Reintroduce the Windows desktop E2E testing skill from stale PR #1334 with current manifest wiring, package publish coverage, catalog counts, and sanitized environment-path guidance.
Rebuild the useful homelab VLAN, DNS, and VPN planning surface from stale PR #1413 as a safety-first readiness checklist instead of raw router/firewall commands.
Sync the catalog count from 202 to 203 skills and include the skill in the devops-infra install module and npm publish surface.
- add a maintainer-reviewed MySQL/MariaDB production patterns skill based on PR #1727
- register the skill in database install module and npm publish allowlist
- sync catalog counts to 53 agents, 200 skills, and 69 commands
- add Vite and Redis pattern skills from closed stale PRs
- add frontend-slides support assets
- port skill-comply runner fixes and LLM prompt/provider regressions
- harden agent frontmatter validation and sync catalog counts
Port the safe, narrow pieces from contributor PR #1694 without taking the broad 11-skill rewrite.
- add drift-prone warnings to external research/media/API skills
- make search-first verify tool availability and use current agent naming
- remove unsafe in-memory rate limiter example from backend patterns
- tighten the CSP example in security-review
Validation: node scripts/ci/validate-skills.js --strict; npx markdownlint targeted skill files; node tests/ci/validators.test.js && node tests/ci/catalog.test.js; npm run lint; node tests/run-all.js
* feat(skills): add flox-environments skill
Add a skill for creating reproducible, cross-platform development
environments with Flox. Covers manifest structure, package installation
patterns, language-specific recipes (Python, Node, Rust, Go, C/C++),
hooks/profile configuration, anti-patterns, environment sharing, and
AI-assisted/vibe coding workflows.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(skills): address review feedback on flox-environments
- Add initdb guard to full-stack example so PostgreSQL works on first run
- Replace hardcoded /tmp path with mktemp in agent workflow snippet
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(skills): use variable for mktemp path in agent workflow
$_ resolves to the previous command's last argument (-c), not the
mktemp path. Use an explicit variable instead.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Update skills/flox-environments/SKILL.md
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* feat: add ios-icon-gen skill for Xcode asset catalog icon generation
Add a skill that generates PNG icon imagesets (1x, 2x, 3x) for Xcode
asset catalogs from two sources:
- Iconify API: 275k+ open source icons from 200+ collections
(Material Design, Phosphor, Tabler, Lucide, etc.)
- SF Symbols: 5k+ Apple-native symbols (macOS only)
Includes search, preview, and generation scripts with customizable
size, color, weight, and direct output to asset catalogs.
* fix: address PR review feedback for ios-icon-gen skill
Security:
- Fix shell injection in iconify_gen.sh by passing query via sys.argv
instead of interpolating into Python string literal
Robustness:
- Replace all try!/force-unwrap with do/try/catch and guard let in
generate_icons.swift for graceful error handling
- Add option value validation (require_value/requireOptionValue) in
both scripts to prevent crashes on missing flag values
- Add curl timeouts (--connect-timeout 10, --max-time 30) to all
network calls
- Add sips conversion failure warnings instead of silent suppression
- Add error handling for curl in list_collections
Documentation:
- Rename SKILL.md sections to "When to Use", "How It Works", "Examples"
to match repo conventions
* fix: restore canonical SKILL.md headers and validate color/weight CLI inputs
- Revert SKILL.md section headers back to "When to Activate" and
"Core Principles" per CONTRIBUTING.md and SKILL-DEVELOPMENT-GUIDE.md
(the prior rename to "When to Use"/"How It Works" was incorrect)
- Validate --color as a 6-digit hex code at parse time instead of
silently falling back to the default gray
- Validate --weight against the known set of font weights instead of
silently falling back to thin
---------
Co-authored-by: Quang Tran <16215255+trmquang93@users.noreply.github.com>
The Hook Setup example pointed to
`~/.claude/skills/strategic-compact/suggest-compact.js`, which does not
exist in the current repo layout. The cross-platform Node.js hook ships
at `scripts/hooks/suggest-compact.js` and is installed to
`~/.claude/scripts/hooks/suggest-compact.js`.
Anyone copy-pasting the documented config hit a broken hook command.
Closes#1675
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
On Windows 10/11 without Python installed from the Microsoft Store, the
"App Execution Alias" stubs at %LOCALAPPDATA%\Microsoft\WindowsApps\python.exe
and python3.exe are symlinks to AppInstallerPythonRedirector.exe. These
stubs neither launch Python nor honor `-c`; calls print a bare "Python "
line and exit, silently breaking every JSON-parsing step in observe.sh.
Net effect: observations.jsonl is never written, CLV2 appears installed
correctly, and the only residual artifact is `.last-purge`.
This commit:
1. Adds `_is_windows_app_installer_stub` helper that detects the stub
via `command -v` output and optional `readlink -f` resolution.
2. Teaches `resolve_python_cmd` to skip stub candidates and fall
through to the next real interpreter (typically C:\...\Python3xx\python.exe).
3. Exports the stub-aware CLV2_PYTHON_CMD before sourcing
detect-project.sh, which already honors an already-set value,
so the shared helper does not re-resolve and re-select the stub.
POSIX-compatible. No behavior change on macOS / Linux / WSL where no
such stub exists.
Refs: observations.jsonl empty on Windows Claude Desktop users.
* fix(gateguard): rewrite routineBashMsg to use fact-presentation pattern
The imperative 'Quote user's instruction verbatim. Then retry.' phrasing
triggers Claude Code's runtime anti-prompt-injection filter, deadlocking
the first Bash call of every session. The sibling gates (edit, write,
destructive) use multi-point fact-list framing that the runtime accepts.
Align routineBashMsg with that pattern to restore the gate's intended
behavior without changing run(), state schema, or any public API.
Closes#1530
* docs(gateguard): sync SKILL.md routine gate spec with new message format
CodeRabbit flagged that skills/gateguard/SKILL.md still described the
pre-fix imperative message. Update the Routine Bash Gate section to
match the numbered fact-list format used by the new routineBashMsg().
Two bugs in skills/continuous-learning-v2/scripts/detect-project.sh that
silently split the same project into multiple project_id records:
1. Locale-dependent SHA-256 input (HIGH)
The project_id hash was computed with
printf '%s' "$hash_input" | python -c 'sys.stdin.buffer.read()'
which ships shell-locale-encoded bytes to Python. On a system with a
non-UTF-8 LC_ALL (e.g. ja_JP.CP932 / CP1252) the same project root
produced a different 12-char hash than the UTF-8 locale would produce,
so observations/instincts were silently written under a separate
project directory. Fixed by passing the value via an env var and
encoding as UTF-8 inside Python, making the hash locale-independent.
2. basename cannot split Windows backslash paths (MEDIUM)
basename "C:\Users\...\ECC作成" returns the whole string on POSIX
bash, so project_name was garbled whenever CLAUDE_PROJECT_DIR was
passed as a native Windows path. Normalize backslashes to forward
slashes before calling basename.
Both the primary project_id hash and the legacy-compat fallback hash
are updated to use the env-var / UTF-8 approach.
Verified: id is stable across en_US.UTF-8, ja_JP.UTF-8, ja_JP.CP932, C,
and POSIX locales; Windows-path input yields project_name=ECC作成;
ASCII-only paths regress-free.
P2: Description now says "Edit/Write/Bash (including MultiEdit)"
instead of listing MultiEdit as a separate top-level gate
P2: Write Gate and Anti-Patterns now use same "redacted or synthetic
values" wording as Edit Gate (was still "cat one real record")
All 3 gate doc sections now consistent. 9/9 tests pass.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
P1: Gate message asked for raw production data records — changed to
"redacted or synthetic values" to prevent sensitive data exfiltration
P2: SKILL.md description now includes MultiEdit (was missing after
MultiEdit gate was added in previous commit)
P2: Session key pruning now caps __prefixed keys at 50 to prevent
unbounded growth even in theoretical edge cases
9/9 tests pass.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
