Harden batch activation, dev refresh gating, Microsoft sync path
handling, and Jetski skill loading against command injection,
symlink traversal, and client-side star tampering.
Add regression coverage for the security-sensitive paths and
update the internal triage addendum for the Jetski loader fix.
Rename the dotnet backend example assets out of the C# source path so CodeQL no longer performs low-quality C# extraction on standalone template files with no project build context. Update the implementation playbook links to the new template filenames.
Keep the Radix component boilerplate as a template asset, but rename it out of the TSX parser path so CodeQL does not treat placeholder syntax as executable source. Update the example README link to the new template filename.
Tighten the remaining high-signal security findings by switching the todo example to a standard Express rate limiter, removing sensitive metadata from boilerplate logging, and replacing fragile HTML tag filtering with parser-based conversion.
Co-Authored-By: Claude <noreply@anthropic.com>
Harden template and example code paths, redact sensitive output, and pin safe transitive npm packages. Consolidate the todo backend on better-sqlite3 so the example no longer pulls the vulnerable sqlite3 chain and still passes build and CRUD smoke checks.
Co-Authored-By: Claude <noreply@anthropic.com>
Record that the merged landing-page-generator skill from PR #341
must be included in the next release because v8.2.0 was already
published before the PR landed.
Update the maintainer and user walkthroughs so they reflect the
completed 8.2.0 release publication instead of the pre-release ready
state.
Capture the final PR merge set, issue closure state, and the exact
release commands that were executed on main.
Accept the deterministic metadata updates produced by the release
preflight so the tracked tree matches the current package version and
skill count before the automated 8.2.0 release commit runs.
This keeps the README registry sync comment aligned with the current
package state while preserving the manual 8.2.0 release messaging.
Add the 8.2.0 changelog entry and align the release-facing user docs
with the current maintenance sweep so the release workflow has the
required notes and public version references in place.
Refresh README release messaging and contributor acknowledgements ahead
of the automated release commit and tag creation.
Update the Claude marketplace entry to use a schema-valid relative source path and add a regression test so invalid marketplace sources fail in the local suite. Also document the maintainer workflow used for stale PR metadata and fork-gated Actions runs.
Fixes #344
## Add faf-skills to Community Contributors
17 Claude Code skills for AI-context management, built on the IANA-registered
.faf format (`application/vnd.faf+yaml`).
**Skills include:** project DNA creation, AI-readiness scoring (0-100%),
bi-sync with CLAUDE.md/AGENTS.md, MCP server building, and championship-grade
testing.
- **Repo:** https://github.com/Wolfe-Jam/faf-skills
- **License:** MIT
- **Skills:** 17
* feat: add trpc-fullstack skill for end-to-end type-safe API development
* fix: separate App Router and server-side context factories per review feedback
  - Replace createContext({ req } as any) in App Router handler with
    createTRPCContext(opts: FetchCreateContextFnOptions) — the correct fetch adapter shape
  - Add createServerContext() for Server Component callers so auth() is called
    directly without an empty or synthetic request object cast
  - Update SSR example to use createServerContext() instead of createContext({} as any)
  - Add two new pitfall entries covering both auth failure scenarios
Replace malformed frontmatter lines that start with an extra YAML document separator with proper metadata fields. This keeps the skill metadata parseable by strict loaders that only accept a single YAML document in SKILL.md frontmatter.
Co-authored-by: Claude <noreply@anthropic.com>