc.js list-installed
+node scripts/ecc.js doctor
+node scripts/ecc.js repair
+node scripts/ecc.js uninstall --dry-run
+```
+
+ECC only removes files recorded in its install-state. It will not delete unrelated files it did not install.
+
+If you stacked methods, clean up in this order:
+
+1. Remove the Claude Code plugin install.
+2. Run the ECC uninstall command from the repo root to remove install-state-managed files.
+3. Delete any extra rule folders you copied manually and no longer want.
+4. Reinstall once, using a single path.
+
 ### Step 3: Start Using
 
 ```bash
 # Skills are the primary workflow surface.
 # Existing slash-style command names still work while ECC migrates off commands/.
 
-# Plugin install uses the namespaced form
+# Plugin install uses the canonical namespaced form
 /ecc:plan "Add user authentication"
 
 # Manual install keeps the shorter slash form:
 # /plan "Add user authentication"
 
 # Check available commands
-/plugin list everything-claude-code@everything-claude-code
+/plugin list ecc@ecc
 ```
 
-**That's it!** You now have access to 48 agents, 183 skills, and 79 legacy command shims.
+**That's it!** You now have access to 58 agents, 220 skills, and 74 legacy command shims.
 
 ### Dashboard GUI
 
@@ -319,6 +436,12 @@ export ECC_HOOK_PROFILE=standard
 
 # Comma-separated hook IDs to disable
 export ECC_DISABLED_HOOKS="pre:bash:tmux-reminder,post:edit:typecheck"
+
+# Cap SessionStart additional context (default: 8000 chars)
+export ECC_SESSION_START_MAX_CHARS=4000
+
+# Disable SessionStart additional context entirely for low-context/local-model setups
+export ECC_SESSION_START_CONTEXT=off
 ```
 
 ---
@@ -333,7 +456,7 @@ everything-claude-code/
 |   |-- plugin.json         # Plugin metadata and component paths
 |   |-- marketplace.json    # Marketplace catalog for /plugin marketplace add
 |
-|-- agents/           # 36 specialized subagents for delegation
+|-- agents/           # 58 specialized subagents for delegation
 |   |-- planner.md           # Feature implementation planning
 |   |-- architect.md         # System design decisions
 |   |-- tdd-guide.md         # Test-driven development
@@ -349,6 +472,7 @@ everything-claude-code/
 |   |-- harness-optimizer.md # Harness config tuning
 |   |-- cpp-reviewer.md      # C++ code review
 |   |-- cpp-build-resolver.md # C++ build error resolution
+|   |-- fsharp-reviewer.md   # F# functional code review
 |   |-- go-reviewer.md       # Go code review
 |   |-- go-build-resolver.md # Go build error resolution
 |   |-- python-reviewer.md   # Python code review
@@ -358,9 +482,11 @@ everything-claude-code/
 |   |-- java-build-resolver.md # Java/Maven/Gradle build errors
 |   |-- kotlin-reviewer.md   # Kotlin/Android/KMP code review
 |   |-- kotlin-build-resolver.md # Kotlin/Gradle build errors
+|   |-- harmonyos-app-resolver.md # HarmonyOS/ArkTS app development
 |   |-- rust-reviewer.md     # Rust code review
 |   |-- rust-build-resolver.md # Rust build error resolution
 |   |-- pytorch-build-resolver.md # PyTorch/CUDA training errors
+|   |-- mle-reviewer.md      # Production ML pipeline, eval, serving, and monitoring review
 |
 |-- skills/           # Workflow definitions and domain knowledge
 |   |-- coding-standards/           # Language best practices
@@ -400,6 +526,10 @@ everything-claude-code/
 |   |-- springboot-security/        # Spring Boot security (NEW)
 |   |-- springboot-tdd/             # Spring Boot TDD (NEW)
 |   |-- springboot-verification/    # Spring Boot verification (NEW)
+|   |-- quarkus-patterns/           # Quarkus REST, Panache, and messaging patterns (NEW)
+|   |-- quarkus-security/           # Quarkus JWT/OIDC and RBAC security (NEW)
+|   |-- quarkus-tdd/                # Quarkus testing with JUnit, REST Assured, and Dev Services (NEW)
+|   |-- quarkus-verification/       # Quarkus build, test, security, and native verification (NEW)
 |   |-- configure-ecc/              # Interactive installation wizard (NEW)
 |   |-- security-scan/              # AgentShield security auditor integration (NEW)
 |   |-- java-coding-standards/     # Java coding standards (NEW)
@@ -422,23 +552,22 @@ everything-claude-code/
 |   |-- liquid-glass-design/         # iOS 26 Liquid Glass design system (NEW)
 |   |-- foundation-models-on-device/ # Apple on-device LLM with FoundationModels (NEW)
 |   |-- swift-concurrency-6-2/       # Swift 6.2 Approachable Concurrency (NEW)
+|   |-- mle-workflow/               # Production ML data contracts, evals, deployment, monitoring (NEW)
 |   |-- perl-patterns/             # Modern Perl 5.36+ idioms and best practices (NEW)
 |   |-- perl-security/             # Perl security patterns, taint mode, safe I/O (NEW)
 |   |-- perl-testing/              # Perl TDD with Test2::V0, prove, Devel::Cover (NEW)
 |   |-- autonomous-loops/           # Autonomous loop patterns: sequential pipelines, PR loops, DAG orchestration (NEW)
 |   |-- plankton-code-quality/      # Write-time code quality enforcement with Plankton hooks (NEW)
 |
-|-- commands/         # Legacy slash-entry shims; prefer skills/
-|   |-- tdd.md              # /tdd - Test-driven development
+|-- commands/         # Maintained slash-entry compatibility; prefer skills/
 |   |-- plan.md             # /plan - Implementation planning
-|   |-- e2e.md              # /e2e - E2E test generation
 |   |-- code-review.md      # /code-review - Quality review
 |   |-- build-fix.md        # /build-fix - Fix build errors
 |   |-- refactor-clean.md   # /refactor-clean - Dead code removal
+|   |-- quality-gate.md     # /quality-gate - Verification gate
 |   |-- learn.md            # /learn - Extract patterns mid-session (Longform Guide)
 |   |-- learn-eval.md       # /learn-eval - Extract, evaluate, and save patterns (NEW)
 |   |-- checkpoint.md       # /checkpoint - Save verification state (Longform Guide)
-|   |-- verify.md           # /verify - Run verification loop (Longform Guide)
 |   |-- setup-pm.md         # /setup-pm - Configure package manager
 |   |-- go-review.md        # /go-review - Go code review (NEW)
 |   |-- go-test.md          # /go-test - Go TDD workflow (NEW)
@@ -455,15 +584,19 @@ everything-claude-code/
 |   |-- multi-backend.md    # /multi-backend - Backend multi-service orchestration (NEW)
 |   |-- multi-frontend.md   # /multi-frontend - Frontend multi-service orchestration (NEW)
 |   |-- multi-workflow.md   # /multi-workflow - General multi-service workflows (NEW)
-|   |-- orchestrate.md      # /orchestrate - Multi-agent coordination
 |   |-- sessions.md         # /sessions - Session history management
-|   |-- eval.md             # /eval - Evaluate against criteria
 |   |-- test-coverage.md    # /test-coverage - Test coverage analysis
 |   |-- update-docs.md      # /update-docs - Update documentation
 |   |-- update-codemaps.md  # /update-codemaps - Update codemaps
 |   |-- python-review.md    # /python-review - Python code review (NEW)
+|-- legacy-command-shims/   # Opt-in archive for retired shims such as /tdd and /eval
+|   |-- tdd.md              # /tdd - Prefer the tdd-workflow skill
+|   |-- e2e.md              # /e2e - Prefer the e2e-testing skill
+|   |-- eval.md             # /eval - Prefer the eval-harness skill
+|   |-- verify.md           # /verify - Prefer the verification-loop skill
+|   |-- orchestrate.md      # /orchestrate - Prefer dmux-workflows or multi-workflow
 |
-|-- rules/            # Always-follow guidelines (copy to ~/.claude/rules/)
+|-- rules/            # Always-follow guidelines (copy to ~/.claude/rules/ecc/)
 |   |-- README.md            # Structure overview and installation guide
 |   |-- common/              # Language-agnostic principles
 |   |   |-- coding-style.md    # Immutability, file organization
@@ -479,6 +612,7 @@ everything-claude-code/
 |   |-- golang/              # Go specific
 |   |-- swift/               # Swift specific
 |   |-- php/                 # PHP specific (NEW)
+|   |-- arkts/               # HarmonyOS / ArkTS specific
 |
 |-- hooks/            # Trigger-based automations
 |   |-- README.md                 # Hook documentation, recipes, and customization guide
@@ -650,7 +784,7 @@ The easiest way to use this repo - install as a Claude Code plugin:
 /plugin marketplace add https://github.com/affaan-m/everything-claude-code
 
 # Install the plugin
-/plugin install everything-claude-code
+/plugin install ecc@ecc
 ```
 
 Or add directly to your `~/.claude/settings.json`:
@@ -666,7 +800,7 @@ Or add directly to your `~/.claude/settings.json`:
     }
   },
   "enabledPlugins": {
-    "everything-claude-code@everything-claude-code": true
+    "ecc@ecc": true
   }
 }
 ```
@@ -680,17 +814,17 @@ This gives you instant access to all commands, agents, skills, and hooks.
 > git clone https://github.com/affaan-m/everything-claude-code.git
 >
 > # Option A: User-level rules (applies to all projects)
-> mkdir -p ~/.claude/rules
-> cp -r everything-claude-code/rules/common ~/.claude/rules/
-> cp -r everything-claude-code/rules/typescript ~/.claude/rules/   # pick your stack
-> cp -r everything-claude-code/rules/python ~/.claude/rules/
-> cp -r everything-claude-code/rules/golang ~/.claude/rules/
-> cp -r everything-claude-code/rules/php ~/.claude/rules/
+> mkdir -p ~/.claude/rules/ecc
+> cp -r everything-claude-code/rules/common ~/.claude/rules/ecc/
+> cp -r everything-claude-code/rules/typescript ~/.claude/rules/ecc/   # pick your stack
+> cp -r everything-claude-code/rules/python ~/.claude/rules/ecc/
+> cp -r everything-claude-code/rules/golang ~/.claude/rules/ecc/
+> cp -r everything-claude-code/rules/php ~/.claude/rules/ecc/
 >
 > # Option B: Project-level rules (applies to current project only)
-> mkdir -p .claude/rules
-> cp -r everything-claude-code/rules/common .claude/rules/
-> cp -r everything-claude-code/rules/typescript .claude/rules/     # pick your stack
+> mkdir -p .claude/rules/ecc
+> cp -r everything-claude-code/rules/common .claude/rules/ecc/
+> cp -r everything-claude-code/rules/typescript .claude/rules/ecc/     # pick your stack
 > ```
 
 ---
@@ -707,26 +841,31 @@ git clone https://github.com/affaan-m/everything-claude-code.git
 cp everything-claude-code/agents/*.md ~/.claude/agents/
 
 # Copy rules directories (common + language-specific)
-mkdir -p ~/.claude/rules
-cp -r everything-claude-code/rules/common ~/.claude/rules/
-cp -r everything-claude-code/rules/typescript ~/.claude/rules/   # pick your stack
-cp -r everything-claude-code/rules/python ~/.claude/rules/
-cp -r everything-claude-code/rules/golang ~/.claude/rules/
-cp -r everything-claude-code/rules/php ~/.claude/rules/
+mkdir -p ~/.claude/rules/ecc
+cp -r everything-claude-code/rules/common ~/.claude/rules/ecc/
+cp -r everything-claude-code/rules/typescript ~/.claude/rules/ecc/   # pick your stack
+cp -r everything-claude-code/rules/python ~/.claude/rules/ecc/
+cp -r everything-claude-code/rules/golang ~/.claude/rules/ecc/
+cp -r everything-claude-code/rules/php ~/.claude/rules/ecc/
+cp -r everything-claude-code/rules/arkts ~/.claude/rules/ecc/
 
 # Copy skills first (primary workflow surface)
 # Recommended (new users): core/general skills only
-cp -r everything-claude-code/.agents/skills/* ~/.claude/skills/
-cp -r everything-claude-code/skills/search-first ~/.claude/skills/
+mkdir -p ~/.claude/skills/ecc
+cp -r everything-claude-code/.agents/skills/* ~/.claude/skills/ecc/
+cp -r everything-claude-code/skills/search-first ~/.claude/skills/ecc/
 
 # Optional: add niche/framework-specific skills only when needed
 # for s in django-patterns django-tdd laravel-patterns springboot-patterns; do
-# cp -r everything-claude-code/skills/$s ~/.claude/skills/
+# cp -r everything-claude-code/skills/$s ~/.claude/skills/ecc/
 # done
 
-# Optional: keep legacy slash-command compatibility during migration
+# Optional: keep maintained slash-command compatibility during migration
 mkdir -p ~/.claude/commands
 cp everything-claude-code/commands/*.md ~/.claude/commands/
+
+# Retired shims live in legacy-command-shims/commands/.
+# Copy individual files from there only if you still need old names such as /tdd.
 ```
 
 #### Install hooks
@@ -753,7 +892,11 @@ Windows note: the Claude config directory is `%USERPROFILE%\\.claude`, not `~/cl
 
 #### Configure MCPs
 
-Copy desired MCP server definitions from `mcp-configs/mcp-servers.json` into your official Claude Code config in `~/.claude/settings.json`, or into a project-scoped `.mcp.json` if you want repo-local MCP access.
+Claude plugin installs intentionally do not auto-enable ECC's bundled MCP server definitions. This avoids overlong plugin MCP tool names on strict third-party gateways while keeping manual MCP setup available.
+
+Use Claude Code's `/mcp` command or CLI-managed MCP setup for live Claude Code server changes. Use `/mcp` for Claude Code runtime disables; Claude Code persists those choices in `~/.claude.json`.
+
+For repo-local MCP access, copy desired MCP server definitions from `mcp-configs/mcp-servers.json` into a project-scoped `.mcp.json`.
 
 If you already run your own copies of ECC-bundled MCPs, set:
 
@@ -761,7 +904,7 @@ If you already run your own copies of ECC-bundled MCPs, set:
 export ECC_DISABLED_MCPS="github,context7,exa,playwright,sequential-thinking,memory"
 ```
 
-ECC-managed install and Codex sync flows will skip or remove those bundled servers instead of re-adding duplicates.
+ECC-managed install and Codex sync flows will skip or remove those bundled servers instead of re-adding duplicates. `ECC_DISABLED_MCPS` is an ECC install/sync filter, not a live Claude Code toggle.
 
 **Important:** Replace `YOUR_*_HERE` placeholders with your actual API keys.
 
@@ -786,7 +929,7 @@ You are a senior code reviewer...
 
 ### Skills
 
-Skills are the primary workflow surface. They can be invoked directly, suggested automatically, and reused by agents. ECC still ships `commands/` during migration, but new workflow development should land in `skills/` first.
+Skills are the primary workflow surface. They can be invoked directly, suggested automatically, and reused by agents. ECC still ships maintained `commands/` during migration, while retired short-name shims live under `legacy-command-shims/` for explicit opt-in only. New workflow development should land in `skills/` first.
 
 ```markdown
 # TDD Workflow
@@ -824,6 +967,7 @@ rules/
   golang/          # Go specific patterns and tools
   swift/           # Swift specific patterns and tools
   php/             # PHP specific patterns and tools
+  arkts/           # HarmonyOS / ArkTS patterns and constraints
 ```
 
 See [`rules/README.md`](rules/README.md) for installation and structure details.
@@ -832,39 +976,42 @@ See [`rules/README.md`](rules/README.md) for installation and structure details.
 
 ## Which Agent Should I Use?
 
-Not sure where to start? Use this quick reference. Skills are the canonical workflow surface; slash entries below are the compatibility form most users already know.
+Not sure where to start? Use this quick reference. Skills are the canonical workflow surface; maintained slash entries stay available for command-first workflows.
 
-| I want to... | Use this command | Agent used |
+| I want to... | Use this surface | Agent used |
 |--------------|-----------------|------------|
 | Plan a new feature | `/ecc:plan "Add auth"` | planner |
 | Design system architecture | `/ecc:plan` + architect agent | architect |
-| Write code with tests first | `/tdd` | tdd-guide |
+| Write code with tests first | `tdd-workflow` skill | tdd-guide |
 | Review code I just wrote | `/code-review` | code-reviewer |
 | Fix a failing build | `/build-fix` | build-error-resolver |
-| Run end-to-end tests | `/e2e` | e2e-runner |
+| Run end-to-end tests | `e2e-testing` skill | e2e-runner |
 | Find security vulnerabilities | `/security-scan` | security-reviewer |
 | Remove dead code | `/refactor-clean` | refactor-cleaner |
 | Update documentation | `/update-docs` | doc-updater |
 | Review Go code | `/go-review` | go-reviewer |
 | Review Python code | `/python-review` | python-reviewer |
+| Review F# code | *(invoke `fsharp-reviewer` directly)* | fsharp-reviewer |
 | Review TypeScript/JavaScript code | *(invoke `typescript-reviewer` directly)* | typescript-reviewer |
+| Develop HarmonyOS apps | *(invoke `harmonyos-app-resolver` directly)* | harmonyos-app-resolver |
 | Audit database queries | *(auto-delegated)* | database-reviewer |
+| Review production ML changes | `mle-workflow` skill + `mle-reviewer` agent | mle-reviewer |
 
 ### Common Workflows
 
-Slash forms below are shown because they are still the fastest familiar entrypoint. Under the hood, ECC is shifting these workflows toward skills-first definitions.
+Slash forms below are shown where they remain part of the maintained command surface. Retired short-name shims such as `/tdd` and `/eval` live in `legacy-command-shims/` for explicit opt-in only.
 
 **Starting a new feature:**
 ```
 /ecc:plan "Add user authentication with OAuth"
                                               → planner creates implementation blueprint
-/tdd                                          → tdd-guide enforces write-tests-first
+tdd-workflow skill                            → tdd-guide enforces write-tests-first
 /code-review                                  → code-reviewer checks your work
 ```
 
 **Fixing a bug:**
 ```
-/tdd                                          → tdd-guide: write a failing test that reproduces it
+tdd-workflow skill                            → tdd-guide: write a failing test that reproduces it
                                               → implement the fix, verify test passes
 /code-review                                  → code-reviewer: catch regressions
 ```
@@ -872,7 +1019,7 @@ Slash forms below are shown because they are still the fastest familiar entrypoi
 **Preparing for production:**
 ```
 /security-scan                                → security-reviewer: OWASP Top 10 audit
-/e2e                                          → e2e-runner: critical user flow tests
+e2e-testing skill                             → e2e-runner: critical user flow tests
 /test-coverage                                → verify 80%+ coverage
 ```
 
@@ -884,7 +1031,7 @@ Slash forms below are shown because they are still the fastest familiar entrypoi
 <summary><b>How do I check which agents/commands are installed?</b></summary>
 
 ```bash
-/plugin list everything-claude-code@everything-claude-code
+/plugin list ecc@ecc
 ```
 
 This shows all available agents, commands, and skills from the plugin.
@@ -924,15 +1071,9 @@ Official references:
 <details>
 <summary><b>My context window is shrinking / Claude is running out of context</b></summary>
 
-Too many MCP servers eat your context. Each MCP tool description consumes tokens from your 200k window, potentially reducing it to ~70k.
+Too many MCP servers eat your context. Each MCP tool description consumes tokens from your 200k window, potentially reducing it to ~70k. SessionStart context is capped at 8000 characters by default; lower it with `ECC_SESSION_START_MAX_CHARS=4000` or disable it with `ECC_SESSION_START_CONTEXT=off` for local-model or low-context setups.
 
-**Fix:** Disable unused MCPs per project:
-```json
-// In your project's .claude/settings.json
-{
-  "disabledMcpServers": ["supabase", "railway", "vercel"]
-}
-```
+**Fix:** Disable unused MCPs from Claude Code with `/mcp`. Claude Code writes those runtime choices to `~/.claude.json`; `.claude/settings.json` and `.claude/settings.local.json` are not reliable toggles for already-loaded MCP servers.
 
 Keep under 10 MCPs enabled and under 80 tools active.
 </details>
@@ -947,8 +1088,8 @@ Yes. Use Option 2 (manual installation) and copy only what you need:
 cp everything-claude-code/agents/*.md ~/.claude/agents/
 
 # Just rules
-mkdir -p ~/.claude/rules/
-cp -r everything-claude-code/rules/common ~/.claude/rules/
+mkdir -p ~/.claude/rules/ecc/
+cp -r everything-claude-code/rules/common ~/.claude/rules/ecc/
 ```
 
 Each component is fully independent.
@@ -963,6 +1104,8 @@ Yes. ECC is cross-platform:
 - **OpenCode**: Full plugin support in `.opencode/`. See [OpenCode Support](#opencode-support).
 - **Codex**: First-class support for both macOS app and CLI, with adapter drift guards and SessionStart fallback. See PR [#257](https://github.com/affaan-m/everything-claude-code/pull/257).
 - **Antigravity**: Tightly integrated setup for workflows, skills, and flattened rules in `.agent/`. See [Antigravity Guide](docs/ANTIGRAVITY-GUIDE.md).
+- **JoyCode / CodeBuddy**: Project-local selective install adapters for commands, agents, skills, and flattened rules. See [JoyCode Adapter Guide](docs/JOYCODE-GUIDE.md).
+- **Qwen CLI**: Home-directory selective install adapter for commands, agents, skills, rules, and Qwen config. See [Qwen CLI Adapter Guide](docs/QWEN-GUIDE.md).
 - **Non-native harnesses**: Manual fallback path for Grok and similar interfaces. See [Manual Adaptation Guide](docs/MANUAL-ADAPTATION-GUIDE.md).
 - **Claude Code**: Native — this is the primary target.
 </details>
@@ -1009,7 +1152,7 @@ Please contribute! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
 
 ### Ideas for Contributions
 
-- Language-specific skills (Rust, C#, Kotlin, Java) — Go, Python, Perl, Swift, and TypeScript already included
+- Language-specific skills (Rust, C#, Kotlin, Java) — Go, Python, Perl, Swift, TypeScript, and HarmonyOS/ArkTS already included
 - Framework-specific configs (Rails, FastAPI) — Django, NestJS, Spring Boot, and Laravel already included
 - DevOps agents (Kubernetes, Terraform, AWS, Docker)
 - Testing strategies (different frameworks, visual regression)
@@ -1027,7 +1170,7 @@ These are not bundled with ECC and are not audited by this repo, but they are wo
 
 ## Cursor IDE Support
 
-ECC provides **full Cursor IDE support** with hooks, rules, agents, skills, commands, and MCP configs adapted for Cursor's native format.
+ECC provides Cursor IDE support with hooks, rules, agents, skills, commands, and MCP configs adapted for Cursor's project layout.
 
 ### Quick Start (Cursor)
 
@@ -1050,11 +1193,17 @@ ECC provides **full Cursor IDE support** with hooks, rules, agents, skills, comm
 | Hook Events | 15 | sessionStart, beforeShellExecution, afterFileEdit, beforeMCPExecution, beforeSubmitPrompt, and 10 more |
 | Hook Scripts | 16 | Thin Node.js scripts delegating to `scripts/hooks/` via shared adapter |
 | Rules | 34 | 9 common (alwaysApply) + 25 language-specific (TypeScript, Python, Go, Swift, PHP) |
-| Agents | Shared | Via AGENTS.md at root (read by Cursor natively) |
-| Skills | Shared + Bundled | Via AGENTS.md at root and `.cursor/skills/` for translated additions |
+| Agents | 48 | `.cursor/agents/ecc-*.md` when installed; prefixed to avoid collisions with user or marketplace agents |
+| Skills | Shared + Bundled | `.cursor/skills/` for translated additions |
 | Commands | Shared | `.cursor/commands/` if installed |
 | MCP Config | Shared | `.cursor/mcp.json` if installed |
 
+### Cursor Loading Notes
+
+ECC does not install root `AGENTS.md` into `.cursor/`. Cursor treats nested `AGENTS.md` files as directory context, so copying ECC's repo identity into a host project would pollute that project.
+
+Cursor-native loading behavior can vary by Cursor build. ECC installs agents as `.cursor/agents/ecc-*.md`; if your Cursor build does not expose project agents, those files still work as explicit reference definitions instead of hidden global prompt context.
+
 ### Hook Architecture (DRY Adapter Pattern)
 
 Cursor has **more hook events than Claude Code** (20 vs 8). The `.cursor/hooks/adapter.js` module transforms Cursor's stdin JSON to Claude Code's format, allowing existing `scripts/hooks/*.js` to be reused without duplication.
@@ -1122,7 +1271,7 @@ Codex macOS app:
 |-----------|-------|---------|
 | Config | 1 | `.codex/config.toml` — top-level approvals/sandbox/web_search, MCP servers, notifications, profiles |
 | AGENTS.md | 2 | Root (universal) + `.codex/AGENTS.md` (Codex-specific supplement) |
-| Skills | 30 | `.agents/skills/` — SKILL.md + agents/openai.yaml per skill |
+| Skills | 32 | `.agents/skills/` — SKILL.md + agents/openai.yaml per skill |
 | MCP Servers | 6 | GitHub, Context7, Exa, Memory, Playwright, Sequential Thinking (7 with Supabase via `--update-mcp` sync) |
 | Profiles | 2 | `strict` (read-only sandbox) and `yolo` (full auto-approve) |
 | Agent Roles | 3 | `.codex/agents/` — explorer, reviewer, docs-researcher |
@@ -1131,14 +1280,17 @@ Codex macOS app:
 
 Skills at `.agents/skills/` are auto-loaded by Codex:
 
+Canonical Anthropic skills such as `claude-api`, `frontend-design`, and `skill-creator` are intentionally not re-bundled here. Install those from [`anthropics/skills`](https://github.com/anthropics/skills) when you want the official versions.
+
 | Skill | Description |
 |-------|-------------|
+| agent-introspection-debugging | Debug agent behavior, routing, and prompt boundaries |
+| agent-sort | Sort agent catalogs and assignment surfaces |
 | api-design | REST API design patterns |
 | article-writing | Long-form writing from notes and voice references |
 | backend-patterns | API design, database, caching |
 | brand-voice | Source-derived writing style profiles from real content |
 | bun-runtime | Bun as runtime, package manager, bundler, and test runner |
-| claude-api | Anthropic Claude API patterns for Python and TypeScript |
 | coding-standards | Universal coding standards |
 | content-engine | Platform-native social content and repurposing |
 | crosspost | Multi-platform content distribution across X, LinkedIn, Threads |
@@ -1157,6 +1309,7 @@ Skills at `.agents/skills/` are auto-loaded by Codex:
 | market-research | Source-attributed market and competitor research |
 | mcp-server-patterns | Build MCP servers with Node/TypeScript SDK |
 | nextjs-turbopack | Next.js 16+ and Turbopack incremental bundling |
+| product-capability | Translate product goals into scoped capability maps |
 | security-review | Comprehensive security checklist |
 | strategic-compact | Context management |
 | tdd-workflow | Test-driven development with 80%+ coverage |
@@ -1207,9 +1360,9 @@ The configuration is automatically detected from `.opencode/opencode.json`.
 
 | Feature | Claude Code | OpenCode | Status |
 |---------|-------------|----------|--------|
-| Agents | PASS: 48 agents | PASS: 12 agents | **Claude Code leads** |
-| Commands | PASS: 79 commands | PASS: 31 commands | **Claude Code leads** |
-| Skills | PASS: 183 skills | PASS: 37 skills | **Claude Code leads** |
+| Agents | PASS: 58 agents | PASS: 12 agents | **Claude Code leads** |
+| Commands | PASS: 74 commands | PASS: 35 commands | **Claude Code leads** |
+| Skills | PASS: 220 skills | PASS: 37 skills | **Claude Code leads** |
 | Hooks | PASS: 8 event types | PASS: 11 events | **OpenCode has more!** |
 | Rules | PASS: 29 rules | PASS: 13 instructions | **Claude Code leads** |
 | MCP Servers | PASS: 14 servers | PASS: Full | **Full parity** |
@@ -1229,21 +1382,17 @@ OpenCode's plugin system is MORE sophisticated than Claude Code with 20+ event t
 
 **Additional OpenCode events**: `file.edited`, `file.watcher.updated`, `message.updated`, `lsp.client.diagnostics`, `tui.toast.show`, and more.
 
-### Available Slash Entry Shims (31+)
+### Maintained Slash Entries
 
 | Command | Description |
 |---------|-------------|
 | `/plan` | Create implementation plan |
-| `/tdd` | Enforce TDD workflow |
 | `/code-review` | Review code changes |
 | `/build-fix` | Fix build errors |
-| `/e2e` | Generate E2E tests |
 | `/refactor-clean` | Remove dead code |
-| `/orchestrate` | Multi-agent workflow |
 | `/learn` | Extract patterns from session |
 | `/checkpoint` | Save verification state |
-| `/verify` | Run verification loop |
-| `/eval` | Evaluate against criteria |
+| `/quality-gate` | Run the maintained verification gate |
 | `/update-docs` | Update documentation |
 | `/update-codemaps` | Update codemaps |
 | `/test-coverage` | Analyze coverage |
@@ -1316,9 +1465,9 @@ ECC is the **first plugin to maximize every major AI coding tool**. Here's how e
 
 | Feature | Claude Code | Cursor IDE | Codex CLI | OpenCode |
 |---------|------------|------------|-----------|----------|
-| **Agents** | 48 | Shared (AGENTS.md) | Shared (AGENTS.md) | 12 |
-| **Commands** | 79 | Shared | Instruction-based | 31 |
-| **Skills** | 183 | Shared | 10 (native format) | 37 |
+| **Agents** | 58 | Shared (AGENTS.md) | Shared (AGENTS.md) | 12 |
+| **Commands** | 74 | Shared | Instruction-based | 35 |
+| **Skills** | 220 | Shared | 10 (native format) | 37 |
 | **Hook Events** | 8 types | 15 types | None yet | 11 types |
 | **Hook Scripts** | 20+ scripts | 16 scripts (DRY adapter) | N/A | Plugin hooks |
 | **Rules** | 34 (common + lang) | 34 (YAML frontmatter) | Instruction-based | 13 instructions |
@@ -1328,7 +1477,7 @@ ECC is the **first plugin to maximize every major AI coding tool**. Here's how e
 | **Context File** | CLAUDE.md + AGENTS.md | AGENTS.md | AGENTS.md | AGENTS.md |
 | **Secret Detection** | Hook-based | beforeSubmitPrompt hook | Sandbox-based | Hook-based |
 | **Auto-Format** | PostToolUse hook | afterFileEdit hook | N/A | file.edited hook |
-| **Version** | Plugin | Plugin | Reference config | 1.10.0 |
+| **Version** | Plugin | Plugin | Reference config | 2.0.0-rc.1 |
 
 **Key architectural decisions:**
 - **AGENTS.md** at root is the universal cross-tool file (read by all 4 tools)
@@ -1404,7 +1553,8 @@ The `strategic-compact` skill (included in this plugin) suggests `/compact` at l
 
 - Keep under 10 MCPs enabled per project
 - Keep under 80 tools active
-- Use `disabledMcpServers` in project config to disable unused ones
+- Use `/mcp` to disable unused Claude Code MCP servers; those runtime choices persist in `~/.claude.json`
+- Use `ECC_DISABLED_MCPS` only to filter ECC-generated MCP configs during install/sync flows
 
 ### Agent Teams Cost Warning
 
@@ -1451,6 +1601,7 @@ Projects built on or inspired by Everything Claude Code:
 | Project | Description |
 |---------|-------------|
 | [EVC](https://github.com/SaigonXIII/evc) | Marketing agent workspace — 42 commands for content operators, brand governance, and multi-channel publishing. [Visual overview](https://saigonxiii.github.io/evc). |
+| [trading-skills](https://github.com/VictorVVedtion/trading-skills) | 68 trading-themed Claude Code skills with pre-trade review prompts and risk gates inspired by market operators. |
 
 Built something with ECC? Open a PR to add it here.
 

README.zh-CN.md

@@ -21,9 +21,9 @@
 
 <div align="center">
 
-**Language / 语言 / 語言 / Dil**
+**Language / 语言 / 語言 / Dil / Язык / Ngôn ngữ**
 
-[**English**](README.md) | [Português (Brasil)](docs/pt-BR/README.md) | [简体中文](README.zh-CN.md) | [繁體中文](docs/zh-TW/README.md) | [日本語](docs/ja-JP/README.md) | [한국어](docs/ko-KR/README.md) | [Türkçe](docs/tr/README.md)
+[**English**](README.md) | [Português (Brasil)](docs/pt-BR/README.md) | [简体中文](README.zh-CN.md) | [繁體中文](docs/zh-TW/README.md) | [日本語](docs/ja-JP/README.md) | [한국어](docs/ko-KR/README.md) | [Türkçe](docs/tr/README.md) | [Русский](docs/ru/README.md) | [Tiếng Việt](docs/vi-VN/README.md)
 
 </div>
 
@@ -80,7 +80,7 @@
 
 ## 最新动态
 
-### v1.10.0 — 表面同步、运营工作流与 ECC 2.0 Alpha（2026年4月）
+### v2.0.0-rc.1 — 表面同步、运营工作流与 ECC 2.0 Alpha（2026年4月）
 
 - **公共表面已与真实仓库同步** —— 元数据、目录数量、插件清单以及安装文档现在都与实际开源表面保持一致。
 - **运营与外向型工作流扩展** —— `brand-voice`、`social-graph-ranker`、`customer-billing-ops`、`google-workspace-ops` 等运营型 skill 已纳入同一系统。
@@ -102,14 +102,18 @@
 /plugin marketplace add https://github.com/affaan-m/everything-claude-code
 
 # 安装插件
-/plugin install everything-claude-code
+/plugin install ecc@ecc
 ```
 
-> 安装名称说明：较早的帖子里可能还会出现 `ecc@ecc`。那个旧缩写现在已经废弃。Anthropic 的 marketplace/plugin 安装是按规范化插件标识符寻址的，因此 ECC 统一为 `everything-claude-code@everything-claude-code`，这样市场条目、安装命令、`/plugin list` 输出和仓库文档都使用同一个公开名称，不再出现两个名字指向同一插件的混乱。
+> 安装名称说明：较早的帖子里可能还会出现较长的旧标识符。Anthropic 的 marketplace/plugin 安装是按规范化插件标识符寻址的，因此 ECC 现在统一为 `ecc@ecc`，让工具名和 slash command 命名空间保持简短。
 
-### 第二步：安装规则（必需）
+### 第二步：仅在需要时安装规则
 
-> WARNING: **重要提示：** Claude Code 插件无法自动分发 `rules`，需要手动安装：
+> WARNING: **重要提示：** Claude Code 插件无法自动分发 `rules`。
+>
+> 如果你已经通过 `/plugin install` 安装了 ECC，**不要再运行 `./install.sh --profile full`、`.\install.ps1 --profile full` 或 `npx ecc-install --profile full`**。插件已经会自动加载 ECC 的技能、命令和 hooks；此时再执行完整安装，会把同一批内容再次复制到用户目录，导致技能重复以及运行时行为重复。
+>
+> 对于插件安装路径，请只手动复制你需要的 `rules/` 目录。只有在你完全不走插件安装、而是选择“纯手动安装 ECC”时，才应该使用完整安装器。
 
 ```bash
 # 首先克隆仓库
@@ -119,34 +123,26 @@ cd everything-claude-code
 # 安装依赖（选择你常用的包管理器）
 npm install        # 或：pnpm install | yarn install | bun install
 
-# macOS/Linux 系统
+# 插件安装路径：只复制规则
+mkdir -p ~/.claude/rules
+cp -R rules/common ~/.claude/rules/
+cp -R rules/typescript ~/.claude/rules/
 
-# 推荐方式：完整安装（完整配置文件）
-./install.sh --profile full
-
-# 或仅为指定编程语言安装
-./install.sh typescript    # 也可安装 python、golang、swift、php
-# ./install.sh typescript python golang swift php
-# ./install.sh --target cursor typescript
-# ./install.sh --target antigravity typescript
-# ./install.sh --target gemini --profile full
+# 纯手动安装 ECC（不要和 /plugin install 叠加）
+# ./install.sh --profile full
 ```
 
 ```powershell
 # Windows 系统（PowerShell）
 
-# 推荐方式：完整安装（完整配置文件）
-.\install.ps1 --profile full
+# 插件安装路径：只复制规则
+New-Item -ItemType Directory -Force -Path "$HOME/.claude/rules" | Out-Null
+Copy-Item -Recurse rules/common "$HOME/.claude/rules/"
+Copy-Item -Recurse rules/typescript "$HOME/.claude/rules/"
 
-# 或仅为指定编程语言安装
-.\install.ps1 typescript   # 也可安装 python、golang、swift、php
-# .\install.ps1 typescript python golang swift php
-# .\install.ps1 --target cursor typescript
-# .\install.ps1 --target antigravity typescript
-# .\install.ps1 --target gemini --profile full
-
-# 通过 npm 安装的兼容入口，支持全平台使用
-npx ecc-install typescript
+# 纯手动安装 ECC（不要和 /plugin install 叠加）
+# .\install.ps1 --profile full
+# npx ecc-install --profile full
 ```
 
 如需手动安装说明，请查看 `rules/` 文件夹中的 README 文档。手动复制规则文件时，请直接复制**整个语言目录**（例如 `rules/common` 或 `rules/golang`），而非目录内的单个文件，以保证相对路径引用正常、文件名不会冲突。
@@ -161,10 +157,10 @@ npx ecc-install typescript
 # /plan "添加用户认证"
 
 # 查看可用命令
-/plugin list everything-claude-code@everything-claude-code
+/plugin list ecc@ecc
 ```
 
-**完成！** 你现在可以使用 48 个代理、183 个技能和 79 个命令。
+**完成！** 你现在可以使用 58 个代理、220 个技能和 74 个命令。
 
 ### multi-* 命令需要额外配置
 
@@ -334,17 +330,15 @@ everything-claude-code/
 |   |-- autonomous-loops/           # 自主循环模式：顺序流水线、PR 循环、DAG 编排（新增）
 |   |-- plankton-code-quality/      # 基于 Plankton 钩子的实时代码质量管控（新增）
 |
-|-- commands/         # 传统斜杠命令兼容层；优先使用 skills/
-|   |-- tdd.md              # /tdd - 测试驱动开发
+|-- commands/         # 维护中的斜杠命令兼容层；优先使用 skills/
 |   |-- plan.md             # /plan - 实现规划
-|   |-- e2e.md              # /e2e - 生成端到端测试
 |   |-- code-review.md      # /code-review - 代码质量审查
 |   |-- build-fix.md        # /build-fix - 修复构建错误
+|   |-- quality-gate.md     # /quality-gate - 验证门禁
 |   |-- refactor-clean.md   # /refactor-clean - 清理无效代码
 |   |-- learn.md            # /learn - 会话中提取模式（长文本指南）
 |   |-- learn-eval.md       # /learn-eval - 提取、评估并保存模式（新增）
 |   |-- checkpoint.md       # /checkpoint - 保存验证状态（长文本指南）
-|   |-- verify.md           # /verify - 运行验证循环（长文本指南）
 |   |-- setup-pm.md         # /setup-pm - 配置包管理器
 |   |-- go-review.md        # /go-review - Go 代码审查（新增）
 |   |-- go-test.md          # /go-test - Go TDD 工作流（新增）
@@ -361,13 +355,17 @@ everything-claude-code/
 |   |-- multi-backend.md    # /multi-backend - 后端多服务编排（新增）
 |   |-- multi-frontend.md   # /multi-frontend - 前端多服务编排（新增）
 |   |-- multi-workflow.md   # /multi-workflow - 通用多服务工作流（新增）
-|   |-- orchestrate.md      # /orchestrate - 多智能体协同调度
 |   |-- sessions.md         # /sessions - 会话历史管理
-|   |-- eval.md             # /eval - 按标准评估
 |   |-- test-coverage.md    # /test-coverage - 测试覆盖率分析
 |   |-- update-docs.md      # /update-docs - 更新文档
 |   |-- update-codemaps.md  # /update-codemaps - 更新代码映射
 |   |-- python-review.md    # /python-review - Python 代码审查（新增）
+|-- legacy-command-shims/   # 已退役短命令的按需归档，例如 /tdd 和 /eval
+|   |-- tdd.md              # /tdd - 优先使用 tdd-workflow 技能
+|   |-- e2e.md              # /e2e - 优先使用 e2e-testing 技能
+|   |-- eval.md             # /eval - 优先使用 eval-harness 技能
+|   |-- verify.md           # /verify - 优先使用 verification-loop 技能
+|   |-- orchestrate.md      # /orchestrate - 优先使用 dmux-workflows 或 multi-workflow
 |
 |-- rules/            # 必须遵守的规范（复制到 ~/.claude/rules/）
 |   |-- README.md            # 结构概览与安装指南
@@ -548,7 +546,7 @@ Claude Code v2.1+ 会**按照约定自动加载**已安装插件中的 `hooks/ho
 /plugin marketplace add https://github.com/affaan-m/everything-claude-code
 
 # 安装插件
-/plugin install everything-claude-code
+/plugin install ecc@ecc
 ```
 
 或直接添加到你的 `~/.claude/settings.json`：
@@ -564,7 +562,7 @@ Claude Code v2.1+ 会**按照约定自动加载**已安装插件中的 `hooks/ho
     }
   },
   "enabledPlugins": {
-    "everything-claude-code@everything-claude-code": true
+    "ecc@ecc": true
   }
 }
 ```
@@ -622,9 +620,12 @@ cp -r everything-claude-code/skills/search-first ~/.claude/skills/
 # cp -r everything-claude-code/skills/$s ~/.claude/skills/
 # done
 
-# 可选：迁移期间保留传统斜杠命令兼容
+# 可选：迁移期间保留维护中的斜杠命令兼容
 mkdir -p ~/.claude/commands
 cp everything-claude-code/commands/*.md ~/.claude/commands/
+
+# 已退役短命令位于 legacy-command-shims/commands/。
+# 仅在仍需要 /tdd 等旧名称时，单独复制对应文件。
 ```
 
 #### 将钩子配置添加到 settings.json

SECURITY.md

@@ -45,6 +45,53 @@ This policy covers:
 - MCP configurations shipped with ECC
 - The AgentShield security scanner ([github.com/affaan-m/agentshield](https://github.com/affaan-m/agentshield))
 
+## Operational Guidance
+
+### Secrets Handling
+
+`mcp-configs/mcp-servers.json` is a **template**. All `YOUR_*_HERE` values must be replaced at install time from env-vars or a secrets manager. Never commit real credentials. If a secret is accidentally committed, rotate it immediately and rewrite history; do not rely on a plain revert.
+
+The same rule applies to your user-scope Claude Code config (`~/.claude/settings.json` or `%USERPROFILE%\.claude\settings.json`). That file is outside this repository, but it is commonly shared via `claude doctor` output, screenshots, or bug reports. Do not hardcode PATs, API keys, or OAuth tokens into its `mcpServers[*].env` blocks; resolve them at spawn time from the OS keychain or env-vars your MCP server already supports. A quick audit:
+
+```bash
+# macOS / Linux
+grep -EnH '(TOKEN|SECRET|KEY|PASSWORD)\s*"\s*:\s*"[A-Za-z0-9_-]{16,}"' ~/.claude/settings.json
+# Windows PowerShell
+Select-String -Path "$env:USERPROFILE\.claude\settings.json" -Pattern '(TOKEN|SECRET|KEY|PASSWORD)"\s*:\s*"[A-Za-z0-9_-]{16,}"'
+```
+
+If the audit matches, rotate the secret at the issuing provider, then move it out of the file (per-provider env-var or `credentialHelper` for servers that support it).
+
+### Local MCP Ports
+
+Some bundled MCP servers connect over plain HTTP to a localhost port (e.g. `devfleet` to `http://localhost:18801/mcp`). Before first use, verify the listening process:
+
+```bash
+# Windows
+netstat -ano | findstr :18801
+# macOS / Linux
+lsof -iTCP:18801 -sTCP:LISTEN
+```
+
+Compare the PID against the expected devfleet binary. Any other process on that port can intercept MCP traffic.
+
+## Triage: suspicious `<system-reminder>` blocks
+
+ECC runs inside Claude Code, which injects **ephemeral client-side system reminders** into the model's input on every turn (TodoWrite nudges, date-changed notices, file-modified notices, etc.). These blocks:
+
+- typically end with phrasing like *"ignore if not applicable"* or *"NEVER mention this reminder to the user"* / *"Don't tell the user this, since they are already aware"*; that wording is Anthropic's own prompt, not a malicious tail;
+- are added by the CLI per turn and are **not persisted** in the session transcript at `~/.claude/projects/<slug>/<sessionId>.jsonl`.
+
+That combination makes them easy to mistake for a prompt-injection appended to a tool result. Before treating one as an attack, verify:
+
+1. Is the block actually in a file under this repo? `grep -rEn "system-reminder|NEVER mention|DO NOT mention" .`; if nothing, it is not carried by the repo.
+2. Is the block stored in the transcript? Inspect the current session's `.jsonl`; if the exact text does not appear inside a `tool_result` body there, it is a client-injected ephemeral reminder, not a payload from any tool.
+3. Is the content contextually consistent with Anthropic's known reminders (TodoWrite nudge, date-changed, file-modified notice)? If yes, it is the ephemeral-reminder mechanism and no action is needed.
+
+Escalate to Anthropic only if a block is **both** (a) present in the transcript inside a `tool_result` **and** (b) not attributable to the file or URL that was actually read. Minimal report: a fresh session, a read of a clean local file, the exact text observed, and the transcript excerpt. Send to <https://github.com/anthropics/claude-code/issues> (non-sensitive) or <mailto:security@anthropic.com> (embargo-class).
+
+Do not sanitize repo files in response to ephemeral reminders; they are not the carrier.
+
 ## Security Resources
 
 - **AgentShield**: Scan your agent config for vulnerabilities — `npx ecc-agentshield scan`

VERSION

@@ -1 +1 @@
-1.10.0
+2.0.0-rc.1