refactor: cleanup submodules and add depth support#99
Merged
Conversation
Remove submodules that are no longer needed: - sources/* (vue, nuxt, vite, unocss, pnpm, pinia, vitest, vitepress) - vendor/antfu-skills, vendor/nuxt-ui, vendor/mastra, vendor/prisma, vendor/slidev, vendor/supabase, vendor/vuejs-ai, vendor/vueuse
Remove skills that were synced from removed vendor submodules. Update plugin.json files that referenced removed skills.
Add depth option to SubmoduleMeta, VendorMeta, and ExtensionMeta interfaces. Pass --depth flag to git submodule add/update commands. Set shallow=true in .gitmodules for depth-enabled submodules.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
4 issues found across 1151 files
Confidence score: 3/5
- There is concrete user-impact risk in documentation:
plugins/agent-browser/.agents/skills/dogfood/SKILL.mdshows unquoted shell interpolation, which can break arguments and may enable shell-injection-style mistakes when users copy commands. plugins/agent-browser/.agents/skills/agent-browser/references/authentication.mdhas an incorrect.gitignorepattern, soauth-state.jsonmay be committed and expose session-token state; this is a meaningful security hygiene concern.- The remaining issues in
plugins/agent-browser/.agents/skills/agent-browser/references/proxy-support.mdandplugins/agent-browser/.agents/skills/agent-browser/references/commands.mdare lower severity doc correctness problems, so this is not necessarily merge-blocking but does add avoidable confusion/risk. - Pay close attention to
plugins/agent-browser/.agents/skills/dogfood/SKILL.mdandplugins/agent-browser/.agents/skills/agent-browser/references/authentication.md- they carry the highest-impact command-safety and credential-leak guidance issues.
Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="plugins/agent-browser/.agents/skills/dogfood/SKILL.md">
<violation number="1" location="plugins/agent-browser/.agents/skills/dogfood/SKILL.md:53">
P1: Unquoted placeholder interpolation in shell commands allows argument breaking and potential shell injection; quote dynamic values in command examples.
(Based on your team's feedback about vendor-synced, read-only skill files.) [FEEDBACK_USED]</violation>
</file>
<file name="plugins/agent-browser/.agents/skills/agent-browser/references/authentication.md">
<violation number="1" location="plugins/agent-browser/.agents/skills/agent-browser/references/authentication.md:181">
P1: The `.gitignore` pattern is incorrect and does not ignore `auth-state.json`, which can lead to committing session-token state files.</violation>
</file>
<file name="plugins/agent-browser/.agents/skills/agent-browser/references/proxy-support.md">
<violation number="1" location="plugins/agent-browser/.agents/skills/agent-browser/references/proxy-support.md:94">
P2: The region parsing regex does not match proxied URLs with a scheme, so `region` becomes empty in the geo-testing loop.</violation>
</file>
<file name="plugins/agent-browser/.agents/skills/agent-browser/references/commands.md">
<violation number="1" location="plugins/agent-browser/.agents/skills/agent-browser/references/commands.md:9">
P2: The documented data URL scheme is incorrect (`data://`); it should be `data:`.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Contributor
|
Warning Gemini encountered an error creating the summary. You can try again by commenting |
Replace Type 1 (sources/) and Type 2 (vendor/) submodule-based skill sync with skills.sh-managed skills for all plugins. Migrated plugins: - Type 1 (sources/ → skills.sh): nuxt, pinia, vite, vitepress, vitest, unocss, pnpm, vue - Type 2 (vendor/ → skills.sh): antfu, slidev, vueuse, vuejs-ai, mastra, supabase, prisma, better-auth, agent-browser, ai-sdk, nuxt-ui Changes: - Move skills/ → .agents/skills/ for all migrated plugins - Install skills via `bunx skills add <repo> --skill <name> --agent universal -y` - Add skills-lock.json and "skills" field to each plugin.json - Remove 8 sources/ submodules and 11 vendor/ submodules from .gitmodules - Remove entries from scripts/meta.ts (submodules, vendors, manual) - Remove entries from scripts/cli.ts (SKILL_TO_PLUGIN, ANTFU_MANUAL_DIR) - Clean up skills.sh-created agent symlink dirs (.claude, .continue, etc.) - Remove old SYNC.md and LICENSE.md files Remaining vendor submodule: web-design-guidelines
There was a problem hiding this comment.
1 issue found across 723 files
Confidence score: 3/5
- The
plugins/ai-sdk/.agents/skills/ai-sdk/ai-sdksymlink points to a non-existent target, so consumers attempting to resolveai-sdkwill fail at runtime. - Severity is moderate (7/10) with high confidence, indicating a concrete resolution failure rather than a minor housekeeping issue.
- Pay close attention to
plugins/ai-sdk/.agents/skills/ai-sdk/ai-sdk- incorrect symlink target breaks skill resolution.
Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="plugins/ai-sdk/.agents/skills/ai-sdk/ai-sdk">
<violation number="1" location="plugins/ai-sdk/.agents/skills/ai-sdk/ai-sdk:1">
P1: This symlink target is incorrect for its location and resolves to a non-existent path, so consumers of this skill link will fail to resolve `ai-sdk`.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
The verbatimSymlinks: true option was accidentally dropped from the vendor skill copy path during the skills.sh migration cleanup.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
depthoption toSubmoduleMeta,VendorMeta, andExtensionMetainterfaces for shallow cloning--depthflag to git submodule commands and setshallow=truein.gitmodulesCommits
chore: remove vendor and source submodules— deinit and remove 16 submoduleschore: remove vendor-synced skills and update plugin manifests— clean up generated skill filesfeat(scripts): add shallow clone depth support for submodules— new depth option in meta.ts/cli.tsTest plan
bun scripts/cli.ts initworks with depth-enabled entriesbun scripts/cli.ts syncpasses depth to submodule updateSummary by cubic
Removed obsolete
sources/*andvendor/*submodules, migrated plugin skills toskills.shwith lock files, and added shallow clone depth to speed up setup. Also fixed vendor skill sync to preserve symlinks.Refactors
.gitmodules; remaining vendor submodule:web-design-guidelines.skills/→.agents/skills/across migrated plugins and added"skills": "./.agents/skills/"to eachplugin.json.SYNC.md/LICENSE.mdfiles; restoredverbatimSymlinksin vendor skill copy to keep symlinks intact.agent-browserskill docs (CDP install/upgrade, auth import, iframe/webview support,get cdp-url, retina viewport).New Features
depthtoSubmoduleMeta,VendorMeta, andExtensionMeta; CLI passes--depthtogit submodulecommands and marksshallow = truefor depth-enabled entries.skills.sh-managed installs with per-pluginskills-lock.jsonfor reproducible skills.Written for commit 000f8e1. Summary will update on new commits.