Releases: Jamkris/everything-gemini-code
Release list
v1.3.15
What's Changed in v1.3.15
docs(upstream): sync round 6 — advance baseline to 1e8c7e7 (2026-05-26) (#88) by @Jamkris
Summary
Sixth upstream sync round. Advances the recorded baseline from 3b7e0ba3 (2026-05-18) to 1e8c7e7 (2026-05-20 UTC, evaluated 2026-05-26), closing tracker issue #87 on the next upstream-drift.yml tick. 102 commits triaged; per-commit dispositions land in upstream/sync-rounds/2026-05-26.md.
Headlines:
- Two EGC-authored PRs landed upstream during this window, both ECC-only surface (not back-portable):
- ECC PR #1982 — Unicode Tag block (
U+E0000–U+E007F) + six other invisible code points added tocheck-unicode-safety.jsdenylist. Canonical "ASCII smuggling" / "Tag Smuggling" LLM prompt-injection vector. Validator does not exist in EGC's port surface. - ECC PR #1983 —
writeBridgeAtomic/writeWarnStateENOENT race + Windows EPERM/EACCES/EBUSY rename retry. Touches theecc-metrics-bridge/ecc-context-monitorcost-observability surface, which is not part of EGC.
- ECC PR #1982 — Unicode Tag block (
- 78 of 102 commits are ECC release-readiness / billing-readback / dashboard refresh / video-suite operations log (May 18–20 RC1 publication cycle, ECC 2.0 hypergrowth lane) with no EGC analogue — clean skip.
- 9 out-of-surface fixes skip cleanly:
claude-projectinstall-target trio, Python LLM providers (OpenAI/AstraFlow empty-choices guard), MCP health-check 406 handling,gateguard-fact-forcequoting, IOC deny-rule filter,resolve-ecc-root.jsplugin bootstrap. - Three substantial net-new items deferred to focused follow-up PRs:
- Blender motion-state inspection skill (community contribution)
- Harness-audit integration scoring extension (ECC PR #1990, +214 LOC in script / +192 LOC in tests / .md→.toml command translation needed)
continuous-learning-v2project-registry maintenance (757-line change; EGC missingdetect-project.sh)
- One trivial clean-delete portable candidate (
812d4d0— deleteskills/strategic-compact/suggest-compact.sh, unreferenced in EGC's runtime path) filed for a small follow-up PR rather than bundled here, so a regression there does not block the baseline cycle.
No new EGC→ECC PR opens this round — the two high-value targets are already merged into ECC main, and the remaining commits are out-of-surface or substantial enough to need focused PRs.
Files changed
upstream/.upstream-sync.json—lastSyncedSha/lastSyncedAt/notesadvanced to round 6.upstream/README.md— Baseline badge, last-synced commit link, last-synced date, round-notes pointer list extended.upstream/ko-KR/README.md,upstream/zh-CN/README.md— catch-up update: localised mirrors had been left on the round-3 baseline393d397e(2026-05-13); both now point at the round-6 SHA and list the full pointer chain (5 rounds).upstream/sync-rounds/2026-05-26.md— new round-6 inventory.
Test plan
-
npm run lint— clean -
npm test— 308/308 pass (includesci/validate-upstream-sync.test.js9/9, all 5 fixture tests) -
node scripts/ci/validate-upstream-sync.js— both files reference1e8c7e7 - Compare endpoint
3b7e0ba..1e8c7e7returnsahead_by: 102(matches tracker issue #87) - Baseline badge URL renders against shields.io
- Round-notes pointer paths all resolve from
upstream/README.mdand from both localised READMEs
Related
- Closes #87 (Upstream Sync tracker — 102 commits ahead since
3b7e0ba) - Prior round: #86 (Round 5, baseline
3b7e0ba3)
Summary by cubic
Advance the upstream baseline and publish round‑6 notes to keep EGC in sync with ECC. Tidy the round‑6 notes (rename the “Detailed dispositions” section and correct the footer date to 2026‑05‑20), update upstream/.upstream-sync.json and localized READMEs (ko‑KR, zh‑CN), and add upstream/sync-rounds/2026-05-26.md; no runtime changes; closes #87.
Written for commit aa1eae7. Summary will update on new commits. Review in cubic
Summary by CodeRabbit
-
Documentation
- Updated upstream synchronization docs across languages (en, ko-KR, zh-CN) and added the 2026-05-26 sync round report detailing drift, dispositions, and follow-up items.
-
Chores
- Advanced upstream synchronization to round six and updated baseline tracking metadata and round notes to reflect the latest sync.
chore: release v1.3.14 (#86) by @Jamkris
Bump version to 1.3.14
Summary by cubic
Bump everything-gemini-code to v1.3.14 across package.json, .gemini-plugin/plugin.json, and gemini-extension.json to prepare the release and keep manifests in sync.
Written for commit c5fd746. Summary will update on new commits. Review in cubic
v1.3.14
What's Changed in v1.3.14
docs(upstream): sync round 2026-05-18 — advance baseline to 3b7e0ba3 (#85) by @Jamkris
Summary
Fifth upstream sync round. Inventories 137 commits between baseline f7315016 (2026-05-15) and ECC HEAD 3b7e0ba3 (2026-05-18) and advances the baseline files.
| Bucket | Count | Disposition |
|---|---|---|
| EGC-authored, already in ECC main | 10 | already in EGC (ECC PR #1970 + #1971) |
| ECC ops logs (Tools / AgentShield / rc1 / readiness) | ~92 | skip |
| ja-JP localization batch | ~15 | deferred |
| Net-new skills / locales / installer flag / deps bumps | ~14 | deferred |
| Out-of-port-surface (cost-monitor / IOC scanner / etc.) | ~6 | skip |
| Total | 137 |
Full per-commit table in upstream/sync-rounds/2026-05-18.md.
What's notable
No new EGC-authored ECC PR opens this round. The two PRs that would have been this round's top targets — workflow-security validator hardening + ecc-metrics-bridge cost-reporting — were opened upstream during round 4 and merged during this round's window. They ARE the backport, in the other direction.
The remaining 127 commits split into ECC operations log (no EGC analogue), substantial deferred candidates (ja-JP locale, new skills, installer --locale flag), and out-of-port-surface ECC hooks (ecc-context-monitor, gh-token-monitor, supply-chain IOC scanner, Zed install target).
Commit layout
Same shape as round 4: two commits so the narrative artefact and the baseline flip stay separable.
docs(upstream): add sync round note for 2026-05-18— adds the new round file only.docs(upstream): advance baseline to 3b7e0ba3 (2026-05-18)— flipsupstream/.upstream-sync.jsonANDupstream/README.mdatomically (the validator requires the SHA to match).
Validation
node scripts/ci/validate-upstream-sync.js→OK — both files reference 3b7e0banpm run lint— clean- No code changes;
npm testunaffected
Closes #77 on the next upstream-drift.yml cron tick.
Deferred net-new ECC features (carry forward)
New to the queue from this round:
uncloudskill (community contribution)recsys-pipeline-architectskill (community contribution)- Thai (
th) README + docs locale - Japanese (
ja-JP) full documentation translation - Installer
--localeflag for selective translated-docs installation - TypeScript 6 +
@types/node25 toolchain bumps - Zed install target (likely permanent-skip given EGC's Gemini-only positioning)
Plus all items already deferred from rounds 1–4.
Test plan
- CI lint passes
- CI
validate-upstream-sync.jsconfirms both files reference the same SHA - Round note renders correctly on GitHub (tables, links)
- Baseline badge in
upstream/README.mdshows the new SHA - Issue #77 auto-closes on next
upstream-drift.ymlrun
Summary by cubic
Advances the upstream baseline to 3b7e0ba3 (2026-05-18) and records the round‑5 inventory to keep EGC in sync with ECC. Updates upstream/.upstream-sync.json and upstream/README.md; adds upstream/sync-rounds/2026-05-18.md; no code changes.
Written for commit 2a11811. Summary will update on new commits. Review in cubic
Summary by CodeRabbit
-
Chores
- Completed fifth upstream sync round with updated metadata and baseline references.
-
Documentation
- Updated upstream baseline information and added sync round documentation including disposition summaries and feature tracking details.
chore: release v1.3.13 (#84) by @Jamkris
Bump version to 1.3.13
Summary by cubic
Prepare the v1.3.13 release by bumping the everything-gemini-code version in package.json, .gemini-plugin/plugin.json, and gemini-extension.json. No code changes; metadata only.
Written for commit 0bbecd4. Summary will update on new commits.
v1.3.13
What's Changed in v1.3.13
docs(upstream): sync round 2026-05-15 — advance baseline to f7315016 (#83) by @Jamkris
Summary
Fourth upstream sync round. Inventories the 46 commits between EGC's previously-recorded ECC baseline 393d397e (2026-05-13) and ECC main HEAD f7315016 (2026-05-15), records per-commit dispositions, and advances the baseline files.
Same path-based bucketing as rounds 2026-05-12 and 2026-05-13. Buckets are mutually exclusive; the first matching rule wins.
Inventory
| Bucket | Count | Notable items |
|---|---|---|
| E:shared-logic / D:other-harness | 4 | 375d750b (ECC PR #1905 integrating EGC-authored #1889 — being ported in branch feat/port-dev-server-block-from-ecc) |
| F:ci/packaging | 5 | f7315016 command registry, 7d15a228 IOC scanner — both deferred to net-new round |
| A:skills / A:rules | 2 | c2762dd5 Ruby/Rails rules — deferred |
| A:docs / H:meta | 32 | ECC-Tools / AgentShield roadmap sync — skip (no EGC equivalent) |
| X:needs-review | 3 | 6be241a4 (= ECC PR #1843, EGC-authored, already in EGC), 24867327 analyzer hardening (deferred) |
| Total | 46 |
Full per-commit table with SHAs and disposition rationale is in upstream/sync-rounds/2026-05-15.md.
What landed in EGC because of this round
This round catalyses three EGC-side PRs, opened as separate branches to keep review surfaces focused:
-
In-flight port (this round's primary output):
feat/port-dev-server-block-from-ecc— picks upscripts/lib/shell-substitution.js,scripts/lib/shell-split.js, andscripts/hooks/pre-bash-dev-server-block.jsfrom ECCmain(where they landed via #1905 integrating EGC-authored #1889) and switches thehooks/hooks.jsondev-server matcher from inline regex to the new script. Closes 4 false-negative variants and 3 false-positive quote-literal cases the inline matcher couldn't distinguish. -
Adjacent EGC-only fix:
fix/inline-matcher-quote-literal-false-positives— tightens the three remaining inline matchers (tmux reminder, git push reminder, build analysis) with^\s*anchors and missing variants. -
Adjacent EGC-only fix:
fix/md-block-hook-whitelist— expands the md-block hook whitelist with standard OSS files (SECURITY, CHANGELOG, etc.) and EGC convention directories (agents/,skills/,workflows/,rules/, …) that were previously over-blocked.
This PR is the recording PR — it does not include the code changes from those three branches. Once the three land, this round's baseline advance is consistent with what's in main; if any of them stays open, the deferred items list in the next sync round will record that explicitly.
Commit layout
Two commits so the narrative artefact and the baseline flip stay separable:
docs(upstream): add sync round note for 2026-05-15— adds the new round file (upstream/sync-rounds/2026-05-15.md) only. No baseline change.docs(upstream): advance baseline to f7315016 (2026-05-15)— flipsupstream/.upstream-sync.json(lastSyncedSha,lastSyncedAt,notes) and the matching lines inupstream/README.md(baseline badge, last-synced commit link, last-synced date, round-notes pointer list) atomically.
The two-file update in commit (2) is done atomically because scripts/ci/validate-upstream-sync.js requires the SHA in the JSON and the SHA in the README to match — splitting them would briefly fail validation.
Validation
node scripts/ci/validate-upstream-sync.js—OK — both files reference f731501.npm run lint— clean (markdownlint passes on the new round note).- No code changes;
npm testnot affected.
Deferred net-new ECC features (carry forward)
New items added to the deferred queue from this round:
- Ruby / Rails rules (
c2762dd5) - supply-chain IOC scanner (
7d15a228) - command registry / coverage checks (
f7315016) — needs EGC-native equivalent because EGC's command format is.toml, not.md - GitHub Copilot prompt support (
766f4ee1)
Plus all items already deferred from rounds 1–3.
Test plan
- CI lint passes
- CI
validate-upstream-sync.jsconfirms both files reference the same SHA - Round note renders correctly on GitHub (tables, links, headings)
- Baseline badge in
upstream/README.mdshows the new SHA
Summary by cubic
Advance the recorded ECC baseline to f7315016 (2026-05-15) and add the round‑4 upstream sync inventory note.
Updates upstream/.upstream-sync.json and upstream/README.md to the new SHA/date and adds upstream/sync-rounds/2026-05-15.md; CI validator (scripts/ci/validate-upstream-sync.js) confirms both files reference the same SHA.
Written for commit 38c75ac. Summary will update on new commits.
fix(hooks): expand md-block whitelist with OSS standards + EGC convention dirs (#82) by @Jamkris
Summary
hooks/hooks.json has a "block random .md file creation" hook that allowed exactly four filenames: README, CLAUDE, AGENTS, CONTRIBUTING. Everything else gets BLOCKED with [Hook] BLOCKED: Unnecessary documentation file creation.
That whitelist is too narrow on two axes:
-
Standard OSS files that this repo already contains and every other OSS repo expects (
SECURITY.md,CODE_OF_CONDUCT.md,CHANGELOG.md,LICENSE.md,SUPPORT.md) all get blocked.GEMINI.md— the Gemini CLI analogue ofCLAUDE.md— is also missing despite living at this repo's root. -
EGC convention directories. Every contribution path EGC actively encourages —
skills/<name>/SKILL.md,agents/<name>.md,workflows/<name>.md,rules/<lang>/<name>.md,commands/<name>.md, translated docs underdocs/<locale>/, etc. — gets blocked. EGC has 51 workflow files and 48 agent files, so a contributor adding a 49th agent currently gets denied by EGC's own hook.
This PR fixes both classes.
Behavior matrix (before → after)
| File path | Before | After | Why |
|---|---|---|---|
README.md |
allow | allow | unchanged |
CLAUDE.md, AGENTS.md, CONTRIBUTING.md |
allow | allow | unchanged |
GEMINI.md |
BLOCK | allow | added — Gemini CLI's CLAUDE.md analogue |
SECURITY.md |
BLOCK | allow | already exists in this repo |
CODE_OF_CONDUCT.md |
BLOCK | allow | already exists in this repo |
CHANGELOG.md, LICENSE.md, SUPPORT.md |
BLOCK | allow | standard OSS community-health files |
skills/python-patterns/SKILL.md |
BLOCK | allow | EGC skill bundle entry point |
skills/python-patterns/references/django.md |
BLOCK | allow | EGC skill reference doc |
agents/planner.md |
BLOCK | allow | EGC agent file |
workflows/tdd.md |
BLOCK | allow | EGC workflow file |
rules/typescript.md |
BLOCK | allow | EGC rule file |
commands/egc-grok.md |
BLOCK | allow | EGC command file |
docs/ko-KR/README.md |
allow | allow | unchanged (already worked) |
examples/foo.md |
BLOCK | allow | EGC examples dir |
templates/foo.md |
BLOCK | allow | EGC templates dir |
mcp-configs/README.md |
allow | allow | unchanged (README name) |
upstream/sync-rounds/2026-05-15.md |
BLOCK | allow | upstream sync notes |
TODO.md, NOTES.md, MEETING.md, random.md, random.txt |
BLOCK | BLOCK | still blocked — intended target |
src/foo.md |
BLOCK | BLOCK | non-convention path, still blocked |
tests/upstream-fixtures.md |
BLOCK | BLOCK | upstream as filename substring (not directory) — `(^ |
Commit layout
Two commits so each axis can be reviewed independently:
-
fix(hooks): expand md-block whitelist with standard OSS docs— addsGEMINI,CHANGELOG,SECURITY,LICENSE,CODE_OF_CONDUCT,SUPPORTto the filename whitelist (regex(README|CLAUDE|AGENTS|GEMINI|CONTRIBUTING|CHANGELOG|SECURITY|LICENSE|CODE_OF_CONDUCT|SUPPORT)\.md$). 3-line diff. Reference: GitHub's community-standards list. -
fix(hooks): allow EGC convention directories in md-block hook— adds a second exclusion clause for files under any path matching(^|/)(agents|skills|workflows|rules|commands|docs|examples|mcp-configs|templates|upstream)/. The(^|/)anchor prevents false matches on filenames that happen to contain those words (upstream-fixtures.mdis notupstream/fixtures.md).
Both the matcher (line 46) and the inline script's regex (line 50) are kept in sync — the matcher decides whether the hook fires, the script decides whether to block, so they must agree.
Tests
node scripts/ci/validate-hooks.js— clean.npm test— 279/279 pass.npm run lint— clean.
No new test file because the hook is inline node -e JavaScript. The behaviour is verified against the table above via a direct regex check in the commit body, and the same regexes are validated by the JSON-schema hook validator.
Test plan
- CI lint passes
- CI tests pass
- Manual: write each "Before BLOCK → After allow" path above through
write_file, confirm the hook no longer blocks - Manual: write each "still BLOCK" path, confirm the hook still blocks
Summary by cubic
Expand the .md/.txt blocking hook to allow standard OSS docs and files inside EGC convention directories. This prevents false blocks for valid docs like SECURITY.md, GEMINI.md, and skills/.../SKILL.md.
- Bug Fixes
- Whitelist standard filenames:
README,CLAUDE,AGENTS,GEMINI,CONTRIBUTING,CHANGELOG,SECURITY,LICENSE,CODE_OF_CONDUCT, `SUPP...
- Whitelist standard filenames:
v1.3.12
What's Changed in v1.3.12
docs: sync upstream baseline to 393d397 (#76) by @Jamkris
Summary
Final PR of the 2026-05-13 upstream sync round. Advances the recorded baseline from e9c88458 (2026-05-11) to 393d397 (2026-05-12) — the upstream HEAD at triage time and the last commit evaluated this round.
Round 3 PRs
- #74 — triage / audit log (
upstream/sync-rounds/2026-05-13.md) - #75 — port: code-reviewer guardrails + prompt defense baselines
Of 67 commits in the focused range: 2 ported, 8 deferred (net-new feature additions: PRD command, network architect agents, motion skills, Quarkus, Django Celery, cost tracking, frontend design, homelab configs), 57 skipped with rationale.
Files updated (4)
upstream/.upstream-sync.json—lastSyncedSha+lastSyncedAt+ round notes pointing at the new audit log.upstream/README.md— baseline badge, Last-synced commit, date, round-notes pointer (now references both 2026-05-13 and 2026-05-12).upstream/ko-KR/README.md+upstream/zh-CN/README.md— mirrored.
Expected post-merge behaviour
- The validator passes — the prose SHA and JSON SHA agree on
393d397. - Next scheduled or manually-dispatched
upstream-driftworkflow run will compute the delta against ECC's current HEAD. If ECC has moved past393d397(likely — they merge daily), issue #71 updates with the new (small) count. If no new ECC commits since393d397, #71 auto-closes.
Test plan
-
node scripts/ci/validate-upstream-sync.js— "OK — both files reference 393d397" -
npm run lintclean -
npm test279/279 - Manual link check — README baseline → ECC commit, audit log links → 2026-05-13.md + 2026-05-12.md
Round end
This PR closes round 3.
Related to #71.
port: code-reviewer guardrails + prompt defense baselines from ECC (#75) by @Jamkris
Summary
Two ports from the 2026-05-13 sync round:
agents/code-reviewer.md (df60af9)
Adds false-positive guardrails directly to the agent prompt:
- Pre-Report Gate — 4-question filter before writing any finding (cite line, name failure mode, read context, defensible severity).
- HIGH / CRITICAL require proof — exact snippet + scenario + why existing guards don't catch it. Demote or drop otherwise.
- "Zero findings is valid" — explicit license to APPROVE clean diffs instead of manufacturing nits.
- Common False Positives catalog — 12 patterns LLM reviewers consistently mis-flag (error handling already at framework level, magic numbers for well-known constants, missing JSDoc on self-describing helpers, security theater on
Math.random(), etc.). - Approval criteria updated — clean review is valid; don't withhold APPROVE to appear rigorous.
The intent is to reduce the kind of noise this very repo has been seeing in PR reviews — pattern-match nits with no concrete failure scenario.
GEMINI.md + 48 agent files (393d397)
Prepends a uniform Prompt Defense Baseline 6-bullet block:
- role / persona / identity protection
- confidential-data / secret protection
- executable-code output restraint
- unicode / homoglyph / encoded-trick suspicion
- external / untrusted data validation
- harmful-content prohibition
Block content is harness-agnostic; same text as upstream ECC. Inserted right after the closing frontmatter --- on every agent, and after the H1 + intro paragraph on GEMINI.md.
Applied via a one-shot script (idempotent — skips files already containing the block).
ECC commit in scope that did not port
cb2a70c(motion skill fix) — EGC hasremotion-video-creationbut notmotion-advanced/motion-foundations. The upstream motion skills are deferred net-new candidates for a future "ECC net-new" round.
Files changed (49)
| Group | Count | Source |
|---|---|---|
agents/code-reviewer.md |
1 (both ports) | df60af9 + 393d397 |
agents/*.md (other 47) |
47 | 393d397 |
GEMINI.md |
1 | 393d397 |
Total: +520 lines / -1 line.
Test plan
-
npm run lintclean -
npm test279/279 -
node scripts/ci/validate-agents.js— 48 agent files validated - Spot-checked 3 agents (architect, tdd-guide, code-reviewer) — block correctly inserted after frontmatter
- Spot-checked GEMINI.md — block inserted between intro paragraph and Guidelines section
Summary by cubic
Adds strict false-positive guardrails to the code-reviewer and applies a 6-point Prompt Defense Baseline to all agents and GEMINI.md to reduce review noise and strengthen prompt safety. This cuts low-signal findings and hardens prompts against injection and unsafe outputs.
-
New Features
- Code reviewer guardrails: 4-question pre-report gate; proof required for HIGH/CRITICAL; zero-findings APPROVE; skip common false positives; updated approval criteria.
- Prompt Defense Baseline: 6 rules (role/identity protection, secret protection, executable-output restraint, Unicode/encoding trick suspicion, untrusted-data validation, harmful-content ban) inserted across 48 agents and
GEMINI.md.
-
Migration
- No action needed. The baseline is auto-inserted after frontmatter; the script is idempotent and avoids duplicates.
Written for commit 92a84ba. Summary will update on new commits.
Summary by CodeRabbit
- Documentation
- Added comprehensive safety baselines to agent instructions, enforcing explicit constraints for identity preservation, data confidentiality, restricted output formats, and validation of untrusted inputs to ensure consistent secure behavior across all agents.
docs: triage ECC upstream commits e9c8845..393d397 (#74) by @Jamkris
Summary
Round 3 audit log. ECC moved 67 commits forward of the baseline recorded at the end of round 2 (#71 reported 65 when the drift tracker opened; ECC merged 2 more before triage).
Round 3 totals
| Category | Port now | Defer (net-new) | Skip |
|---|---|---|---|
| skills | 0 | — | 1 |
| docs | 0 | — | 30 |
| agents | 2 | — | 0 |
| commands | 0 | — | 0 |
| shared logic | 0 | — | 6 |
| CI / packaging | 0 | — | 2 |
| other-harness (net-new features) | 0 | 8 | 0 |
| meta | 0 | — | 1 |
| needs-review (edge cases) | 0 | — | 17 |
| Total | 2 | 8 | 57 |
Notable findings
df60af9(code-reviewer guardrails) — adds Pre-Report Gate, HIGH/CRITICAL proof rules, "zero findings is valid" guidance, and a Common False Positives catalog to ECC's code-reviewer agent. All harness-agnostic. Port target.393d397(prompt defense baselines) — adds a uniform 6-bullet prompt-defense block to ECC'sCLAUDE.mdand every agent file (71 files total upstream). Port target — apply to EGC'sGEMINI.mdand all agents.
Deferred (8 net-new features)
ECC added meaningful new surfaces this round that exceed a sync-round port scope: PRD planning command, network architect agents, motion system skills, Quarkus handling, Django Celery workflow, cost tracking + skill scout, frontend design guidance, homelab config skills. These join the deferred net-new candidates from round 2 (tinystruct-patterns, ios-icon-gen, flox-environments) — should be opened as a dedicated "ECC net-new" PR set in a future round.
Follow-up PRs
- `port: code-reviewer guardrails + prompt defense baselines from ECC`
- `docs: sync upstream baseline to 393d397` — closes #71
Test plan
- `npm run lint` clean
- `npm test` 279/279
- Doc-only change
Summary by cubic
Adds the 2026-05-13 upstream sync inventory documenting ECC drift (67 commits from e9c8845 to 393d397). It calls out two port targets (code-reviewer guardrails and prompt-defense baselines), defers eight net-new features, and marks 57 skips to guide follow-ups.
Written for commit 925b1c8. Summary will update on new commits.
Summary by CodeRabbit
- Documentation
- Added comprehensive documentation for the 2026-05-13 upstream sync round, including triage inventory results across multiple categories, summary statistics, and suggested follow-up actions.
docs: record ECC backport in...
v1.3.11
What's Changed in v1.3.11
docs: sync upstream baseline to e9c88458 (#70) by @Jamkris
Summary
Final PR of the 2026-05-12 upstream sync round. Advances the recorded baseline from 9db98673 (2026-02-09) to e9c88458 (2026-05-11) — the upstream HEAD at triage time and the last commit evaluated in this round.
What landed in this round
- #66 — triage / audit log (
upstream/sync-rounds/2026-05-12.md) - #67 — port: skill curation updates from ECC
- #68 — port: hook + validator fixes from ECC (closed two real bypass holes; 3 rounds of bot review)
- #69 — port: plan command graceful degradation
Of the 159 commits in the focused range (4e66b288..e9c88458):
| Disposition | Count |
|---|---|
| Ported | 9 |
| Evaluated inline + skipped | 5 |
| Deferred (eligible net-new skills) | 3 |
| Skipped with rationale | 142 |
The 142 skips are dominated by ECC-runtime-only surfaces (loop-status, gateguard, insaits-security-*, ECC's cursor/codex/opencode install targets, ecc2 RC1 work) and Claude-Code-specific session-start / observe-runner / MCP-disable changes.
Files updated (4)
upstream/.upstream-sync.json—lastSyncedSha+lastSyncedAt+ round notes pointing at the audit log.upstream/README.md— baseline badge, Last-synced commit, date, and a round-notes pointer.upstream/ko-KR/README.md+upstream/zh-CN/README.md— same three updates mirrored.
Why the baseline is the evaluated SHA, not ECC HEAD
ECC has continued to merge commits since triage (~820e07f at the time of this PR). The sync policy explicitly chooses to advance the baseline to the last commit actually evaluated rather than the current upstream HEAD — see upstream/README.md → Recording a sync. Lying about the SHA would close issue #60 prematurely and hide unevaluated drift.
Expected post-merge behaviour
- The CI validator (
validate-upstream-sync.js) passes — the prose SHA and JSON SHA agree one9c8845. - The next scheduled or manually-dispatched
upstream-driftworkflow run will compute the delta against ECC's current HEAD, find a small drift (only the ~1–2 days of new ECC commits sincee9c88458), and update issue #60 with the new (much smaller) count. - Issue #60 will not auto-close because ECC continues to merge faster than EGC catches up. That is exactly the "best-effort, surface drift" policy at work — the tracker now shows progress instead of an inflated 1500+ figure.
Test plan
-
node scripts/ci/validate-upstream-sync.js— "OK — both files reference e9c8845" -
npm run lint— clean -
npm test— 279/279 - Manual link check — README baseline → ECC commit, audit log link →
sync-rounds/2026-05-12.md - Post-merge: manually dispatch the upstream-drift workflow and verify issue #60 updates with the new count instead of duplicating to a new issue
Round end
This PR closes the round. Future rounds will start fresh with a new triage file under upstream/sync-rounds/.
Related to / will eventually close #60 once ECC's commit cadence catches down (or, more realistically, the next round).
Summary by cubic
Advances the recorded upstream baseline to e9c88458 (2026-05-11), the last commit evaluated in the 2026-05-12 sync round, and points docs to that round’s audit log. Updates upstream/.upstream-sync.json, upstream/README.md, upstream/ko-KR/README.md, and upstream/zh-CN/README.md with the new SHA, date, and notes; the next drift run will recalc against ECC’s current HEAD and shrink the count in issue #60.
Written for commit b18af8f. Summary will update on new commits.
Summary by CodeRabbit
Chores
- Updated upstream synchronization baseline and configuration metadata to reflect the latest evaluated commit.
- Refreshed README documentation in English, Korean, and Chinese languages with current upstream synchronization details and sync date of May 13, 2026.
- Updated internal synchronization tracking notes and references to correspond with the latest round of upstream evaluation.
port: plan command graceful degradation (#69) by @Jamkris
Summary
Third port PR from the 2026-05-12 upstream sync round (audit log: upstream/sync-rounds/2026-05-12.md).
Ports ECC 17aafc4 ("fix: make plan command work without planner agent") to EGC's commands/egc-plan.toml.
Why
EGC's previous prompt asserted that /egc-plan "invokes the planner agent" unconditionally. When the @planner subagent is unavailable — agents not installed, runtime cannot resolve the name, plugin-only install — the assistant surfaces an Agent type 'planner' not found error instead of producing a plan. The fix makes the command run inline by default and treat the planner agent as an optional enhancement.
Changes to the prompt
- Opening paragraph reframes
/egc-planas "creates a plan" and explicitly states inline-by-default + no default subagent delegation. - "How It Works" attributes the steps to "The assistant" instead of "The planner agent".
- Example header changes from
Agent (planner):toAssistant:so the example does not imply the agent is mandatory. - CRITICAL guard reattributed to "this command" instead of "the planner agent".
- "Related Agents" section renamed to "Optional Planner Agent" with explicit fallback instructions: continue inline if
@planneris unavailable rather than erroring. Reference toagents/planner.mdretained for manual installs that ship the agent file.
New tests (3)
tests/commands/plan-command.test.js — adapted from ECC's test of the same name. Reads commands/egc-plan.toml and asserts:
- New inline-by-default contract is present (
Do not delegate to the @planner subagent, planner-unavailable fallback). - Old mandatory-agent strings are gone (
invokes the **planner** agent,The planner agent will:,Agent (planner):). - The CRITICAL WAIT-for-CONFIRM contract is preserved (regression guard against future rewrites stripping it).
ECC commit in scope that did not port
2fd8dfc(docs: clarify MCP disable guidance) — entirely Claude Code-specific surface (~/.claude.jsonruntime persistence, the Claude/mcpcommand,disabledMcpServersconfig key,ECC_DISABLED_MCPSenv var,.claude/settings.jsonpaths). EGC's MCP layer is Gemini CLI'smcp-configs/model; none of the specific facts in the upstream doc map cleanly. EGC's current guidance ("Disable unused servers in project settings") is already harness-correct at the right altitude.
Test plan
-
npm run lintclean -
npm test279/279 (+3 new incommands/plan-command.test.js) -
node scripts/ci/validate-commands.js— 80 command files validated - Manually re-read the prompt —
/egc-planwould still produce the same WAITING FOR CONFIRMATION protocol when invoked, just without an upfront@plannerdispatch
Summary by cubic
Make /egc-plan work without the @planner agent by running inline by default and treating @planner as optional. This prevents "Agent type 'planner' not found" errors and keeps planning usable across installs.
- Bug Fixes
- Updated
commands/egc-plan.tomlto run inline by default, avoid default delegation to@planner, and continue inline if@planneris unavailable. - Reworded prompt to attribute steps to the assistant, updated example header to "Assistant:", and preserved the CRITICAL wait-for-confirmation rule.
- Added
tests/commands/plan-command.test.jsand registered it intests/run-all.jsto enforce the new inline-by-default contract and the confirmation guard.
- Updated
Written for commit a3314d9. Summary will update on new commits.
Summary by CodeRabbit
Release Notes
-
Improvements
- Updated
/egc-plancommand to default to inline execution rather than delegating to subagents, with strengthened confirmation prompts before code generation.
- Updated
-
Tests
- Added test coverage to validate
/egc-plancommand behavior and execution flow.
- Added test coverage to validate
port: hook + validator fixes from ECC (#68) by @Jamkris
Summary
Second port PR from the 2026-05-12 upstream sync round (audit log: upstream/sync-rounds/2026-05-12.md).
Lands two real correctness fixes plus the matching CI...
v1.3.10
What's Changed in v1.3.10
chore: restore original Next-steps footer in release.sh (#64) by @Jamkris
Summary
Summary by cubic
Restored the original “Next steps” footer in scripts/release.sh to match our release flow and remove the -u flag. It now prompts to push the branch, push the tag, create a PR into main with gh pr create, push the tag after merge, and check GitHub Actions.
Written for commit ddc8757. Summary will update on new commits.
chore: release v1.3.9 (#63) by @Jamkris
Bump version to 1.3.9
Summary by cubic
Release v1.3.9 by bumping the version from 1.3.8 to 1.3.9 across manifests to keep the plugin and extension aligned. Updated package.json, .gemini-plugin/plugin.json, and gemini-extension.json.
Written for commit 8590daa. Summary will update on new commits.
chore: refuse release.sh from main; require release branch (#62) by @Jamkris
Summary
`scripts/release.sh` used to run on any branch and only print a hint about creating a PR when not on `main`. Running it from `main` accidentally commits a version bump directly to `main`, bypassing PR review, CI, and the merge audit trail. This happened today — two stray local commits had to be reset.
This PR adds an explicit guard: if HEAD is on `main`, the script prints the proper 5-step workflow and exits 1 before touching any file. No env-var escape hatch — normalising the wrong path is what caused the incident in the first place.
Behaviour
Before: running on main silently committed the version bump to main; a footer suggested a PR but the bump was already on the wrong branch.
After:
```
$ git checkout main
$ ./scripts/release.sh 1.3.9
Error: refusing to run release from 'main' branch.
Version bumps must go through a PR:
- git checkout -b chore/release-v1.3.9
- ./scripts/release.sh 1.3.9 # re-run on the release branch
- git push -u origin chore/release-v1.3.9
- gh pr create --title "chore: release v1.3.9" --body "Bump version to 1.3.9"
- Merge once CI is green, then push the tag.
```
On any non-main branch, the script proceeds normally.
Also in this PR
- Dropped the dead `if [ "$BRANCH" != "main" ]` footer branch — `BRANCH = main` is now unreachable past the guard, so collapsed the "Next steps" to the single correct path.
Test plan
- `npm run lint` — clean
- `npm test` — 264/264
- Dry-run on `chore/release-guard` branch — script proceeds past the guard (made a throwaway 9.9.9 commit, rolled back)
- Dry-run on `main` — script prints the 5-step workflow and exits 1; `package.json` / `gemini-extension.json` / `plugin.json` are not modified
Follow-up (after this merges)
Re-do the 1.3.9 release the proper way:
- `git checkout main && git pull`
- `git checkout -b chore/release-v1.3.9`
- `./scripts/release.sh 1.3.9`
- Push the branch, open the release PR, merge, push the tag.
Summary by cubic
Add a hard guard in scripts/release.sh to refuse running on main, forcing releases to go through a release branch and PR. This prevents accidental version bumps on main and ensures CI and review run every time.
- Refactors
- Detect
main, print a 5-step release workflow, and exit 1 before touching files. - Remove the dead
if [ "$BRANCH" != "main" ]branch and simplify “Next steps” to the single PR path (push branch, open PR, push tag after merge).
- Detect
Written for commit 468bf4f. Summary will update on new commits.
fix: issue body must report compare.ahead_by, not commits.length (#61) by @Jamkris
Summary
Smoke run after PR #59 merged surfaced a title/body inconsistency on tracking issue #60. Title said "1521 new commits" (correct); body said "has 250 commit(s) ahead" and "250 total, showing first 50" (wrong).
Root cause: the GitHub compare endpoint caps commits[] at 250 per response regardless of the true delta. formatIssueBody was using commits.length for the intro and the details summary, so any delta above 250 silently displays as 250.
Fix
scripts/lib/upstream-drift.js— add requiredtotalCountparam toformatIssueBody. Use it for:- intro: "has N commit(s) ahead"
- details summary: "showing first X of N"
- truncation footer: "… and (N − shown) more"
scripts/upstream/check-upstream-drift.js—buildIssueContentpassescompare.ahead_byastotalCount.
Tests
- New: API-cap scenario (
totalCount=1521,commits.length=250) — body must not mention 250 anywhere. - New: total-fits-in-display scenario — simple
Commits (N)summary, no truncation footer. - New: rejects negative / non-integer
totalCount. - Existing tests updated to pass
totalCount.
Verification
-
npm run lintclean -
npm test→ 264/264 (was 261) - Post-merge: re-dispatch workflow, confirm issue #60 body intro now says "1521" and the details summary says "showing first 50 of 1521"
Before / after (issue #60 body intro)
- Upstream `affaan-m/everything-claude-code` has **250** commit(s) ahead of the recorded baseline.
+ Upstream `affaan-m/everything-claude-code` has **1521** commit(s) ahead of the recorded baseline.- <summary>Commits (250 total, showing first 50)</summary>
+ <summary>Commits (showing first 50 of 1521)</summary>- - _… and 200 more. See the [full diff](…)._
+ - _… and 1471 more. See the [full diff](…)._Summary by cubic
Fixes incorrect commit counts in the upstream drift tracking issue body when more than 250 commits are ahead. The body now uses compare.ahead_by for all counts, matching the title and avoiding the GitHub compare API cap.
- Bug Fixes
formatIssueBodynow acceptstotalCountand uses it in the intro, details summary, and truncation text.buildIssueContentpassescompare.ahead_byastotalCountto avoid relying on cappedcommits[].- Added tests for API-cap scenarios, no-truncation cases, and invalid
totalCount.
Written for commit 2e0c8fb. Summary will update on new commits.
Summary by CodeRabbit
- Improvements
- Upstream drift tracking now accurately counts all commits ahead of upstream sources, even when API results are truncated, providing more precise repository synchronization reporting.
feat: upstream drift tracker (issue mgmt, cron, SHA validator) (#59) by @Jamkris
Summary
Bundles of the upstream-drift tracker plan from #58. log-only detection shipped already this PR brings the tracker to feature-complete.
| Phase | Adds |
|---|---|
| 2 | Rolling tracking issue (🔄 Upstream Sync), weekly cron (Mon 06:00 KST = Sun 21:00 UTC), recursive failure tracking (⚠ Upstream Sync Failure), new labels in the manifest |
| 3 | CI validator asserting that the SHA in upstream/README.md agrees with upstream/.upstream-sync.json; wired into reusable-validate.yml |
Net behaviour:
- Drift becomes a number on an open issue, refreshed weekly.
- When the maintainer advances the baseline SHA, the tracker closes the issue automatically on the next run.
- If the workflow itself errors, a separate rolling issue surfaces that fact (same trick recursively applied).
- A SHA typo in either file fails CI on PR review.
File-by-file
Library (pure, fully unit-tested)
scripts/lib/upstream-drift.js— addspickActiveIssue,decideAction,extractCommitsForBody.
Entry script
scripts/upstream/check-upstream-drift.js— rewritten main flow. Lists open🔄 Upstream Syncissues, decidesnoop | close | create | update, executes viagh issue …(execFileSync, argv array — no shell).
Workflow
.github/workflows/upstream-drift.ymlschedule: cron '0 21 * * 0'permissions: { contents: read, issues: write }if: failure()step that ensures a single⚠ Upstream Sync Failureissue points at the failing run URL.
Labels
.github/labels.yml— adds🔄 Upstream Sync(green) and⚠ Upstream Sync Failure(red). Sync to GitHub withscripts/setup-labels.sh.
Phase 3 validator
scripts/ci/validate-upstream-sync.js— env-overridable paths so tests can point at fixtures. Specific error message on mismatch (prints both SHAs side by side)..github/workflows/reusable-validate.yml— adds a sixth validation step.
Tests (+19 new, 261 total)
tests/lib/upstream-drift.test.js— +11 tests for the new pure functions (action matrix, defensive multi-issue handling, compare-API flattening).tests/ci/validate-upstream-sync.test.js— 9 tests covering the pure function and end-to-end (match, mismatch, missing line, malformed JSON, malformed SHA).tests/run-all.js— registers the new test file.
Docs
upstream/{README,ko-KR/README,zh-CN/README}.md— references to the Action and the validator switched from "planned / will add" to present tense (both have now landed).
Test plan
-
npm run lint— clean - `npm te...
v1.3.8
What's Changed in v1.3.8
docs: document upstream sync policy and ecosystem-port framing (#56) by @Jamkris
Summary
Response to @affaan-m's review on affaan-m/everything-claude-code#1343. The maintainer flagged drift risk, asked for a documented sync policy, and asked for a clear "changed vs copied" delta. This PR addresses each of those asks in a doc-only change.
docs/UPSTREAM.md(new): records the upstream baseline (ECC9db98673...— the ECC HEAD ~1h before EGC's initial commitff331996), a best-effort sync policy, a category-level changed/copied/removed/added table, and an honest "known drift" section.docs/.upstream-sync.json(new): machine-readable mirror of the same baseline. Sets up the state file that the planned upstream-drift-tracker Action (follow-up PR) will read.README.md: adds an "ecosystem port, not official ECC release" disclaimer right under the existing attribution line, with a link todocs/UPSTREAM.md.CONTRIBUTING.md: adds a new "Upstream contributions (ECC backports)" section between "Submitting a PR" and "Tool Name Conversion". Explains when a change belongs upstream too, how to dual-PR, and how to record a sync.
Maintainer asks → file mapping
| Maintainer ask | Addressed by |
|---|---|
| "Sync policy with upstream ECC" | docs/UPSTREAM.md → Sync policy section |
| "Ecosystem port, not an official compatibility claim" | README.md disclaimer + docs/UPSTREAM.md opening paragraph |
| "Document what is changed versus copied" | docs/UPSTREAM.md → What was copied vs. changed vs. removed vs. added table |
Sync cadence chosen: best-effort, no committed schedule
Rationale: a solo maintainer cannot reliably commit to a calendar cadence, and a missed promise is itself the kind of drift the policy is meant to prevent. Instead, drift is made mechanically visible by recording the baseline SHA in two places (prose + JSON) and (in a follow-up PR) running a weekly cron Action that opens a tracking issue if the baseline lags upstream HEAD.
Out of scope (deferred)
- Upstream-drift-tracker GitHub Action — follow-up PR on its own branch (
feat/upstream-drift-tracker). Will readdocs/.upstream-sync.json, compare againstaffaan-m/everything-claude-codeHEAD on a weekly cron, and maintain a single rollingupstream-synctracking issue. - CI validator asserting that the SHAs in
UPSTREAM.mdprose anddocs/.upstream-sync.jsonagree. Will land with the action PR (Phase 3 of that plan). - ko-KR / zh-CN mirrors of the new doc and the README disclaimer — separate follow-up PR. Will also fix the verified gap that
docs/zh-CN/README.mdis missing the attribution line that the English and Korean READMEs have.
Test plan
-
npm run lint— clean -
npm test— 222/222 (no test changes; doc-only) - Manual link check: README →
docs/UPSTREAM.md,docs/UPSTREAM.md→docs/.upstream-sync.json+ ECC repo + baseline commit + initial EGC commit, CONTRIBUTING →docs/UPSTREAM.md - Re-read all four paragraphs of @affaan-m's reply and verify each is addressed by a specific section
Summary by cubic
Documents the upstream sync policy and clarifies EGC as an ecosystem port, now organized under a dedicated upstream/ folder with a machine-readable baseline, status badges, conflict-resolution guidance, and ko‑KR/zh‑CN translations. Updates README.md, localized READMEs, and CONTRIBUTING.md to link to upstream/README.md, add the disclaimer (and missing Chinese attribution), and explain backports, dual‑PRs, and how to record syncs.
Written for commit a176681. Summary will update on new commits.
Summary by CodeRabbit
- Documentation
- Clarified that EGC is an ecosystem port rather than an official release, with no guaranteed API/behavioral compatibility
- Added upstream synchronization policy documentation and procedures
- Added contributor guidance for managing upstream contributions and backports
chore: release v1.3.7 (#55) by @Jamkris
Bump version to 1.3.7
Summary by cubic
Bumped everything-gemini-code version to 1.3.7 in .gemini-plugin/plugin.json, gemini-extension.json, and package.json to prepare the v1.3.7 release. No code changes.
Written for commit 7fa868c. Summary will update on new commits. Review in cubic
v1.3.7
What's Changed in v1.3.7
feat: add /egc-grok — full-repo audit using 1M context (#54) by @Jamkris
Summary
- Introduce
/egc-grok, a new slash command that audits the entire repo in one pass — language inventory, JS/TS import graph, circular dependencies (Tarjan SCC), and dead-file candidates. - Pattern matches the existing
/egc-harness-auditdesign: a deterministic Node script is the source of truth for paths and counts; the LLM only adds a synthesis layer on top, so it cannot hallucinate file lists. - Designed to lean on Gemini's 1M context window — a
vanilla CLI -> file-by-fileworkflow can't produce a repo-wide narrative in one shot, so this is the kind of "must-install" demo that answers "what does this give me on top of plain Gemini CLI?"
What's in the PR
| File | Role |
|---|---|
scripts/lib/grok-engine.js |
Pure functions: walk, import extraction (require/import/export from/dynamic), graph build, Tarjan SCC, dead-file detection, text/json formatting. |
scripts/grok.js |
CLI wrapper. --format text|json, --scope <dir>. |
commands/egc-grok.toml |
Slash command with a strict synthesis contract pinning the LLM to script output. |
workflows/grok.md |
Mirror workflow doc. |
tests/lib/grok-engine.test.js |
20 unit tests (import parsing, cycles incl. self-loop and DAG, dead-file heuristics, report shape, text/json output). |
tests/run-all.js |
Register the new test file. |
Why this is differentiated
- Repo-scale, not file-scale. Vanilla
geminiopens files one by one;/egc-grokreads the whole repo and emits a single report. - Deterministic core. The engine is a normal Node script — no LLM in the audit path. The LLM only adds the narrative + Top 3 actions on top of fixed JSON.
- No new dependencies. All graph + cycle work uses Node stdlib.
Test plan
-
npm run lint— clean -
npm test— 207/207 pass (20 new inlib/grok-engine.test.js) - Self-run
node scripts/grok.json this repo: 670 files inventoried, 54 JS/TS nodes / 39 edges, 0 cycles, 0 dead-file candidates after entry-pattern tuning -
node scripts/grok.js --format jsonproduces valid JSON parseable byJSON.parse -
node scripts/grok.js --helpprints usage - Try it inside Gemini CLI as
/egc-grokend-to-end (manual smoke from a fresh shell)
Out of scope (deferred to v2)
--changedbaseline mode for cost-efficient incremental audits- Python / Go / Rust import graph (v1 is JS/TS only — matches this repo's own surface)
- Security smell scanning (overlaps with the existing
/egc-code-review)
Summary by cubic
Add /egc-grok, a deterministic full-repo audit that inventories files, builds a JS/TS import graph, detects cycles, and flags dead-file candidates. The CLI is hardened and the report now surfaces read errors; Gemini’s 1M context adds a short synthesis on top.
-
New Features
- CLI:
node scripts/grok.js [scope] --format text|json. - Engine: walk, import parse, Tarjan SCC cycles, dead-file heuristics; text/json output.
- Slash command + docs:
commands/egc-grok.toml,workflows/grok.md. - Tests: engine + CLI tests, registered in
tests/run-all.js. No new dependencies.
- CLI:
-
Bug Fixes
- Normalize
package.jsonmain/binpaths to avoid false dead-file flags. - CLI: strict arg parsing, value checks,
--format=/--scope=support,ensureDirectoryvalidation. - Report: collect and display read errors in text and JSON outputs.
- Rename to
stripCommentsand document the string-literal limitation.
- Normalize
Written for commit f823410. Summary will update on new commits. Review in cubic
Summary by CodeRabbit
-
New Features
- Introduced
/egc-grokcommand for comprehensive repository auditing, analyzing dependencies, detecting circular dependencies, and identifying dead files with JSON or text output formats.
- Introduced
-
Documentation
- Added workflow documentation detailing the deterministic audit process and output specifications.
-
Tests
- Added test suite for the analysis engine covering import extraction, dependency detection, cycle identification, and dead-file discovery.
docs: update SECURITY.md contact + supported versions (#53) by @Jamkris
Summary by cubic
Update SECURITY.md to make 1.3.x the only supported release line and clarify that only the latest minor gets security fixes. Set GitHub private security advisories as the preferred reporting channel, with contact@jamkris.com as the fallback email.
Written for commit 9686517. Summary will update on new commits. Review in cubic
chore: add issue/PR templates, label manifest, and label sync script (#52) by @Jamkris
- .github/ISSUE_TEMPLATE/: bug, feature, agent/skill forms with auto-applied emoji labels (🐞 Bug / ✨ Feature / 🤖 Agent + 🔍 Triage)
- .github/PULL_REQUEST_TEMPLATE.md: summary, type, test plan checklist
- .github/labels.yml: 21-label manifest (type / area / severity / triage)
- scripts/setup-labels.sh: idempotent gh-based sync from labels.yml
Summary by cubic
Add GitHub issue and PR templates, a label manifest, and a hardened label sync script to standardize triage and contributions. This makes issues clearer and keeps labels consistent.
-
New Features
- Issue templates for bug, feature, and agent/skill requests with auto labels (🐞 Bug, ✨ Feature, 🤖 Agent + 🔍 Triage), plus template config to disable blank issues and link to Discussions/docs
- PR template with summary, type checklist, and test plan checks
- Label manifest in
.github/labels.ymldefining 21 labels by type, area, severity, and triage - Idempotent label sync script at
scripts/setup-labels.sh; usesgh/python3, sets-euo pipefail, and checks forpython3to avoid masked parser errors
-
Migration
- Run
scripts/setup-labels.shafter merge to create/update labels - Requires
ghauthenticated to the repo andpython3installed
- Run
Written for commit 55ffc9e. Summary will update on new commits. Review in cubic
Summary by CodeRabbit
- Chores
- Added structured issue templates for bug reports, feature requests, and agent/skill requests to guide contributor submissions
- Introduced standardized pull request template with required fields
- Configured repository labels system for consistent issue and PR categorization
- Added automation script for label synchronization
chore: release v1.3.6 (#50) by @Jamkris
Bump version to 1.3.6
Summary by cubic
Prepare v1.3.6 release. Updated version fields in package.json, .gemini-plugin/plugin.json, and gemini-extension.json; no functional changes.
Written for commit 65a4df5. Summary will update on new commits.
v1.3.6
What's Changed in v1.3.6
chore: add Greptile and GitGuardian configs (#49) by @Jamkris
Summary
Adds in-repo configuration for two of the three review/security bots in active use on the upstream everything-claude-code. All three are free for our case (MIT-licensed public repo).
| Tool | Free for us? | In-repo config? |
|---|---|---|
| Greptile | ✅ via the OSS Perks program (MIT/Apache/GPL) | greptile.json (this PR) |
| GitGuardian | ✅ public-repo free tier | .gitguardian.yaml (this PR) |
| Cubic | ✅ unlimited for public repos | None — GitHub App only |
greptile.json
Mirrors the intent of .coderabbit.yaml:
strictness: 2+commentTypes: [logic, syntax]— bugs and security over styleignoreKeywords— release PRs and dependabot PRs are skippeddisabledLabels: ["release", "skip-review"]— manual escape hatchinstructions— project base prompt that frames the repo as a Gemini CLI extension and lists the common false-positive patterns to ignore (emoji in markdown, long TOML prompt fields,~/.gemini/paths in skills)customContext.rules— per-path guidance foragents/,commands/,skills/,hooks/,scripts/,rules/,docs/(mirrorspath_instructionsfrom CodeRabbit, including the agent tool allowlist)customContext.files— pins.gemini/styleguide.mdandscripts/lib/gemini-tools.jsas the authoritative references the bot should consult
.gitguardian.yaml
Defaults are fine for most of the tree; this just suppresses noise:
secret.ignored_paths— lockfiles,node_modules, binary doc assets, plustests/lint/fixtures/**andtests/ci/**(the latter embeds intentional hostile-workflow fixtures with${{ github.event.pull_request.head.sha }}strings that some entropy detectors misfire on)ignored_detectors: ['Generic High Entropy Secret']— kills the most common false positive, documentation/curl examples
Cubic
No in-repo file. Custom rules are configured in their dashboard, optionally synced from .cursor/rules/ if the team uses those (we don't). Just need to install the app on the repo.
Action items for the maintainer
Out of scope of a code change — these need account/dashboard work:
- Install the Cubic GitHub App: https://github.com/apps/cubic-dev-ai
- Apply for the Greptile OSS plan via OSS Perks (https://www.ossperks.com/programs/greptile) — required for free tier; otherwise the trial expires and
greptile.jsonbecomes dead config - GitGuardian should already pick up
.gitguardian.yamlautomatically once the org is on the free OSS tier — if not yet installed, install via dashboard
Test plan
-
node -e "JSON.parse(...)"parsesgreptile.json -
js-yamlparses.gitguardian.yaml(v2 schema) -
npm run lint— clean -
npm test— 187/187 pass (no behavior change) - After merge, watch the next non-release PR to verify Greptile picks up the config (instructions visible in walkthrough, dependabot/release titles correctly skipped)
Summary by CodeRabbit
- Chores
- Configured automated secret scanning to detect and prevent sensitive credentials and information from entering the repository, with customized detection patterns and exclusions for various file types, dependencies, and directories.
- Added comprehensive code quality and governance configuration with specific rules, guidelines, and standards to enforce best practices and consistency throughout the project.
Summary by cubic
Add in-repo configs for Greptile (code review) and GitGuardian (secret scanning) on OSS free tiers. Tightens review focus on bugs/security and reduces noise without hiding real issues.
-
New Features
greptile.json:strictness: 2withcommentTypes: [logic, syntax]; precise skip rules viaignoreKeywords(e.g.,chore: release, dependabot) anddisabledLabels: ["release", "skip-review"]; section fields use objects; ignores lockfiles/assets. Adds project instructions, per-path rules, and pins.gemini/styleguide.mdandscripts/lib/gemini-tools.jsas references. Rule fixes: hooks-only “no console.log”; shell scripts requireset -e(aligned with the styleguide)..gitguardian.yaml: keeps detectors enabled; uses path-scoped ignores for known false positives (rules/**/security.md,**/SKILL.md) and suppresses noise from lockfiles,node_modules, binary docs, and test fixtures. Fails on real findings.
-
Migration
- Apply for the Greptile OSS plan so the config is active.
- Ensure the GitGuardian app is installed; it will auto-load
.gitguardian.yaml.
Written for commit e97b09c. Summary will update on new commits.
chore: release v1.3.5 (#48) by @Jamkris
Bump version to 1.3.5
v1.3.5
What's Changed in v1.3.5
feat: port block-no-verify hook + workflow-security CI validator (#47) by @Jamkris
Summary
Adopts two security additions from everything-claude-code (upstream as of 4e66b28) that are protocol-portable to Gemini CLI without rewriting:
-
scripts/hooks/block-no-verify.js— registered as a BeforeTool hook onrun_shell_command. Blocks--no-verify(and-nshorthand oncommit) plus-c core.hooksPath=overrides forgit commit / push / merge / cherry-pick / rebase / am. Detects subcommand even in chained shells (git log -n 5 && git commit ...) without false-positiving on-nthat belongs togit log. Returns exit 2 with stderr explanation when blocking; exit 0 otherwise. -
scripts/ci/validate-workflow-security.js— rejects unsafegithub.event.{workflow_run,pull_request}.head.*refs insideactions/checkoutsteps when triggered from privileged events (workflow_run/pull_request_target). Wired intoreusable-validate.ymlas a 5th validation step.
The tool_input.command JSON shape that block-no-verify reads is the same shape Gemini CLI's BeforeTool already produces, so no protocol translation was needed for the hook code itself.
Hook registration (per session direction: same blast radius as the Claude side)
{
"matcher": "tool == \"run_shell_command\"",
"hooks": [
{ "type": "command", "command": "node \"$HOME/.gemini/extensions/everything-gemini-code/scripts/hooks/block-no-verify.js\"" }
]
}Always-on: matches every shell command, with the hook returning exit 0 fast for non-git commands.
Skipped from upstream (with reasons)
gateguard-fact-force.js+skills/gateguard— hardcoded Claude tool names (Edit/Write/MultiEdit/Bash), ClaudepermissionDecisionJSON output protocol,CLAUDE_*env vars. Porting would be a near-rewrite to fit Gemini's stderr+exit hook contract.bash-hook-dispatcher.js+pre/post-bash-dispatcher.js— dispatcher pattern works around Claude's single-hook-per-event limit; Geminihooks.jsonalready supports multiple entries per event natively.
Test plan
-
node scripts/hooks/block-no-verify.js— direct stdin invocation works (12 cases pass) -
node scripts/ci/validate-workflow-security.js— passes against this repo's 5 workflow files (and against the 4 fixture cases in the test) -
node scripts/ci/validate-hooks.js— 16 hook matchers (was 15) -
npm run lint— clean -
npm test— 181/181 pass (was 165: +12 hook tests, +4 CI validator tests) - Reviewer spot-check: manually verify a
git commit --no-verifyattempt is blocked once the extension is reinstalled
feat: port a11y-architect agent + accessibility skill from upstream (#46) by @Jamkris
Summary
Ports two clean additions from everything-claude-code (upstream as of 4e66b28) that fit the Gemini CLI extension scope without rewriting:
agents/a11y-architect.md— WCAG 2.2 accessibility architect (Web/iOS/Android). Frontmatter migrated to the Gemini CLI shape per the strict validator added in #45.skills/accessibility/SKILL.md— WCAG 2.2 implementation patterns. Copied as-is (no Claude-specific content).
Larger upstream items (gateguard hook + skill, bash dispatcher, Python LLM provider layer, Rust core, plugin manifests) are intentionally not included — they are deeply Claude-Code-protocol-coupled or out of scope for a Gemini CLI extension. PR 2 in this sync wave will cover block-no-verify.js and validate-workflow-security.js.
Frontmatter migration (a11y-architect)
| Before (upstream) | After (this PR) |
|---|---|
model: sonnet + model: opus (duplicate, schema-forbidden) |
removed (Gemini CLI agent schema does not accept model) |
tools: [Read, Write, Edit, Bash, Grep, Glob] |
tools: [read_file, write_file, replace, run_shell_command, search_file_content, glob] |
| Body content | unchanged — no Claude-specific references |
The migration is the exact mapping enforced by scripts/lib/gemini-tools.js (Phase 2 SoT).
Test plan
-
node scripts/ci/validate-agents.js— 48 agents validated (was 47) -
node scripts/ci/validate-skills.js— 183 skill directories validated (was 182) -
npm run lint— clean -
npm test— 165/165 pass - Reviewer spot-check that the agent's tool list still makes sense for an accessibility audit workflow
Summary by CodeRabbit
- Documentation
- Added new accessibility agent guidance for designing WCAG 2.2 Level AA compliant interfaces
- Included comprehensive skill documentation covering semantic mapping, focus management, and cross-platform labeling standards for Web, iOS, and Android
- Provided best practices, anti-patterns, and implementation examples for accessible components
feat: strict agent/command validators to prevent Issue #34-class regr… (#45) by @Jamkris
Strengthens the existing CI validators to catch frontmatter and filename issues before the Gemini CLI agent loader rejects them.
scripts/lib/gemini-tools.js (new)
- Single source of truth for the 11 valid Gemini CLI tool names
- Claude-style → Gemini name mapping table for actionable error hints
- Levenshtein-based "Did you mean?" suggestions for typos
- Frontmatter validator: required keys, forbidden keys (color/model), malformed/empty tools array, MCP entries
scripts/ci/validate-agents.js
- Now uses the lib instead of only checking that "tools" exists
- Catches Read/Edit/Bash, search_files/replace_in_file, mcp__* tools, and color/model keys (all of which break the loader)
scripts/ci/validate-commands.js
- Enforces egc- filename prefix (PR #38 regression guard)
- Requires a non-empty description field
- Logic exported as a module for integration tests
tests/lib/gemini-tools.test.js (new, 24 cases)
- parseToolsField, suggestTool, validateToolList, validateAgentFrontmatter, allowlist sanity
tests/lint/validators.test.js (new, 13 cases)
- Fixture-based: good + Claude-style + MCP + forbidden keys + legacy names + missing frontmatter; mirrored for commands
- Plus a sweep that runs the live validators across every real agents/.md and commands/.toml in the repo
.gemini/styleguide.md
- Notes that scripts/lib/gemini-tools.js is the authoritative allowlist and the styleguide is its human-facing mirror
Lint green / 161 tests pass (was 124).
Summary by CodeRabbit
-
New Features
- Enhanced validation for agent and command configurations with detection of invalid tool names, forbidden keys, missing descriptions, and naming convention violations.
- Added intelligent tool name suggestions for common misspellings.
-
Documentation
- Updated style guide to clarify validation requirements and enforcement mechanisms.
-
Tests
- Added comprehensive test suites and fixtures for validation verification.
chore: release v1.3.4 (#44) by @Jamkris
Bump version to 1.3.4