Skip to content

Releases: Jamkris/everything-gemini-code

v1.3.15

Choose a tag to compare

@github-actions github-actions released this 26 May 03:59

What's Changed in v1.3.15

docs(upstream): sync round 6 — advance baseline to 1e8c7e7 (2026-05-26) (#88) by @Jamkris

Summary

Sixth upstream sync round. Advances the recorded baseline from 3b7e0ba3 (2026-05-18) to 1e8c7e7 (2026-05-20 UTC, evaluated 2026-05-26), closing tracker issue #87 on the next upstream-drift.yml tick. 102 commits triaged; per-commit dispositions land in upstream/sync-rounds/2026-05-26.md.

Headlines:

  • Two EGC-authored PRs landed upstream during this window, both ECC-only surface (not back-portable):
    • ECC PR #1982 — Unicode Tag block (U+E0000–U+E007F) + six other invisible code points added to check-unicode-safety.js denylist. Canonical "ASCII smuggling" / "Tag Smuggling" LLM prompt-injection vector. Validator does not exist in EGC's port surface.
    • ECC PR #1983writeBridgeAtomic / writeWarnState ENOENT race + Windows EPERM/EACCES/EBUSY rename retry. Touches the ecc-metrics-bridge / ecc-context-monitor cost-observability surface, which is not part of EGC.
  • 78 of 102 commits are ECC release-readiness / billing-readback / dashboard refresh / video-suite operations log (May 18–20 RC1 publication cycle, ECC 2.0 hypergrowth lane) with no EGC analogue — clean skip.
  • 9 out-of-surface fixes skip cleanly: claude-project install-target trio, Python LLM providers (OpenAI/AstraFlow empty-choices guard), MCP health-check 406 handling, gateguard-fact-force quoting, IOC deny-rule filter, resolve-ecc-root.js plugin bootstrap.
  • Three substantial net-new items deferred to focused follow-up PRs:
    • Blender motion-state inspection skill (community contribution)
    • Harness-audit integration scoring extension (ECC PR #1990, +214 LOC in script / +192 LOC in tests / .md→.toml command translation needed)
    • continuous-learning-v2 project-registry maintenance (757-line change; EGC missing detect-project.sh)
  • One trivial clean-delete portable candidate (812d4d0 — delete skills/strategic-compact/suggest-compact.sh, unreferenced in EGC's runtime path) filed for a small follow-up PR rather than bundled here, so a regression there does not block the baseline cycle.

No new EGC→ECC PR opens this round — the two high-value targets are already merged into ECC main, and the remaining commits are out-of-surface or substantial enough to need focused PRs.

Files changed

  • upstream/.upstream-sync.jsonlastSyncedSha / lastSyncedAt / notes advanced to round 6.
  • upstream/README.md — Baseline badge, last-synced commit link, last-synced date, round-notes pointer list extended.
  • upstream/ko-KR/README.md, upstream/zh-CN/README.mdcatch-up update: localised mirrors had been left on the round-3 baseline 393d397e (2026-05-13); both now point at the round-6 SHA and list the full pointer chain (5 rounds).
  • upstream/sync-rounds/2026-05-26.md — new round-6 inventory.

Test plan

  • npm run lint — clean
  • npm test — 308/308 pass (includes ci/validate-upstream-sync.test.js 9/9, all 5 fixture tests)
  • node scripts/ci/validate-upstream-sync.js — both files reference 1e8c7e7
  • Compare endpoint 3b7e0ba..1e8c7e7 returns ahead_by: 102 (matches tracker issue #87)
  • Baseline badge URL renders against shields.io
  • Round-notes pointer paths all resolve from upstream/README.md and from both localised READMEs

Related

  • Closes #87 (Upstream Sync tracker — 102 commits ahead since 3b7e0ba)
  • Prior round: #86 (Round 5, baseline 3b7e0ba3)

Summary by cubic

Advance the upstream baseline and publish round‑6 notes to keep EGC in sync with ECC. Tidy the round‑6 notes (rename the “Detailed dispositions” section and correct the footer date to 2026‑05‑20), update upstream/.upstream-sync.json and localized READMEs (ko‑KR, zh‑CN), and add upstream/sync-rounds/2026-05-26.md; no runtime changes; closes #87.

Written for commit aa1eae7. Summary will update on new commits. Review in cubic

Summary by CodeRabbit

  • Documentation

    • Updated upstream synchronization docs across languages (en, ko-KR, zh-CN) and added the 2026-05-26 sync round report detailing drift, dispositions, and follow-up items.
  • Chores

    • Advanced upstream synchronization to round six and updated baseline tracking metadata and round notes to reflect the latest sync.

Review Change Stack


chore: release v1.3.14 (#86) by @Jamkris

Bump version to 1.3.14


Summary by cubic

Bump everything-gemini-code to v1.3.14 across package.json, .gemini-plugin/plugin.json, and gemini-extension.json to prepare the release and keep manifests in sync.

Written for commit c5fd746. Summary will update on new commits. Review in cubic

v1.3.14

Choose a tag to compare

@github-actions github-actions released this 18 May 04:11

What's Changed in v1.3.14

docs(upstream): sync round 2026-05-18 — advance baseline to 3b7e0ba3 (#85) by @Jamkris

Summary

Fifth upstream sync round. Inventories 137 commits between baseline f7315016 (2026-05-15) and ECC HEAD 3b7e0ba3 (2026-05-18) and advances the baseline files.

Bucket Count Disposition
EGC-authored, already in ECC main 10 already in EGC (ECC PR #1970 + #1971)
ECC ops logs (Tools / AgentShield / rc1 / readiness) ~92 skip
ja-JP localization batch ~15 deferred
Net-new skills / locales / installer flag / deps bumps ~14 deferred
Out-of-port-surface (cost-monitor / IOC scanner / etc.) ~6 skip
Total 137

Full per-commit table in upstream/sync-rounds/2026-05-18.md.

What's notable

No new EGC-authored ECC PR opens this round. The two PRs that would have been this round's top targets — workflow-security validator hardening + ecc-metrics-bridge cost-reporting — were opened upstream during round 4 and merged during this round's window. They ARE the backport, in the other direction.

The remaining 127 commits split into ECC operations log (no EGC analogue), substantial deferred candidates (ja-JP locale, new skills, installer --locale flag), and out-of-port-surface ECC hooks (ecc-context-monitor, gh-token-monitor, supply-chain IOC scanner, Zed install target).

Commit layout

Same shape as round 4: two commits so the narrative artefact and the baseline flip stay separable.

  1. docs(upstream): add sync round note for 2026-05-18 — adds the new round file only.
  2. docs(upstream): advance baseline to 3b7e0ba3 (2026-05-18) — flips upstream/.upstream-sync.json AND upstream/README.md atomically (the validator requires the SHA to match).

Validation

  • node scripts/ci/validate-upstream-sync.jsOK — both files reference 3b7e0ba
  • npm run lint — clean
  • No code changes; npm test unaffected

Closes #77 on the next upstream-drift.yml cron tick.

Deferred net-new ECC features (carry forward)

New to the queue from this round:

  • uncloud skill (community contribution)
  • recsys-pipeline-architect skill (community contribution)
  • Thai (th) README + docs locale
  • Japanese (ja-JP) full documentation translation
  • Installer --locale flag for selective translated-docs installation
  • TypeScript 6 + @types/node 25 toolchain bumps
  • Zed install target (likely permanent-skip given EGC's Gemini-only positioning)

Plus all items already deferred from rounds 1–4.

Test plan

  • CI lint passes
  • CI validate-upstream-sync.js confirms both files reference the same SHA
  • Round note renders correctly on GitHub (tables, links)
  • Baseline badge in upstream/README.md shows the new SHA
  • Issue #77 auto-closes on next upstream-drift.yml run

Summary by cubic

Advances the upstream baseline to 3b7e0ba3 (2026-05-18) and records the round‑5 inventory to keep EGC in sync with ECC. Updates upstream/.upstream-sync.json and upstream/README.md; adds upstream/sync-rounds/2026-05-18.md; no code changes.

Written for commit 2a11811. Summary will update on new commits. Review in cubic

Summary by CodeRabbit

  • Chores

    • Completed fifth upstream sync round with updated metadata and baseline references.
  • Documentation

    • Updated upstream baseline information and added sync round documentation including disposition summaries and feature tracking details.

Review Change Stack


chore: release v1.3.13 (#84) by @Jamkris

Bump version to 1.3.13


Summary by cubic

Prepare the v1.3.13 release by bumping the everything-gemini-code version in package.json, .gemini-plugin/plugin.json, and gemini-extension.json. No code changes; metadata only.

Written for commit 0bbecd4. Summary will update on new commits.

v1.3.13

Choose a tag to compare

@github-actions github-actions released this 15 May 05:46

What's Changed in v1.3.13

docs(upstream): sync round 2026-05-15 — advance baseline to f7315016 (#83) by @Jamkris

Summary

Fourth upstream sync round. Inventories the 46 commits between EGC's previously-recorded ECC baseline 393d397e (2026-05-13) and ECC main HEAD f7315016 (2026-05-15), records per-commit dispositions, and advances the baseline files.

Same path-based bucketing as rounds 2026-05-12 and 2026-05-13. Buckets are mutually exclusive; the first matching rule wins.

Inventory

Bucket Count Notable items
E:shared-logic / D:other-harness 4 375d750b (ECC PR #1905 integrating EGC-authored #1889 — being ported in branch feat/port-dev-server-block-from-ecc)
F:ci/packaging 5 f7315016 command registry, 7d15a228 IOC scanner — both deferred to net-new round
A:skills / A:rules 2 c2762dd5 Ruby/Rails rules — deferred
A:docs / H:meta 32 ECC-Tools / AgentShield roadmap sync — skip (no EGC equivalent)
X:needs-review 3 6be241a4 (= ECC PR #1843, EGC-authored, already in EGC), 24867327 analyzer hardening (deferred)
Total 46

Full per-commit table with SHAs and disposition rationale is in upstream/sync-rounds/2026-05-15.md.

What landed in EGC because of this round

This round catalyses three EGC-side PRs, opened as separate branches to keep review surfaces focused:

  1. In-flight port (this round's primary output): feat/port-dev-server-block-from-ecc — picks up scripts/lib/shell-substitution.js, scripts/lib/shell-split.js, and scripts/hooks/pre-bash-dev-server-block.js from ECC main (where they landed via #1905 integrating EGC-authored #1889) and switches the hooks/hooks.json dev-server matcher from inline regex to the new script. Closes 4 false-negative variants and 3 false-positive quote-literal cases the inline matcher couldn't distinguish.

  2. Adjacent EGC-only fix: fix/inline-matcher-quote-literal-false-positives — tightens the three remaining inline matchers (tmux reminder, git push reminder, build analysis) with ^\s* anchors and missing variants.

  3. Adjacent EGC-only fix: fix/md-block-hook-whitelist — expands the md-block hook whitelist with standard OSS files (SECURITY, CHANGELOG, etc.) and EGC convention directories (agents/, skills/, workflows/, rules/, …) that were previously over-blocked.

This PR is the recording PR — it does not include the code changes from those three branches. Once the three land, this round's baseline advance is consistent with what's in main; if any of them stays open, the deferred items list in the next sync round will record that explicitly.

Commit layout

Two commits so the narrative artefact and the baseline flip stay separable:

  1. docs(upstream): add sync round note for 2026-05-15 — adds the new round file (upstream/sync-rounds/2026-05-15.md) only. No baseline change.
  2. docs(upstream): advance baseline to f7315016 (2026-05-15) — flips upstream/.upstream-sync.json (lastSyncedSha, lastSyncedAt, notes) and the matching lines in upstream/README.md (baseline badge, last-synced commit link, last-synced date, round-notes pointer list) atomically.

The two-file update in commit (2) is done atomically because scripts/ci/validate-upstream-sync.js requires the SHA in the JSON and the SHA in the README to match — splitting them would briefly fail validation.

Validation

  • node scripts/ci/validate-upstream-sync.jsOK — both files reference f731501.
  • npm run lint — clean (markdownlint passes on the new round note).
  • No code changes; npm test not affected.

Deferred net-new ECC features (carry forward)

New items added to the deferred queue from this round:

  • Ruby / Rails rules (c2762dd5)
  • supply-chain IOC scanner (7d15a228)
  • command registry / coverage checks (f7315016) — needs EGC-native equivalent because EGC's command format is .toml, not .md
  • GitHub Copilot prompt support (766f4ee1)

Plus all items already deferred from rounds 1–3.

Test plan

  • CI lint passes
  • CI validate-upstream-sync.js confirms both files reference the same SHA
  • Round note renders correctly on GitHub (tables, links, headings)
  • Baseline badge in upstream/README.md shows the new SHA

Summary by cubic

Advance the recorded ECC baseline to f7315016 (2026-05-15) and add the round‑4 upstream sync inventory note.
Updates upstream/.upstream-sync.json and upstream/README.md to the new SHA/date and adds upstream/sync-rounds/2026-05-15.md; CI validator (scripts/ci/validate-upstream-sync.js) confirms both files reference the same SHA.

Written for commit 38c75ac. Summary will update on new commits.


fix(hooks): expand md-block whitelist with OSS standards + EGC convention dirs (#82) by @Jamkris

Summary

hooks/hooks.json has a "block random .md file creation" hook that allowed exactly four filenames: README, CLAUDE, AGENTS, CONTRIBUTING. Everything else gets BLOCKED with [Hook] BLOCKED: Unnecessary documentation file creation.

That whitelist is too narrow on two axes:

  1. Standard OSS files that this repo already contains and every other OSS repo expects (SECURITY.md, CODE_OF_CONDUCT.md, CHANGELOG.md, LICENSE.md, SUPPORT.md) all get blocked. GEMINI.md — the Gemini CLI analogue of CLAUDE.md — is also missing despite living at this repo's root.

  2. EGC convention directories. Every contribution path EGC actively encourages — skills/<name>/SKILL.md, agents/<name>.md, workflows/<name>.md, rules/<lang>/<name>.md, commands/<name>.md, translated docs under docs/<locale>/, etc. — gets blocked. EGC has 51 workflow files and 48 agent files, so a contributor adding a 49th agent currently gets denied by EGC's own hook.

This PR fixes both classes.

Behavior matrix (before → after)

File path Before After Why
README.md allow allow unchanged
CLAUDE.md, AGENTS.md, CONTRIBUTING.md allow allow unchanged
GEMINI.md BLOCK allow added — Gemini CLI's CLAUDE.md analogue
SECURITY.md BLOCK allow already exists in this repo
CODE_OF_CONDUCT.md BLOCK allow already exists in this repo
CHANGELOG.md, LICENSE.md, SUPPORT.md BLOCK allow standard OSS community-health files
skills/python-patterns/SKILL.md BLOCK allow EGC skill bundle entry point
skills/python-patterns/references/django.md BLOCK allow EGC skill reference doc
agents/planner.md BLOCK allow EGC agent file
workflows/tdd.md BLOCK allow EGC workflow file
rules/typescript.md BLOCK allow EGC rule file
commands/egc-grok.md BLOCK allow EGC command file
docs/ko-KR/README.md allow allow unchanged (already worked)
examples/foo.md BLOCK allow EGC examples dir
templates/foo.md BLOCK allow EGC templates dir
mcp-configs/README.md allow allow unchanged (README name)
upstream/sync-rounds/2026-05-15.md BLOCK allow upstream sync notes
TODO.md, NOTES.md, MEETING.md, random.md, random.txt BLOCK BLOCK still blocked — intended target
src/foo.md BLOCK BLOCK non-convention path, still blocked
tests/upstream-fixtures.md BLOCK BLOCK upstream as filename substring (not directory) — `(^

Commit layout

Two commits so each axis can be reviewed independently:

  1. fix(hooks): expand md-block whitelist with standard OSS docs — adds GEMINI, CHANGELOG, SECURITY, LICENSE, CODE_OF_CONDUCT, SUPPORT to the filename whitelist (regex (README|CLAUDE|AGENTS|GEMINI|CONTRIBUTING|CHANGELOG|SECURITY|LICENSE|CODE_OF_CONDUCT|SUPPORT)\.md$). 3-line diff. Reference: GitHub's community-standards list.

  2. fix(hooks): allow EGC convention directories in md-block hook — adds a second exclusion clause for files under any path matching (^|/)(agents|skills|workflows|rules|commands|docs|examples|mcp-configs|templates|upstream)/. The (^|/) anchor prevents false matches on filenames that happen to contain those words (upstream-fixtures.md is not upstream/fixtures.md).

Both the matcher (line 46) and the inline script's regex (line 50) are kept in sync — the matcher decides whether the hook fires, the script decides whether to block, so they must agree.

Tests

  • node scripts/ci/validate-hooks.js — clean.
  • npm test — 279/279 pass.
  • npm run lint — clean.

No new test file because the hook is inline node -e JavaScript. The behaviour is verified against the table above via a direct regex check in the commit body, and the same regexes are validated by the JSON-schema hook validator.

Test plan

  • CI lint passes
  • CI tests pass
  • Manual: write each "Before BLOCK → After allow" path above through write_file, confirm the hook no longer blocks
  • Manual: write each "still BLOCK" path, confirm the hook still blocks

Summary by cubic

Expand the .md/.txt blocking hook to allow standard OSS docs and files inside EGC convention directories. This prevents false blocks for valid docs like SECURITY.md, GEMINI.md, and skills/.../SKILL.md.

  • Bug Fixes
    • Whitelist standard filenames: README, CLAUDE, AGENTS, GEMINI, CONTRIBUTING, CHANGELOG, SECURITY, LICENSE, CODE_OF_CONDUCT, `SUPP...
Read more

v1.3.12

Choose a tag to compare

@github-actions github-actions released this 13 May 05:20

What's Changed in v1.3.12

docs: sync upstream baseline to 393d397 (#76) by @Jamkris

Summary

Final PR of the 2026-05-13 upstream sync round. Advances the recorded baseline from e9c88458 (2026-05-11) to 393d397 (2026-05-12) — the upstream HEAD at triage time and the last commit evaluated this round.

Round 3 PRs

  • #74 — triage / audit log (upstream/sync-rounds/2026-05-13.md)
  • #75 — port: code-reviewer guardrails + prompt defense baselines

Of 67 commits in the focused range: 2 ported, 8 deferred (net-new feature additions: PRD command, network architect agents, motion skills, Quarkus, Django Celery, cost tracking, frontend design, homelab configs), 57 skipped with rationale.

Files updated (4)

  • upstream/.upstream-sync.jsonlastSyncedSha + lastSyncedAt + round notes pointing at the new audit log.
  • upstream/README.md — baseline badge, Last-synced commit, date, round-notes pointer (now references both 2026-05-13 and 2026-05-12).
  • upstream/ko-KR/README.md + upstream/zh-CN/README.md — mirrored.

Expected post-merge behaviour

  • The validator passes — the prose SHA and JSON SHA agree on 393d397.
  • Next scheduled or manually-dispatched upstream-drift workflow run will compute the delta against ECC's current HEAD. If ECC has moved past 393d397 (likely — they merge daily), issue #71 updates with the new (small) count. If no new ECC commits since 393d397, #71 auto-closes.

Test plan

  • node scripts/ci/validate-upstream-sync.js — "OK — both files reference 393d397"
  • npm run lint clean
  • npm test 279/279
  • Manual link check — README baseline → ECC commit, audit log links → 2026-05-13.md + 2026-05-12.md

Round end

This PR closes round 3.

Related to #71.


port: code-reviewer guardrails + prompt defense baselines from ECC (#75) by @Jamkris

Summary

Two ports from the 2026-05-13 sync round:

  • df60af9 — code-reviewer false-positive guardrails
  • 393d397 — prompt defense baselines

agents/code-reviewer.md (df60af9)

Adds false-positive guardrails directly to the agent prompt:

  • Pre-Report Gate — 4-question filter before writing any finding (cite line, name failure mode, read context, defensible severity).
  • HIGH / CRITICAL require proof — exact snippet + scenario + why existing guards don't catch it. Demote or drop otherwise.
  • "Zero findings is valid" — explicit license to APPROVE clean diffs instead of manufacturing nits.
  • Common False Positives catalog — 12 patterns LLM reviewers consistently mis-flag (error handling already at framework level, magic numbers for well-known constants, missing JSDoc on self-describing helpers, security theater on Math.random(), etc.).
  • Approval criteria updated — clean review is valid; don't withhold APPROVE to appear rigorous.

The intent is to reduce the kind of noise this very repo has been seeing in PR reviews — pattern-match nits with no concrete failure scenario.

GEMINI.md + 48 agent files (393d397)

Prepends a uniform Prompt Defense Baseline 6-bullet block:

  • role / persona / identity protection
  • confidential-data / secret protection
  • executable-code output restraint
  • unicode / homoglyph / encoded-trick suspicion
  • external / untrusted data validation
  • harmful-content prohibition

Block content is harness-agnostic; same text as upstream ECC. Inserted right after the closing frontmatter --- on every agent, and after the H1 + intro paragraph on GEMINI.md.

Applied via a one-shot script (idempotent — skips files already containing the block).

ECC commit in scope that did not port

  • cb2a70c (motion skill fix) — EGC has remotion-video-creation but not motion-advanced / motion-foundations. The upstream motion skills are deferred net-new candidates for a future "ECC net-new" round.

Files changed (49)

Group Count Source
agents/code-reviewer.md 1 (both ports) df60af9 + 393d397
agents/*.md (other 47) 47 393d397
GEMINI.md 1 393d397

Total: +520 lines / -1 line.

Test plan

  • npm run lint clean
  • npm test 279/279
  • node scripts/ci/validate-agents.js — 48 agent files validated
  • Spot-checked 3 agents (architect, tdd-guide, code-reviewer) — block correctly inserted after frontmatter
  • Spot-checked GEMINI.md — block inserted between intro paragraph and Guidelines section

Summary by cubic

Adds strict false-positive guardrails to the code-reviewer and applies a 6-point Prompt Defense Baseline to all agents and GEMINI.md to reduce review noise and strengthen prompt safety. This cuts low-signal findings and hardens prompts against injection and unsafe outputs.

  • New Features

    • Code reviewer guardrails: 4-question pre-report gate; proof required for HIGH/CRITICAL; zero-findings APPROVE; skip common false positives; updated approval criteria.
    • Prompt Defense Baseline: 6 rules (role/identity protection, secret protection, executable-output restraint, Unicode/encoding trick suspicion, untrusted-data validation, harmful-content ban) inserted across 48 agents and GEMINI.md.
  • Migration

    • No action needed. The baseline is auto-inserted after frontmatter; the script is idempotent and avoids duplicates.

Written for commit 92a84ba. Summary will update on new commits.

Summary by CodeRabbit

  • Documentation
    • Added comprehensive safety baselines to agent instructions, enforcing explicit constraints for identity preservation, data confidentiality, restricted output formats, and validation of untrusted inputs to ensure consistent secure behavior across all agents.

Review Change Stack


docs: triage ECC upstream commits e9c8845..393d397 (#74) by @Jamkris

Summary

Round 3 audit log. ECC moved 67 commits forward of the baseline recorded at the end of round 2 (#71 reported 65 when the drift tracker opened; ECC merged 2 more before triage).

Round 3 totals

Category Port now Defer (net-new) Skip
skills 0 1
docs 0 30
agents 2 0
commands 0 0
shared logic 0 6
CI / packaging 0 2
other-harness (net-new features) 0 8 0
meta 0 1
needs-review (edge cases) 0 17
Total 2 8 57

Notable findings

  • df60af9 (code-reviewer guardrails) — adds Pre-Report Gate, HIGH/CRITICAL proof rules, "zero findings is valid" guidance, and a Common False Positives catalog to ECC's code-reviewer agent. All harness-agnostic. Port target.
  • 393d397 (prompt defense baselines) — adds a uniform 6-bullet prompt-defense block to ECC's CLAUDE.md and every agent file (71 files total upstream). Port target — apply to EGC's GEMINI.md and all agents.

Deferred (8 net-new features)

ECC added meaningful new surfaces this round that exceed a sync-round port scope: PRD planning command, network architect agents, motion system skills, Quarkus handling, Django Celery workflow, cost tracking + skill scout, frontend design guidance, homelab config skills. These join the deferred net-new candidates from round 2 (tinystruct-patterns, ios-icon-gen, flox-environments) — should be opened as a dedicated "ECC net-new" PR set in a future round.

Follow-up PRs

  1. `port: code-reviewer guardrails + prompt defense baselines from ECC`
  2. `docs: sync upstream baseline to 393d397` — closes #71

Test plan

  • `npm run lint` clean
  • `npm test` 279/279
  • Doc-only change

Summary by cubic

Adds the 2026-05-13 upstream sync inventory documenting ECC drift (67 commits from e9c8845 to 393d397). It calls out two port targets (code-reviewer guardrails and prompt-defense baselines), defers eight net-new features, and marks 57 skips to guide follow-ups.

Written for commit 925b1c8. Summary will update on new commits.

Summary by CodeRabbit

  • Documentation
    • Added comprehensive documentation for the 2026-05-13 upstream sync round, including triage inventory results across multiple categories, summary statistics, and suggested follow-up actions.

Review Change Stack


docs: record ECC backport in...

Read more

v1.3.11

Choose a tag to compare

@github-actions github-actions released this 13 May 01:58

What's Changed in v1.3.11

docs: sync upstream baseline to e9c88458 (#70) by @Jamkris

Summary

Final PR of the 2026-05-12 upstream sync round. Advances the recorded baseline from 9db98673 (2026-02-09) to e9c88458 (2026-05-11) — the upstream HEAD at triage time and the last commit evaluated in this round.

What landed in this round

  • #66 — triage / audit log (upstream/sync-rounds/2026-05-12.md)
  • #67 — port: skill curation updates from ECC
  • #68 — port: hook + validator fixes from ECC (closed two real bypass holes; 3 rounds of bot review)
  • #69 — port: plan command graceful degradation

Of the 159 commits in the focused range (4e66b288..e9c88458):

Disposition Count
Ported 9
Evaluated inline + skipped 5
Deferred (eligible net-new skills) 3
Skipped with rationale 142

The 142 skips are dominated by ECC-runtime-only surfaces (loop-status, gateguard, insaits-security-*, ECC's cursor/codex/opencode install targets, ecc2 RC1 work) and Claude-Code-specific session-start / observe-runner / MCP-disable changes.

Files updated (4)

  • upstream/.upstream-sync.jsonlastSyncedSha + lastSyncedAt + round notes pointing at the audit log.
  • upstream/README.md — baseline badge, Last-synced commit, date, and a round-notes pointer.
  • upstream/ko-KR/README.md + upstream/zh-CN/README.md — same three updates mirrored.

Why the baseline is the evaluated SHA, not ECC HEAD

ECC has continued to merge commits since triage (~820e07f at the time of this PR). The sync policy explicitly chooses to advance the baseline to the last commit actually evaluated rather than the current upstream HEAD — see upstream/README.md → Recording a sync. Lying about the SHA would close issue #60 prematurely and hide unevaluated drift.

Expected post-merge behaviour

  • The CI validator (validate-upstream-sync.js) passes — the prose SHA and JSON SHA agree on e9c8845.
  • The next scheduled or manually-dispatched upstream-drift workflow run will compute the delta against ECC's current HEAD, find a small drift (only the ~1–2 days of new ECC commits since e9c88458), and update issue #60 with the new (much smaller) count.
  • Issue #60 will not auto-close because ECC continues to merge faster than EGC catches up. That is exactly the "best-effort, surface drift" policy at work — the tracker now shows progress instead of an inflated 1500+ figure.

Test plan

  • node scripts/ci/validate-upstream-sync.js — "OK — both files reference e9c8845"
  • npm run lint — clean
  • npm test — 279/279
  • Manual link check — README baseline → ECC commit, audit log link → sync-rounds/2026-05-12.md
  • Post-merge: manually dispatch the upstream-drift workflow and verify issue #60 updates with the new count instead of duplicating to a new issue

Round end

This PR closes the round. Future rounds will start fresh with a new triage file under upstream/sync-rounds/.

Related to / will eventually close #60 once ECC's commit cadence catches down (or, more realistically, the next round).


Summary by cubic

Advances the recorded upstream baseline to e9c88458 (2026-05-11), the last commit evaluated in the 2026-05-12 sync round, and points docs to that round’s audit log. Updates upstream/.upstream-sync.json, upstream/README.md, upstream/ko-KR/README.md, and upstream/zh-CN/README.md with the new SHA, date, and notes; the next drift run will recalc against ECC’s current HEAD and shrink the count in issue #60.

Written for commit b18af8f. Summary will update on new commits.

Summary by CodeRabbit

Chores

  • Updated upstream synchronization baseline and configuration metadata to reflect the latest evaluated commit.
  • Refreshed README documentation in English, Korean, and Chinese languages with current upstream synchronization details and sync date of May 13, 2026.
  • Updated internal synchronization tracking notes and references to correspond with the latest round of upstream evaluation.

Review Change Stack


port: plan command graceful degradation (#69) by @Jamkris

Summary

Third port PR from the 2026-05-12 upstream sync round (audit log: upstream/sync-rounds/2026-05-12.md).

Ports ECC 17aafc4 ("fix: make plan command work without planner agent") to EGC's commands/egc-plan.toml.

Why

EGC's previous prompt asserted that /egc-plan "invokes the planner agent" unconditionally. When the @planner subagent is unavailable — agents not installed, runtime cannot resolve the name, plugin-only install — the assistant surfaces an Agent type 'planner' not found error instead of producing a plan. The fix makes the command run inline by default and treat the planner agent as an optional enhancement.

Changes to the prompt

  • Opening paragraph reframes /egc-plan as "creates a plan" and explicitly states inline-by-default + no default subagent delegation.
  • "How It Works" attributes the steps to "The assistant" instead of "The planner agent".
  • Example header changes from Agent (planner): to Assistant: so the example does not imply the agent is mandatory.
  • CRITICAL guard reattributed to "this command" instead of "the planner agent".
  • "Related Agents" section renamed to "Optional Planner Agent" with explicit fallback instructions: continue inline if @planner is unavailable rather than erroring. Reference to agents/planner.md retained for manual installs that ship the agent file.

New tests (3)

tests/commands/plan-command.test.js — adapted from ECC's test of the same name. Reads commands/egc-plan.toml and asserts:

  • New inline-by-default contract is present (Do not delegate to the @planner subagent, planner-unavailable fallback).
  • Old mandatory-agent strings are gone (invokes the **planner** agent, The planner agent will:, Agent (planner):).
  • The CRITICAL WAIT-for-CONFIRM contract is preserved (regression guard against future rewrites stripping it).

ECC commit in scope that did not port

  • 2fd8dfc (docs: clarify MCP disable guidance) — entirely Claude Code-specific surface (~/.claude.json runtime persistence, the Claude /mcp command, disabledMcpServers config key, ECC_DISABLED_MCPS env var, .claude/settings.json paths). EGC's MCP layer is Gemini CLI's mcp-configs/ model; none of the specific facts in the upstream doc map cleanly. EGC's current guidance ("Disable unused servers in project settings") is already harness-correct at the right altitude.

Test plan

  • npm run lint clean
  • npm test 279/279 (+3 new in commands/plan-command.test.js)
  • node scripts/ci/validate-commands.js — 80 command files validated
  • Manually re-read the prompt — /egc-plan would still produce the same WAITING FOR CONFIRMATION protocol when invoked, just without an upfront @planner dispatch

Summary by cubic

Make /egc-plan work without the @planner agent by running inline by default and treating @planner as optional. This prevents "Agent type 'planner' not found" errors and keeps planning usable across installs.

  • Bug Fixes
    • Updated commands/egc-plan.toml to run inline by default, avoid default delegation to @planner, and continue inline if @planner is unavailable.
    • Reworded prompt to attribute steps to the assistant, updated example header to "Assistant:", and preserved the CRITICAL wait-for-confirmation rule.
    • Added tests/commands/plan-command.test.js and registered it in tests/run-all.js to enforce the new inline-by-default contract and the confirmation guard.

Written for commit a3314d9. Summary will update on new commits.

Summary by CodeRabbit

Release Notes

  • Improvements

    • Updated /egc-plan command to default to inline execution rather than delegating to subagents, with strengthened confirmation prompts before code generation.
  • Tests

    • Added test coverage to validate /egc-plan command behavior and execution flow.

Review Change Stack


port: hook + validator fixes from ECC (#68) by @Jamkris

Summary

Second port PR from the 2026-05-12 upstream sync round (audit log: upstream/sync-rounds/2026-05-12.md).

Lands two real correctness fixes plus the matching CI...

Read more

v1.3.10

Choose a tag to compare

@github-actions github-actions released this 12 May 03:18

What's Changed in v1.3.10

chore: restore original Next-steps footer in release.sh (#64) by @Jamkris

Summary


Summary by cubic

Restored the original “Next steps” footer in scripts/release.sh to match our release flow and remove the -u flag. It now prompts to push the branch, push the tag, create a PR into main with gh pr create, push the tag after merge, and check GitHub Actions.

Written for commit ddc8757. Summary will update on new commits.


chore: release v1.3.9 (#63) by @Jamkris

Bump version to 1.3.9


Summary by cubic

Release v1.3.9 by bumping the version from 1.3.8 to 1.3.9 across manifests to keep the plugin and extension aligned. Updated package.json, .gemini-plugin/plugin.json, and gemini-extension.json.

Written for commit 8590daa. Summary will update on new commits.


chore: refuse release.sh from main; require release branch (#62) by @Jamkris

Summary

`scripts/release.sh` used to run on any branch and only print a hint about creating a PR when not on `main`. Running it from `main` accidentally commits a version bump directly to `main`, bypassing PR review, CI, and the merge audit trail. This happened today — two stray local commits had to be reset.

This PR adds an explicit guard: if HEAD is on `main`, the script prints the proper 5-step workflow and exits 1 before touching any file. No env-var escape hatch — normalising the wrong path is what caused the incident in the first place.

Behaviour

Before: running on main silently committed the version bump to main; a footer suggested a PR but the bump was already on the wrong branch.

After:

```
$ git checkout main
$ ./scripts/release.sh 1.3.9
Error: refusing to run release from 'main' branch.

Version bumps must go through a PR:

  1. git checkout -b chore/release-v1.3.9
  2. ./scripts/release.sh 1.3.9 # re-run on the release branch
  3. git push -u origin chore/release-v1.3.9
  4. gh pr create --title "chore: release v1.3.9" --body "Bump version to 1.3.9"
  5. Merge once CI is green, then push the tag.
    ```

On any non-main branch, the script proceeds normally.

Also in this PR

  • Dropped the dead `if [ "$BRANCH" != "main" ]` footer branch — `BRANCH = main` is now unreachable past the guard, so collapsed the "Next steps" to the single correct path.

Test plan

  • `npm run lint` — clean
  • `npm test` — 264/264
  • Dry-run on `chore/release-guard` branch — script proceeds past the guard (made a throwaway 9.9.9 commit, rolled back)
  • Dry-run on `main` — script prints the 5-step workflow and exits 1; `package.json` / `gemini-extension.json` / `plugin.json` are not modified

Follow-up (after this merges)

Re-do the 1.3.9 release the proper way:

  1. `git checkout main && git pull`
  2. `git checkout -b chore/release-v1.3.9`
  3. `./scripts/release.sh 1.3.9`
  4. Push the branch, open the release PR, merge, push the tag.

Summary by cubic

Add a hard guard in scripts/release.sh to refuse running on main, forcing releases to go through a release branch and PR. This prevents accidental version bumps on main and ensures CI and review run every time.

  • Refactors
    • Detect main, print a 5-step release workflow, and exit 1 before touching files.
    • Remove the dead if [ "$BRANCH" != "main" ] branch and simplify “Next steps” to the single PR path (push branch, open PR, push tag after merge).

Written for commit 468bf4f. Summary will update on new commits.


fix: issue body must report compare.ahead_by, not commits.length (#61) by @Jamkris

Summary

Smoke run after PR #59 merged surfaced a title/body inconsistency on tracking issue #60. Title said "1521 new commits" (correct); body said "has 250 commit(s) ahead" and "250 total, showing first 50" (wrong).

Root cause: the GitHub compare endpoint caps commits[] at 250 per response regardless of the true delta. formatIssueBody was using commits.length for the intro and the details summary, so any delta above 250 silently displays as 250.

Fix

  • scripts/lib/upstream-drift.js — add required totalCount param to formatIssueBody. Use it for:
    • intro: "has N commit(s) ahead"
    • details summary: "showing first X of N"
    • truncation footer: "… and (N − shown) more"
  • scripts/upstream/check-upstream-drift.jsbuildIssueContent passes compare.ahead_by as totalCount.

Tests

  • New: API-cap scenario (totalCount=1521, commits.length=250) — body must not mention 250 anywhere.
  • New: total-fits-in-display scenario — simple Commits (N) summary, no truncation footer.
  • New: rejects negative / non-integer totalCount.
  • Existing tests updated to pass totalCount.

Verification

  • npm run lint clean
  • npm test → 264/264 (was 261)
  • Post-merge: re-dispatch workflow, confirm issue #60 body intro now says "1521" and the details summary says "showing first 50 of 1521"

Before / after (issue #60 body intro)

- Upstream `affaan-m/everything-claude-code` has **250** commit(s) ahead of the recorded baseline.
+ Upstream `affaan-m/everything-claude-code` has **1521** commit(s) ahead of the recorded baseline.
- <summary>Commits (250 total, showing first 50)</summary>
+ <summary>Commits (showing first 50 of 1521)</summary>
- - _… and 200 more. See the [full diff](…)._
+ - _… and 1471 more. See the [full diff](…)._

Summary by cubic

Fixes incorrect commit counts in the upstream drift tracking issue body when more than 250 commits are ahead. The body now uses compare.ahead_by for all counts, matching the title and avoiding the GitHub compare API cap.

  • Bug Fixes
    • formatIssueBody now accepts totalCount and uses it in the intro, details summary, and truncation text.
    • buildIssueContent passes compare.ahead_by as totalCount to avoid relying on capped commits[].
    • Added tests for API-cap scenarios, no-truncation cases, and invalid totalCount.

Written for commit 2e0c8fb. Summary will update on new commits.

Summary by CodeRabbit

  • Improvements
    • Upstream drift tracking now accurately counts all commits ahead of upstream sources, even when API results are truncated, providing more precise repository synchronization reporting.

Review Change Stack


feat: upstream drift tracker (issue mgmt, cron, SHA validator) (#59) by @Jamkris

Summary

Bundles of the upstream-drift tracker plan from #58. log-only detection shipped already this PR brings the tracker to feature-complete.

Phase Adds
2 Rolling tracking issue (🔄 Upstream Sync), weekly cron (Mon 06:00 KST = Sun 21:00 UTC), recursive failure tracking (⚠ Upstream Sync Failure), new labels in the manifest
3 CI validator asserting that the SHA in upstream/README.md agrees with upstream/.upstream-sync.json; wired into reusable-validate.yml

Net behaviour:

  • Drift becomes a number on an open issue, refreshed weekly.
  • When the maintainer advances the baseline SHA, the tracker closes the issue automatically on the next run.
  • If the workflow itself errors, a separate rolling issue surfaces that fact (same trick recursively applied).
  • A SHA typo in either file fails CI on PR review.

File-by-file

Library (pure, fully unit-tested)

  • scripts/lib/upstream-drift.js — adds pickActiveIssue, decideAction, extractCommitsForBody.

Entry script

  • scripts/upstream/check-upstream-drift.js — rewritten main flow. Lists open 🔄 Upstream Sync issues, decides noop | close | create | update, executes via gh issue … (execFileSync, argv array — no shell).

Workflow

  • .github/workflows/upstream-drift.yml
    • schedule: cron '0 21 * * 0'
    • permissions: { contents: read, issues: write }
    • if: failure() step that ensures a single ⚠ Upstream Sync Failure issue points at the failing run URL.

Labels

  • .github/labels.yml — adds 🔄 Upstream Sync (green) and ⚠ Upstream Sync Failure (red). Sync to GitHub with scripts/setup-labels.sh.

Phase 3 validator

  • scripts/ci/validate-upstream-sync.js — env-overridable paths so tests can point at fixtures. Specific error message on mismatch (prints both SHAs side by side).
  • .github/workflows/reusable-validate.yml — adds a sixth validation step.

Tests (+19 new, 261 total)

  • tests/lib/upstream-drift.test.js — +11 tests for the new pure functions (action matrix, defensive multi-issue handling, compare-API flattening).
  • tests/ci/validate-upstream-sync.test.js — 9 tests covering the pure function and end-to-end (match, mismatch, missing line, malformed JSON, malformed SHA).
  • tests/run-all.js — registers the new test file.

Docs

  • upstream/{README,ko-KR/README,zh-CN/README}.md — references to the Action and the validator switched from "planned / will add" to present tense (both have now landed).

Test plan

  • npm run lint — clean
  • `npm te...
Read more

v1.3.8

Choose a tag to compare

@github-actions github-actions released this 12 May 00:25

What's Changed in v1.3.8

docs: document upstream sync policy and ecosystem-port framing (#56) by @Jamkris

Summary

Response to @affaan-m's review on affaan-m/everything-claude-code#1343. The maintainer flagged drift risk, asked for a documented sync policy, and asked for a clear "changed vs copied" delta. This PR addresses each of those asks in a doc-only change.

  • docs/UPSTREAM.md (new): records the upstream baseline (ECC 9db98673... — the ECC HEAD ~1h before EGC's initial commit ff331996), a best-effort sync policy, a category-level changed/copied/removed/added table, and an honest "known drift" section.
  • docs/.upstream-sync.json (new): machine-readable mirror of the same baseline. Sets up the state file that the planned upstream-drift-tracker Action (follow-up PR) will read.
  • README.md: adds an "ecosystem port, not official ECC release" disclaimer right under the existing attribution line, with a link to docs/UPSTREAM.md.
  • CONTRIBUTING.md: adds a new "Upstream contributions (ECC backports)" section between "Submitting a PR" and "Tool Name Conversion". Explains when a change belongs upstream too, how to dual-PR, and how to record a sync.

Maintainer asks → file mapping

Maintainer ask Addressed by
"Sync policy with upstream ECC" docs/UPSTREAM.mdSync policy section
"Ecosystem port, not an official compatibility claim" README.md disclaimer + docs/UPSTREAM.md opening paragraph
"Document what is changed versus copied" docs/UPSTREAM.mdWhat was copied vs. changed vs. removed vs. added table

Sync cadence chosen: best-effort, no committed schedule

Rationale: a solo maintainer cannot reliably commit to a calendar cadence, and a missed promise is itself the kind of drift the policy is meant to prevent. Instead, drift is made mechanically visible by recording the baseline SHA in two places (prose + JSON) and (in a follow-up PR) running a weekly cron Action that opens a tracking issue if the baseline lags upstream HEAD.

Out of scope (deferred)

  • Upstream-drift-tracker GitHub Action — follow-up PR on its own branch (feat/upstream-drift-tracker). Will read docs/.upstream-sync.json, compare against affaan-m/everything-claude-code HEAD on a weekly cron, and maintain a single rolling upstream-sync tracking issue.
  • CI validator asserting that the SHAs in UPSTREAM.md prose and docs/.upstream-sync.json agree. Will land with the action PR (Phase 3 of that plan).
  • ko-KR / zh-CN mirrors of the new doc and the README disclaimer — separate follow-up PR. Will also fix the verified gap that docs/zh-CN/README.md is missing the attribution line that the English and Korean READMEs have.

Test plan

  • npm run lint — clean
  • npm test — 222/222 (no test changes; doc-only)
  • Manual link check: README → docs/UPSTREAM.md, docs/UPSTREAM.mddocs/.upstream-sync.json + ECC repo + baseline commit + initial EGC commit, CONTRIBUTING → docs/UPSTREAM.md
  • Re-read all four paragraphs of @affaan-m's reply and verify each is addressed by a specific section

Summary by cubic

Documents the upstream sync policy and clarifies EGC as an ecosystem port, now organized under a dedicated upstream/ folder with a machine-readable baseline, status badges, conflict-resolution guidance, and ko‑KR/zh‑CN translations. Updates README.md, localized READMEs, and CONTRIBUTING.md to link to upstream/README.md, add the disclaimer (and missing Chinese attribution), and explain backports, dual‑PRs, and how to record syncs.

Written for commit a176681. Summary will update on new commits.

Summary by CodeRabbit

  • Documentation
    • Clarified that EGC is an ecosystem port rather than an official release, with no guaranteed API/behavioral compatibility
    • Added upstream synchronization policy documentation and procedures
    • Added contributor guidance for managing upstream contributions and backports

Review Change Stack


chore: release v1.3.7 (#55) by @Jamkris

Bump version to 1.3.7


Summary by cubic

Bumped everything-gemini-code version to 1.3.7 in .gemini-plugin/plugin.json, gemini-extension.json, and package.json to prepare the v1.3.7 release. No code changes.

Written for commit 7fa868c. Summary will update on new commits. Review in cubic

v1.3.7

Choose a tag to compare

@github-actions github-actions released this 30 Apr 04:05

What's Changed in v1.3.7

feat: add /egc-grok — full-repo audit using 1M context (#54) by @Jamkris

Summary

  • Introduce /egc-grok, a new slash command that audits the entire repo in one pass — language inventory, JS/TS import graph, circular dependencies (Tarjan SCC), and dead-file candidates.
  • Pattern matches the existing /egc-harness-audit design: a deterministic Node script is the source of truth for paths and counts; the LLM only adds a synthesis layer on top, so it cannot hallucinate file lists.
  • Designed to lean on Gemini's 1M context window — a vanilla CLI -> file-by-file workflow can't produce a repo-wide narrative in one shot, so this is the kind of "must-install" demo that answers "what does this give me on top of plain Gemini CLI?"

What's in the PR

File Role
scripts/lib/grok-engine.js Pure functions: walk, import extraction (require/import/export from/dynamic), graph build, Tarjan SCC, dead-file detection, text/json formatting.
scripts/grok.js CLI wrapper. --format text|json, --scope <dir>.
commands/egc-grok.toml Slash command with a strict synthesis contract pinning the LLM to script output.
workflows/grok.md Mirror workflow doc.
tests/lib/grok-engine.test.js 20 unit tests (import parsing, cycles incl. self-loop and DAG, dead-file heuristics, report shape, text/json output).
tests/run-all.js Register the new test file.

Why this is differentiated

  • Repo-scale, not file-scale. Vanilla gemini opens files one by one; /egc-grok reads the whole repo and emits a single report.
  • Deterministic core. The engine is a normal Node script — no LLM in the audit path. The LLM only adds the narrative + Top 3 actions on top of fixed JSON.
  • No new dependencies. All graph + cycle work uses Node stdlib.

Test plan

  • npm run lint — clean
  • npm test — 207/207 pass (20 new in lib/grok-engine.test.js)
  • Self-run node scripts/grok.js on this repo: 670 files inventoried, 54 JS/TS nodes / 39 edges, 0 cycles, 0 dead-file candidates after entry-pattern tuning
  • node scripts/grok.js --format json produces valid JSON parseable by JSON.parse
  • node scripts/grok.js --help prints usage
  • Try it inside Gemini CLI as /egc-grok end-to-end (manual smoke from a fresh shell)

Out of scope (deferred to v2)

  • --changed baseline mode for cost-efficient incremental audits
  • Python / Go / Rust import graph (v1 is JS/TS only — matches this repo's own surface)
  • Security smell scanning (overlaps with the existing /egc-code-review)

Summary by cubic

Add /egc-grok, a deterministic full-repo audit that inventories files, builds a JS/TS import graph, detects cycles, and flags dead-file candidates. The CLI is hardened and the report now surfaces read errors; Gemini’s 1M context adds a short synthesis on top.

  • New Features

    • CLI: node scripts/grok.js [scope] --format text|json.
    • Engine: walk, import parse, Tarjan SCC cycles, dead-file heuristics; text/json output.
    • Slash command + docs: commands/egc-grok.toml, workflows/grok.md.
    • Tests: engine + CLI tests, registered in tests/run-all.js. No new dependencies.
  • Bug Fixes

    • Normalize package.json main/bin paths to avoid false dead-file flags.
    • CLI: strict arg parsing, value checks, --format=/--scope= support, ensureDirectory validation.
    • Report: collect and display read errors in text and JSON outputs.
    • Rename to stripComments and document the string-literal limitation.

Written for commit f823410. Summary will update on new commits. Review in cubic

Summary by CodeRabbit

  • New Features

    • Introduced /egc-grok command for comprehensive repository auditing, analyzing dependencies, detecting circular dependencies, and identifying dead files with JSON or text output formats.
  • Documentation

    • Added workflow documentation detailing the deterministic audit process and output specifications.
  • Tests

    • Added test suite for the analysis engine covering import extraction, dependency detection, cycle identification, and dead-file discovery.

docs: update SECURITY.md contact + supported versions (#53) by @Jamkris

Summary by cubic

Update SECURITY.md to make 1.3.x the only supported release line and clarify that only the latest minor gets security fixes. Set GitHub private security advisories as the preferred reporting channel, with contact@jamkris.com as the fallback email.

Written for commit 9686517. Summary will update on new commits. Review in cubic


chore: add issue/PR templates, label manifest, and label sync script (#52) by @Jamkris

  • .github/ISSUE_TEMPLATE/: bug, feature, agent/skill forms with auto-applied emoji labels (🐞 Bug / ✨ Feature / 🤖 Agent + 🔍 Triage)
  • .github/PULL_REQUEST_TEMPLATE.md: summary, type, test plan checklist
  • .github/labels.yml: 21-label manifest (type / area / severity / triage)
  • scripts/setup-labels.sh: idempotent gh-based sync from labels.yml

Summary by cubic

Add GitHub issue and PR templates, a label manifest, and a hardened label sync script to standardize triage and contributions. This makes issues clearer and keeps labels consistent.

  • New Features

    • Issue templates for bug, feature, and agent/skill requests with auto labels (🐞 Bug, ✨ Feature, 🤖 Agent + 🔍 Triage), plus template config to disable blank issues and link to Discussions/docs
    • PR template with summary, type checklist, and test plan checks
    • Label manifest in .github/labels.yml defining 21 labels by type, area, severity, and triage
    • Idempotent label sync script at scripts/setup-labels.sh; uses gh/python3, sets -euo pipefail, and checks for python3 to avoid masked parser errors
  • Migration

    • Run scripts/setup-labels.sh after merge to create/update labels
    • Requires gh authenticated to the repo and python3 installed

Written for commit 55ffc9e. Summary will update on new commits. Review in cubic

Summary by CodeRabbit

  • Chores
    • Added structured issue templates for bug reports, feature requests, and agent/skill requests to guide contributor submissions
    • Introduced standardized pull request template with required fields
    • Configured repository labels system for consistent issue and PR categorization
    • Added automation script for label synchronization

chore: release v1.3.6 (#50) by @Jamkris

Bump version to 1.3.6


Summary by cubic

Prepare v1.3.6 release. Updated version fields in package.json, .gemini-plugin/plugin.json, and gemini-extension.json; no functional changes.

Written for commit 65a4df5. Summary will update on new commits.

v1.3.6

Choose a tag to compare

@github-actions github-actions released this 27 Apr 05:34

What's Changed in v1.3.6

chore: add Greptile and GitGuardian configs (#49) by @Jamkris

Summary

Adds in-repo configuration for two of the three review/security bots in active use on the upstream everything-claude-code. All three are free for our case (MIT-licensed public repo).

Tool Free for us? In-repo config?
Greptile ✅ via the OSS Perks program (MIT/Apache/GPL) greptile.json (this PR)
GitGuardian ✅ public-repo free tier .gitguardian.yaml (this PR)
Cubic ✅ unlimited for public repos None — GitHub App only

greptile.json

Mirrors the intent of .coderabbit.yaml:

  • strictness: 2 + commentTypes: [logic, syntax] — bugs and security over style
  • ignoreKeywords — release PRs and dependabot PRs are skipped
  • disabledLabels: ["release", "skip-review"] — manual escape hatch
  • instructions — project base prompt that frames the repo as a Gemini CLI extension and lists the common false-positive patterns to ignore (emoji in markdown, long TOML prompt fields, ~/.gemini/ paths in skills)
  • customContext.rules — per-path guidance for agents/, commands/, skills/, hooks/, scripts/, rules/, docs/ (mirrors path_instructions from CodeRabbit, including the agent tool allowlist)
  • customContext.files — pins .gemini/styleguide.md and scripts/lib/gemini-tools.js as the authoritative references the bot should consult

.gitguardian.yaml

Defaults are fine for most of the tree; this just suppresses noise:

  • secret.ignored_paths — lockfiles, node_modules, binary doc assets, plus tests/lint/fixtures/** and tests/ci/** (the latter embeds intentional hostile-workflow fixtures with ${{ github.event.pull_request.head.sha }} strings that some entropy detectors misfire on)
  • ignored_detectors: ['Generic High Entropy Secret'] — kills the most common false positive, documentation/curl examples

Cubic

No in-repo file. Custom rules are configured in their dashboard, optionally synced from .cursor/rules/ if the team uses those (we don't). Just need to install the app on the repo.

Action items for the maintainer

Out of scope of a code change — these need account/dashboard work:

  • Install the Cubic GitHub App: https://github.com/apps/cubic-dev-ai
  • Apply for the Greptile OSS plan via OSS Perks (https://www.ossperks.com/programs/greptile) — required for free tier; otherwise the trial expires and greptile.json becomes dead config
  • GitGuardian should already pick up .gitguardian.yaml automatically once the org is on the free OSS tier — if not yet installed, install via dashboard

Test plan

  • node -e "JSON.parse(...)" parses greptile.json
  • js-yaml parses .gitguardian.yaml (v2 schema)
  • npm run lint — clean
  • npm test — 187/187 pass (no behavior change)
  • After merge, watch the next non-release PR to verify Greptile picks up the config (instructions visible in walkthrough, dependabot/release titles correctly skipped)

Summary by CodeRabbit

  • Chores
    • Configured automated secret scanning to detect and prevent sensitive credentials and information from entering the repository, with customized detection patterns and exclusions for various file types, dependencies, and directories.
    • Added comprehensive code quality and governance configuration with specific rules, guidelines, and standards to enforce best practices and consistency throughout the project.

Summary by cubic

Add in-repo configs for Greptile (code review) and GitGuardian (secret scanning) on OSS free tiers. Tightens review focus on bugs/security and reduces noise without hiding real issues.

  • New Features

    • greptile.json: strictness: 2 with commentTypes: [logic, syntax]; precise skip rules via ignoreKeywords (e.g., chore: release, dependabot) and disabledLabels: ["release", "skip-review"]; section fields use objects; ignores lockfiles/assets. Adds project instructions, per-path rules, and pins .gemini/styleguide.md and scripts/lib/gemini-tools.js as references. Rule fixes: hooks-only “no console.log”; shell scripts require set -e (aligned with the styleguide).
    • .gitguardian.yaml: keeps detectors enabled; uses path-scoped ignores for known false positives (rules/**/security.md, **/SKILL.md) and suppresses noise from lockfiles, node_modules, binary docs, and test fixtures. Fails on real findings.
  • Migration

    • Apply for the Greptile OSS plan so the config is active.
    • Ensure the GitGuardian app is installed; it will auto-load .gitguardian.yaml.

Written for commit e97b09c. Summary will update on new commits.


chore: release v1.3.5 (#48) by @Jamkris

Bump version to 1.3.5

v1.3.5

Choose a tag to compare

@github-actions github-actions released this 27 Apr 04:02

What's Changed in v1.3.5

feat: port block-no-verify hook + workflow-security CI validator (#47) by @Jamkris

Summary

Adopts two security additions from everything-claude-code (upstream as of 4e66b28) that are protocol-portable to Gemini CLI without rewriting:

  1. scripts/hooks/block-no-verify.js — registered as a BeforeTool hook on run_shell_command. Blocks --no-verify (and -n shorthand on commit) plus -c core.hooksPath= overrides for git commit / push / merge / cherry-pick / rebase / am. Detects subcommand even in chained shells (git log -n 5 && git commit ...) without false-positiving on -n that belongs to git log. Returns exit 2 with stderr explanation when blocking; exit 0 otherwise.

  2. scripts/ci/validate-workflow-security.js — rejects unsafe github.event.{workflow_run,pull_request}.head.* refs inside actions/checkout steps when triggered from privileged events (workflow_run / pull_request_target). Wired into reusable-validate.yml as a 5th validation step.

The tool_input.command JSON shape that block-no-verify reads is the same shape Gemini CLI's BeforeTool already produces, so no protocol translation was needed for the hook code itself.

Hook registration (per session direction: same blast radius as the Claude side)

{
  "matcher": "tool == \"run_shell_command\"",
  "hooks": [
    { "type": "command", "command": "node \"$HOME/.gemini/extensions/everything-gemini-code/scripts/hooks/block-no-verify.js\"" }
  ]
}

Always-on: matches every shell command, with the hook returning exit 0 fast for non-git commands.

Skipped from upstream (with reasons)

  • gateguard-fact-force.js + skills/gateguard — hardcoded Claude tool names (Edit / Write / MultiEdit / Bash), Claude permissionDecision JSON output protocol, CLAUDE_* env vars. Porting would be a near-rewrite to fit Gemini's stderr+exit hook contract.
  • bash-hook-dispatcher.js + pre/post-bash-dispatcher.js — dispatcher pattern works around Claude's single-hook-per-event limit; Gemini hooks.json already supports multiple entries per event natively.

Test plan

  • node scripts/hooks/block-no-verify.js — direct stdin invocation works (12 cases pass)
  • node scripts/ci/validate-workflow-security.js — passes against this repo's 5 workflow files (and against the 4 fixture cases in the test)
  • node scripts/ci/validate-hooks.js — 16 hook matchers (was 15)
  • npm run lint — clean
  • npm test181/181 pass (was 165: +12 hook tests, +4 CI validator tests)
  • Reviewer spot-check: manually verify a git commit --no-verify attempt is blocked once the extension is reinstalled

feat: port a11y-architect agent + accessibility skill from upstream (#46) by @Jamkris

Summary

Ports two clean additions from everything-claude-code (upstream as of 4e66b28) that fit the Gemini CLI extension scope without rewriting:

  • agents/a11y-architect.md — WCAG 2.2 accessibility architect (Web/iOS/Android). Frontmatter migrated to the Gemini CLI shape per the strict validator added in #45.
  • skills/accessibility/SKILL.md — WCAG 2.2 implementation patterns. Copied as-is (no Claude-specific content).

Larger upstream items (gateguard hook + skill, bash dispatcher, Python LLM provider layer, Rust core, plugin manifests) are intentionally not included — they are deeply Claude-Code-protocol-coupled or out of scope for a Gemini CLI extension. PR 2 in this sync wave will cover block-no-verify.js and validate-workflow-security.js.

Frontmatter migration (a11y-architect)

Before (upstream) After (this PR)
model: sonnet + model: opus (duplicate, schema-forbidden) removed (Gemini CLI agent schema does not accept model)
tools: [Read, Write, Edit, Bash, Grep, Glob] tools: [read_file, write_file, replace, run_shell_command, search_file_content, glob]
Body content unchanged — no Claude-specific references

The migration is the exact mapping enforced by scripts/lib/gemini-tools.js (Phase 2 SoT).

Test plan

  • node scripts/ci/validate-agents.js — 48 agents validated (was 47)
  • node scripts/ci/validate-skills.js — 183 skill directories validated (was 182)
  • npm run lint — clean
  • npm test — 165/165 pass
  • Reviewer spot-check that the agent's tool list still makes sense for an accessibility audit workflow

Summary by CodeRabbit

  • Documentation
    • Added new accessibility agent guidance for designing WCAG 2.2 Level AA compliant interfaces
    • Included comprehensive skill documentation covering semantic mapping, focus management, and cross-platform labeling standards for Web, iOS, and Android
    • Provided best practices, anti-patterns, and implementation examples for accessible components

feat: strict agent/command validators to prevent Issue #34-class regr… (#45) by @Jamkris

Strengthens the existing CI validators to catch frontmatter and filename issues before the Gemini CLI agent loader rejects them.

scripts/lib/gemini-tools.js (new)

  • Single source of truth for the 11 valid Gemini CLI tool names
  • Claude-style → Gemini name mapping table for actionable error hints
  • Levenshtein-based "Did you mean?" suggestions for typos
  • Frontmatter validator: required keys, forbidden keys (color/model), malformed/empty tools array, MCP entries

scripts/ci/validate-agents.js

  • Now uses the lib instead of only checking that "tools" exists
  • Catches Read/Edit/Bash, search_files/replace_in_file, mcp__* tools, and color/model keys (all of which break the loader)

scripts/ci/validate-commands.js

  • Enforces egc- filename prefix (PR #38 regression guard)
  • Requires a non-empty description field
  • Logic exported as a module for integration tests

tests/lib/gemini-tools.test.js (new, 24 cases)

  • parseToolsField, suggestTool, validateToolList, validateAgentFrontmatter, allowlist sanity

tests/lint/validators.test.js (new, 13 cases)

  • Fixture-based: good + Claude-style + MCP + forbidden keys + legacy names + missing frontmatter; mirrored for commands
  • Plus a sweep that runs the live validators across every real agents/.md and commands/.toml in the repo

.gemini/styleguide.md

  • Notes that scripts/lib/gemini-tools.js is the authoritative allowlist and the styleguide is its human-facing mirror

Lint green / 161 tests pass (was 124).

Summary by CodeRabbit

  • New Features

    • Enhanced validation for agent and command configurations with detection of invalid tool names, forbidden keys, missing descriptions, and naming convention violations.
    • Added intelligent tool name suggestions for common misspellings.
  • Documentation

    • Updated style guide to clarify validation requirements and enforcement mechanisms.
  • Tests

    • Added comprehensive test suites and fixtures for validation verification.

chore: release v1.3.4 (#44) by @Jamkris

Bump version to 1.3.4