Releases: glebmish/builder-toolkit

v0.1.2

15 Jun 19:24

share-artifact

Security fix — command injection in the upload path. The slug and local path
were inlined into shell source, so a quote or $(...)/; in the free-text image
description could break out of quoting and run before the runtime sanitizer ever
executed. Free-text inputs (description and path) are now captured via
single-quoted heredocs — the real safety boundary — and only then sanitized into
the slug.

Hardened in the same pass:

  • empty / all-punctuation descriptions fall back to a stable slug instead of a bare trailing dash;
  • a failed counter query now aborts instead of silently resetting to 001 (which could overwrite an existing asset);
  • only a real https:// URL is ever surfaced — a failed upload no longer pastes the literal null;
  • corrected the credential-disclosure guidance (cld config masks only the secret; the key and cloud name are still sensitive).
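
The injection and its fix as described above, reduced to a runnable sketch. This is an added example, not the plugin's own code: the function names, the DESC_EOF delimiter, the "artifact" fallback slug and the sample description are all assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample: free-text description carrying a harmless substitution.
SAMPLE_DESC='Q3 revenue chart $(echo INJECTED)'

# Before: the text is pasted between double quotes in generated shell source,
# so the shell expands $(...) while parsing the assignment.
render_inlined() {
  printf 'desc="%s"\nprintf "%%s" "$desc"\n' "$1"
}

# After: the text is the body of a single-quoted heredoc, where the shell
# performs no expansion. The delimiter (DESC_EOF, assumed name) must never
# appear alone on a line of the text, or the heredoc would end early.
render_heredoc() {
  if printf '%s\n' "$1" | grep -qxF 'DESC_EOF'; then
    return 1
  fi
  printf "desc=\$(cat <<'DESC_EOF'\n%s\nDESC_EOF\n)\nprintf '%%s' \"\$desc\"\n" "$1"
}

# Run generated source in a child shell and return what $desc ended up holding.
run_source() {
  sh -c "$1"
}

# Sanitize only after safe capture: lowercase, collapse every other run of
# characters to one dash, trim edge dashes, fall back to a fixed slug
# ("artifact" is an assumed value) when nothing is left.
slugify() {
  slug=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' |
    tr -cs 'a-z0-9' '-' | sed 's/^-*//; s/-*$//')
  printf '%s' "${slug:-artifact}"
}

printf 'inlined : %s\n' "$(run_source "$(render_inlined "$SAMPLE_DESC")")"
captured=$(run_source "$(render_heredoc "$SAMPLE_DESC")")
printf 'heredoc : %s\n' "$captured"
printf 'slug    : %s\n' "$(slugify "$captured")"
```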

Docs. The README privacy model now states the signed URL doesn't expire and
stays live wherever the transcript lands (logs, backups, sync) — prune sensitive
shares at end of conversation.

git-history-rewrite is unchanged; its version moves to 0.1.2 only to keep the
marketplace lockstep.

Full Changelog: v0.1.1...v0.1.2

v0.1.1

07 Jun 12:07

Adds a second plugin to the marketplace: share-artifact. git-history-rewrite is unchanged — the version bump is the marketplace's lockstep release line.

New: share-artifact

Share a finished image or GIF with the user as a viewable, signed URL. Uploads the artifact to Cloudinary and hands back a link that works on mobile, a chat client, or any remote control where a local file path is useless. Scoped to images and GIFs — it does not produce or edit artifacts.

  • Uploads as type=authenticated: the raw delivery URL returns 401, and the secure_url carries a signature (s--XXXX--) that grants access. Treat the URL like a password for that one image — it doesn't expire by default.
  • Names every upload off the Claude session id (<date>-<sid_short>/<NNN>-<slug>) so artifacts from one conversation group together in the Media Library and clean up with a single tag command.
  • Verifies the image before upload, and gates on not sending anything sensitive off-box to a third party. The upload command sanitizes the slug and quotes the local path.

Install

As a Claude Code plugin:

claude plugin marketplace add glebmish/builder-toolkit
claude plugin install share-artifact@builder-toolkit

As a standalone skill:

npx skills add glebmish/builder-toolkit --skill share-artifact

Requires cld (pipx install cloudinary-cli) and a CLOUDINARY_URL exported for the target Cloudinary account.

See the plugin README for the privacy model, naming scheme, and tag-based cleanup.

v0.1.0

23 May 18:13

A collection of skills and plugins loosely related to building projects. First public release of my Claude Code plugin marketplace. v0.1.0 ships one plugin.

What's inside

git-history-rewrite

Safety net for destructive git operations. A PreToolUse hook blocks unsafe forms of git filter-repo, the git push --force family, and non-HEAD git reset --hard before they run. The hook is bypass-resistant against the shapes an LLM agent realistically emits: chained commands (&& / ; / || / | / & / newline), subshells, bash -c / sh -c / eval, command and process substitution ($(...), <(...)), heredocs, function bodies, git -C <dir> and other global options, absolute-path forms like /usr/bin/git, and leading env-var assignments.

Gates:

  • git filter-branch — blocked outright; use git filter-repo instead.
  • git filter-repo — requires --refs <ref> (no all-refs rewrites); tracked working tree must be clean; one transformation kind per pass; --analyze is exempted as a read-only planning aid.
  • git push --force family — must use --force-with-lease --force-if-includes (the lease catches stale-remote clobbers, the includes check catches stale-local clobbers where a recent fetch made the lease tautological).
  • git reset --hard — explicit unambiguous target required; relative refs (HEAD~N, HEAD^) rejected; non-HEAD targets get an orphan check and a tracked-working-tree-clean check.

The skill body covers the discipline items the hook can't enforce mechanically: sibling backup ref, off-repo bundle before filter-repo, post-rewrite verification, smallest-tool selection.

Install

As a Claude Code plugin (recommended — enables the hook):

claude plugin marketplace add glebmish/builder-toolkit
claude plugin install git-history-rewrite@builder-toolkit

As a standalone skill (skill body only, no hook):

npx skills add glebmish/builder-toolkit --skill git-history-rewrite

Requires jq on PATH for the plugin install path.

See the plugin README for the full mechanics, blocked-command table, and visuals.