You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
/security-audit-static findings now carry a mandatory Evidence line (file:line + verbatim snippet), and every citation is re-verified against the file before the final report ships.
Subagent fan-out has a concrete trigger (scope over ~30 files / ~5,000 lines) and a structured candidate-record contract, so parallel audit slices merge cleanly into one self-refute pass.
/performance-audit-static now hunts N+1 queries and request waterfalls — the most common perf failure in AI-generated code — alongside over-fetching, indexes, and caching, and gained a refute-before-reporting pass (dynamic field access, existing indexes, hot-path evidence).
Both audit commands pre-approve a read-only toolset (allowed-tools): read, search, fan out, and write under reports/ — never edit the code under audit.
The audited repo is treated as untrusted input across the kit: instructions embedded in code, comments, or docs are data to analyze — a steering attempt is itself a finding — never directives to follow.
/ship-check runs the security and performance audits as parallel subagents once the docs exist.
Security reports gained severity anchors (what Critical/High/Medium/Low mean) and a consolidation rule (more than ~12 findings → lead with the worst, group the tail by root cause).
Docs and reports now use repo-relative paths (documentation/, reports/) — the old absolute forms (/documentation) could resolve to the filesystem root — and reports are always written, with the path announced, instead of "optionally".
Repo
Added this CHANGELOG.md as the release source of truth with auto-tag-and-release on merge (adapted from claude-usage): pushing a new ## vX.Y.Z heading to main tags that version and publishes a GitHub Release with the section as notes — gated on the test suite and a version-sync check.
Added a test suite (tests/) and a Tests workflow (every PR and push to main): plugin-spec validation plus docs consistency — README skill/command counts vs. disk, marketplace plugin list vs. directories, version sync across all manifests, CHANGELOG format.
CONTRIBUTING now documents the changelog convention (every user-facing change gets a bullet; contributors credited inline) and the release procedure.