Force GitHub Pages workflows onto Node 24 while the pages actions
still emit Node 20 deprecation warnings. Relax the workflow guard test
so it validates fetch-depth on checkout without pinning a specific
checkout major version.
Add a short maintainer guide for merge:batch and link it from the
existing merge policy docs.
Lock in the source-validation CI fixes discovered during the
merge-batch end-to-end exercise so shallow checkout and missing
base-branch fetch regressions fail the workflow contract test.
Move yaml into runtime dependencies so the published npm installer
works in clean npx environments again. Bump the package to 9.5.1,
add the patch release notes, and keep README metadata aligned with
the release state.
Fixes#445
Add installer filters for risk, category, and tags so maintainers and
users can ship smaller skill surfaces to context-sensitive runtimes.
Document the reduced-install flow for OpenCode-style hosts, add the
humanize-chinese community skill, and sync the generated catalog and
plugin-safe artifacts that now reflect the release batch.
Refs #437
Refs #440
Refs #443
Allow the Claude and Codex marketplace tests to tolerate short-lived filesystem propagation delays while plugin skill directories are being rebuilt during release sync.
Handle transient ENOTEMPTY failures when rebuilding root and bundle plugin skill directories during the release sync flow, and cover the retry behavior with a unit test.
Replace the derived .claude-plugin directory entry with the concrete\nplugin manifest files so release:prepare can git-add them without\ntripping over the ignore rule for the directory itself.\n\nAdd matching test updates for the workflow contract.
Expand the conservative risk sync with explicit critical, offensive, and none patterns.\n\nAuto-apply high-confidence legacy label fixes, add the authorized-use notice when promoting offensive skills, and regenerate canonical and plugin artifacts so the unknown backlog keeps shrinking without loosening contributor input rules.
Add a maintainers script to safely promote high-confidence legacy risk labels from unknown to concrete values, cover it with tests, and regenerate the canonical skill artifacts and plugin copies. This reduces the legacy unknown backlog without forcing noisy classifications that still need manual review.
Treat generated plugin mirrors and marketplace outputs as managed
canonical artifacts so the main-branch sync bot can stage and commit
them instead of failing on unmanaged drift.
Ignore web-app coverage output during maintainer runs and update the
mirrored Office unpack scripts so plugin copies stay aligned with the
hardened source implementations.
Set PYTHONDONTWRITEBYTECODE for the shared Python runner and the
root test-suite launcher so local test runs do not create __pycache__
artifacts inside skills.
This keeps npm run test deterministic and avoids false negatives in the
editorial bundle inventory checks.
Tighten the repo-state automation so canonical bot commits remain
predictable while leaving main clean after each sync.
Make the public catalog UI more honest by hiding dev-only sync,
turning stars into explicit browser-local saves, aligning risk types,
and removing hardcoded catalog counts.
Add shared public asset URL helpers, risk suggestion plumbing,
safer unpack/sync guards, and CI coverage gates so release and
maintainer workflows catch drift earlier.
Sanitize WhatsApp Cloud API validator output across the root skill and plugin copies so code scanning no longer flags clear-text exposure.
Add a regression test that verifies successful and failed validation runs do not print sensitive response fields or API error details.
Make the Codex marketplace release test follow package.json instead of pinning the previous release version, so scripted release prepares can bump plugin manifests safely.
Add Codex marketplace metadata and a repo-local plugin scaffold so the repository can be installed as a Codex plugin without duplicating the skills catalog.
Document the new integration path and cover it with a regression test to keep the marketplace entry and plugin manifest in sync.
Restrict auto-apply to trusted review comments so spoofed issue comments
cannot write optimized SKILL.md content into pull request branches.
Reject activation symlinks that escape the source root and add
regression coverage for both security checks.
Install apps/web-app dependencies in the publish workflow before the\nfrontend build so CI matches the working Pages pipeline.\n\nHarden the maintainer release suite by adding the same install step\nbefore app:build, and switch the shared app:install helper to npm ci\nfor deterministic installs.\n\nDocument the follow-up patch release in the changelog so 8.7.1 can\npublish the 8.7.x line to npm after the 8.7.0 release failed before\nreaching the registry.
Refresh maintainer-owned artifacts after the PR merge batch, convert the\nJetski loader example to a directly importable Node ESM module, and add\nthe 8.7.0 changelog entry before release preparation.\n\nRefs #382\nRefs #388
Add a Unix activation script, Antigravity-specific installer guidance,
and cross-platform recovery documentation so users can reduce the
live skill set when truncation or context overload appears.
Regenerate the canonical bundle/catalog artifacts after merging the
stale goldrush-api removal so main stays release-ready.
Refs #381
Guard metadata repair and doc sync scripts against symlink targets so
repo maintenance tasks cannot overwrite arbitrary local files.
Replace recursive skill discovery with an iterative walk that skips
symlinked directories, and harden the VideoDB listener to write only
private regular files in the user-owned state directory.
Also fix the broken pr:preflight script entry and make the last30days
skill stop embedding raw user arguments directly in the shell command.
Freeze the accepted validation warning count at 135 so repo-state and release-state checks fail if the warning baseline grows silently while legacy warnings remain intentionally preserved.
Add a read-only maintainer audit command plus regression tests so maintainers can inspect repo health quickly without mutating files.
Unify main-branch maintenance around repo-state and release-state commands so generated docs, contributor acknowledgements, tracked web assets, and canonical artifacts stay aligned across CI and scheduled hygiene runs.
Harden release publication by reusing deterministic sync commands, adding package dry-run verification, and covering the new workflow contract with regression tests.
Add maintainer automation for repo-state hygiene so contributor acknowledgements, count-sensitive docs, and GitHub About metadata stay aligned from the same workflow.
Cover the new scripts with regression tests and wire them into the local test suite to keep future maintenance changes from drifting silently.
Expose an explicit sync:github-about workflow that updates the remote GitHub About description, homepage, and topics from the repository metadata source of truth.
Add regression coverage for the generated gh commands and document the new maintainer path in the changelog and walkthrough.
Extend repository metadata syncing so npm run chain now keeps count-sensitive docs and package copy aligned with the live skills catalog.
Add regression coverage for the curated-doc sync behavior and document the automation in the maintainer walkthrough and changelog.
* chore: implement ESM standardization and security attestation
Aligning root infrastructure with Node.js v24.14.0 standards.
- Set type: module in package.json to eliminate re-parsing overhead.
- Migrated Jetski Loader tests to .cjs to maintain legacy security audit compatibility.
- Verified path traversal and symlink protections with clean attestation.
* chore(ci): update pr_preflight path to .cjs for ESM compatibility
* feat(infra): surgical ESM modernization for Gemini suite
Resolved Codex P1 by reverting global root ESM shift to preserve installer stability.
- Implemented scoped 'type: module' in /docs/integrations/jetski-gemini-loader/ to eliminate re-parsing overhead.
- Updated test runner (run-test-suite.js) and CI (ci.yml) to track .cjs transitions.
- Verified zero-warning execution in Node v24.14.0.
Add a conservative metadata fixer for missing risk and source fields,
cover it with tests, and backfill the remaining skills using explicit
source inference only when the provenance is clear. Fall back to the
repo-documented defaults when the file does not support a stronger claim.
Refs #365
Make the skill filter helper treat the complete bundle as a
pass-through so categories missing from the hardcoded map are
not silently omitted.
Add a regression test to keep complete bundle behavior aligned
with its name.
Harden batch activation, dev refresh gating, Microsoft sync path
handling, and Jetski skill loading against command injection,
symlink traversal, and client-side star tampering.
Add regression coverage for the security-sensitive paths and
update the internal triage addendum for the Jetski loader fix.
Update the Claude marketplace entry to use a schema-valid relative source path and add a regression test so invalid marketplace sources fail in the local suite. Also document the maintainer workflow used for stale PR metadata and fork-gated Actions runs.
Fixes#344
Include tools/lib in the published npm files whitelist so the npx installer can resolve symlink-safety at runtime. Add a regression test that checks npm pack --dry-run --json for the expected packaged files.
Fixes#315
Co-Authored-By: Claude <noreply@anthropic.com>
