Skip to content

Releases: subinium/vibesubin

vibesubin 0.7.2

Choose a tag to compare

@github-actions github-actions released this 05 May 12:25

Self-audit hot-fix release. Closes self-policy violations and documentation correctness gaps surfaced by static review against the pack's own invariants, plus one new reference (branch-models.md) closing the GitHub-Flow-only gap.

Fixed

  • .github/workflows/release.yml — third-party actions are now pinned to commit SHA per setup-ci's own policy: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 (v4), actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 (v5), softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 (v2). Prior @v4 / @v5 / @v2 floating tags violated the pack's own "tag can be moved; SHA cannot" invariant — setup-ci warns user repos against this pattern, but vibesubin's own release CI was using it.
  • .github/workflows/release.ymlpip install pytest now pins to pytest==8.3.3, matching validate-skills.yml. Previously unpinned, so the same pytest suite could run with different pytest versions in the two workflows.
  • .github/workflows/release.yml — secret filename check regex expanded to mirror manage-secrets-env's secret-shaped entry list: id_ed25519*, *.p12, *.pfx, credentials*, secrets*, *.credentials.json now also blocked. Each alternation anchors at a path-component boundary so words inside directory names (e.g., manage-secrets-env/) do not false-positive; .md / .template / .example documentation extensions are excluded; matched files are printed for debugging. Prior regex only caught .env, .pem, id_rsa, .key, leaving SSH ed25519 keys, PFX bundles, and service-account JSON keys free to land in a release commit.
  • .github/workflows/validate-skills.yml — path triggers expanded to scripts/**, tests/**, .claude-plugin/**, .github/workflows/**, MAINTENANCE.md, README.md, docs/i18n/**. Previously only plugins/**, scripts/validate_skills.py, and the validate-skills workflow itself triggered, so manifest version-sync changes, test edits, release-workflow edits, and translated README updates could bypass validation.
  • plugins/vibesubin/skills/refactor-verify/scripts/callsite-count.sh — rename mode where after_count > before_count now exits 1 by default (previously printed a NOTE and exited 0). The refactor-verify invariant is "before-count must equal after-count"; a silent exit-0 on mismatch contradicted it. New --allow-extra flag opts in to intentional wrapper / adapter / alias additions.
  • plugins/vibesubin/skills/refactor-verify/scripts/symbol-diff.sh — every rg invocation now passes --no-filename --no-line-number, and outputs use lang:symbol prefix form. Internal moves (function relocated to a different file) no longer surface as a dropped + added false positive; public-API drops still surface because the symbol disappears from the language's symbol set.
  • plugins/vibesubin/skills/refactor-verify/scripts/smoke-test.sh — when pnpm-lock.yaml / yarn.lock / bun.lockb is present but the matching package manager is not installed, the script now exits 3 with a bootstrap hint. Previously fell back to npm, which would silently install a different dependency tree from the same lockfile and produce a misleading "tests passed" signal.
  • plugins/vibesubin/skills/manage-secrets-env/SKILL.md.env file precedence is now correctly split between Next.js (process.env → .env.$NODE_ENV.local → .env.local → .env.$NODE_ENV → .env, earlier wins) and Vite (loads .env, .env.local, .env.[mode], .env.[mode].local; later wins for files but already-set process env beats every file). Previously both were described with one shared chain, which is wrong for Next.js.
  • plugins/vibesubin/skills/project-conventions/SKILL.md — dependency pinning rule split per repo type (app/template: exact pin + committed lockfile / library: semver range + lockfile-for-tests + compatibility matrix / monorepo: per-package). Previously the repo-type table separated them but the body sentence collapsed everything to "every production dependency is pinned to an exact version", contradicting the table for libraries.
  • plugins/vibesubin/skills/refactor-verify/SKILL.md — frontmatter allowed-tools no longer includes Bash(git stash *). The skill body declares git stash non-negotiable forbidden as an isolation mechanism; the tool-permission grant contradicted that.

Added

  • plugins/vibesubin/skills/ship-cycle/references/branch-models.md (130 lines) — new reference comparing GitHub Flow / GitFlow / Trunk-based, documenting why ship-cycle picks GitHub Flow and how it defers when a GitFlow / Trunk-based repo is detected (Step 1.5 announcement, Step 9 branch-naming deferral, Step 10 release-pipeline blocking on GitFlow). ship-cycle/SKILL.md Step 2 Assumptions block's Branch convention: line links to it.

Changed

  • Plugin version 0.7.10.7.2 in .claude-plugin/marketplace.json and plugins/vibesubin/.claude-plugin/plugin.json. Patch bump: every change in this release is either a fix to a self-policy violation or a documentation correctness gap surfaced by static self-audit, with one new reference (branch-models.md) added to close the GitHub-Flow-only deferral gap.

Full changelog: CHANGELOG.md · diff: v0.7.1...v0.7.2

vibesubin 0.7.1

Choose a tag to compare

@github-actions github-actions released this 27 Apr 03:00

TL;DR

Two AI-native failure modes the pack now actively guards against per-worker — recommending removal of unfamiliar code without identifying the why, and recommending gate-gaming as a fix when verification fails. Bundled with three previously-unreleased items (auto-verify hook, release CI safety net, marketplace metadata).

Engineering principles internalized

The pack now internalizes two named engineering principles as concrete per-skill checks, following the Karpathy-4-principles precedent — the rule lives in each affected SKILL.md, principle attribution lives here and in the changelog (no external shoutout in skill text).

Chesterton's Fence — don't remove what you don't understand

Workers refuse to recommend removal or replacement of unfamiliar code, files, env vars, assets, or conventions without first identifying the why (origin commit, recent issues/PRs, indirect references, ADRs). Confidence tier verified requires both zero references AND known origin; unclear origin downgrades to candidate-for-removal (or candidate-with-context-needed for convention changes) with operator confirmation.

Internalized in: fight-repo-rot, manage-assets, manage-secrets-env, refactor-verify, audit-security, project-conventions.

Goodhart's Law — don't recommend gaming the gate

Workers refuse to recommend gate-gaming patterns (as any, // @ts-ignore, eslint-disable without justification, weakened test assertions, .skip / xit, empty try/catch, expanded tsconfig excludes, continue-on-error: true on quality gates, suppression comments without CVE/justification) as fixes when verification fails. The pipeline measures correctness; gate-bypass mechanisms are a regression dressed as a fix.

Internalized in: refactor-verify, audit-security, setup-ci, codex-fix (wrapper enforces the canonical list at the wrapper boundary, no duplication).

Framing

Both principles are operationalizations of existing PHILOSOPHY invariants, not new ideology:

  • Invariant #2 (well-meaning junior developer) → stop-and-ask moments before destructive action (Chesterton)
  • Invariant #1 (Done is proven, not claimed) → proof of origin for verified tier and proof of correctness for gate passes (Chesterton + Goodhart)

The change is enforcement, not philosophy.

Also in 0.7.1 (previously [Unreleased])

  • Opt-in auto-verify hook (plugins/vibesubin/hooks/auto-verify.sh) — runs refactor-verify's symbol-diff.sh after MultiEdit ≥5 edits or signature-line diffs. Defaults OFF (VIBESUBIN_AUTO_VERIFY=1 to enable). Stderr-advisory only; 3-second hard timeout.
  • Release CI safety net (.github/workflows/release.yml) — tag-push workflow runs validate_skills.py, pytest, manifest version sync check (HARD: tag = marketplace = plugin), and forbidden-file scan before the GitHub release goes live.
  • Marketplace metadatacategory, tags, repository fields in .claude-plugin/marketplace.json for discoverability.

Under the hood

  • 11 files changed (+16 −2). 8 SKILL.md edits (one bullet each, two on refactor-verify and audit-security), 2 manifest version bumps, 1 CHANGELOG.md entry.
  • No new skills — the 10 hygiene + 1 process cap is unchanged.
  • No interface change — skill names, arguments, and 4-part output shape all identical.
  • No README.md / README.{ko,ja,zh}.md edits — no skill added, renamed, or removed, so translations stayed quiet.
  • scripts/validate_skills.py passes with all 12 checks. All SKILL.md files under the 500-line cap (largest affected: refactor-verify at 415).

Full changelog

See CHANGELOG.md for the complete entry.

vibesubin 0.7.0

Choose a tag to compare

@subinium subinium released this 25 Apr 00:23

TL;DRmutates frontmatter contract on every skill, 5 new validator checks, MAINTENANCE.md becomes the canonical operational policy, language READMEs reorganized under docs/i18n/, CLAUDE.md gitignored.

New — safety contract

  • mutates: [<tokens>] frontmatter on all 11 SKILL.md + umbrella. Tokens drawn from {direct, external}. Empty list [] for the three pure-diagnosis workers and the umbrella. [direct] for the six editable sweep workers. [direct, external] for the two direct-call-only skills (ship-cycle, codex-fix). The umbrella reads this field at sweep launch and refuses to include any worker carrying external; the validator enforces the same contract statically.
  • 5 new validator checks. Frontmatter schema (name, description, mutates, allowed-tools). mutates token validity + category consistency (sweep specialists cannot include external; pure-diagnosis must be []; editable workers must include direct). Per-references/*.md 500-line cap (same cap as SKILL.md — content can no longer hide in references to dodge the cap). /<skill-name> backtick references must resolve to a real skill in the pack. description must be 1–1024 chars; name must match directory.
  • 11 new pytest cases covering each new validator behavior. Total suite: 21 tests, all green.

New — ship-cycle hardening

  • Mutation contract — every external mutation (gh issue create, gh api, gh release create, git tag -a, git push) follows preview → confirm (approve / proceed / yes) → mutate. Created resources carry <!-- ship-cycle:vX.Y.Z --> idempotency markers. Deterministic branch names (<type>/issue-<N>-<slug>) and milestone titles (vX.Y.Z) make re-runs noop.
  • Rollback table — every mutation maps to its inverse gh command (gh issue close, gh api ... state=closed, gh release delete, git push --delete, gh pr close). Published tags and releases are never rewritten — cut a follow-up patch instead.
  • dry-run mode — operator says dry-run at Step 7 (or Step 1.5 override) to skip every Mutate step.

New — per-skill output schema

  • audit-security — secret fingerprint output rule. Findings print file:line + length + first 4 chars (or 7 for known prefixes like sk-, ghp_, xoxb-) + provider guess. Raw secret values are never echoed back into chat logs, PR bodies, or screenshots.
  • fight-repo-rot — Path exclusions section. node_modules/, vendor/, target/, .venv/, dist/, build/, out/, .next/, __pycache__/, schema migrations, test fixtures, snapshot files, // @generated headers, and Storybook stories are excluded from dead-code analysis before confidence tagging.
  • project-conventions — Repo type section. app | library | monorepo | template | docs-only with detection signals. Each repo type maps to a different pinning strategy: app uses exact pin + lockfile; library uses semver range + compatibility matrix; monorepo uses per-package strategy with shared root lockfile.
  • manage-assets — fixed-taxonomy classification field on every finding (artifact | source | media | database | secret-shaped | generated). Replaces ad-hoc prose grouping; umbrella consumes the token directly.
  • refactor-verify — Review-driven fix mode (~103 lines) extracted to references/review-driven-fix.md. Stale-snapshot handling, the four-way triage, and the resolution-report template move to references; SKILL.md keeps a 13-line summary + pointer.
  • vibesubin — Sweep contract enforcement paragraph in Step 2 launch block. Umbrella now reads each worker's frontmatter mutates before adding to the parallel sweep.

Changed — MAINTENANCE.md becomes the policy home

The (now gitignored) CLAUDE.md is no longer the operational source of truth. MAINTENANCE.md absorbs:

  • 🛑 Never do — 9 items (added: never put external in a sweep specialist's mutates).
  • ✅ Always do — 8 items (added: run pytest tests/; declare mutates).
  • 🚀 Release process — 10 steps from finalize CHANGELOG to gh release view.
  • 📋 Change type → file matrix — adapted for docs/i18n/ paths and the validator+pytest verification command.
  • 🔒 Load-bearing invariants — 10-row table with an "Enforced by" column citing validator check numbers.
  • 🎭 Recently decided — 12 entries preserving the v0.3.0–v0.7.0 decision log.

Changed — repo housekeeping

  • Language READMEs moved to docs/i18n/. git mv of README.{ko,ja,zh}.mddocs/i18n/README.{ko,ja,zh}.md. Inter-language links and the root README.md switcher updated. Root file count: 10 → 7.
  • CLAUDE.md gitignored + git rm --cached. Project-wide rules redistributed across MAINTENANCE.md (operational), docs/PHILOSOPHY.md (invariants), docs/ADDING-A-SKILL.md (skill-authoring mechanics), CONTRIBUTING.md (contribution model). Local maintainer copies — and AI tools auto-loading CLAUDE.md from the working directory — continue to work; the file just isn't shipped to forks. AGENTS.md also gitignored for symmetry. Cross-references in docs/ADDING-A-SKILL.md, ship-cycle/references/issue-body-template.md, ship-cycle/references/release-pipeline.md, and validate_skills.py comments updated to point at MAINTENANCE.md.

Verification

  • python3 scripts/validate_skills.py → OK across 12 skills, every promise resolves, frontmatter mutates contract enforced, every SKILL.md and references file ≤500 lines, manifests synced.
  • pytest tests/ → 21 passed.

Full diff: 28 files changed, +874 / −268.

See CHANGELOG.md for the complete entry.

vibesubin 0.6.0

Choose a tag to compare

@subinium subinium released this 24 Apr 03:21

vibesubin 0.6.0

Two opt-in output styles, a canonical conflict surface, a two-track ship-cycle, and a 5-category README — plus the usual tightening.

Layperson mode (opt-in)

Triggers: /vibesubin explain, /vibesubin easy, "쉽게 설명해줘", "일반인도 이해되게", "explain like I'm non-technical", "initiate easy mode", "非開発者でも分かるように", "用通俗的话解释".

Every finding now gets three plain-language questions answered — 왜 이것을 해야 하나요? / 왜 중요한 작업인가요? / 그래서 무엇을 하나요? — in a pretty box format, with severity translated to urgency (CRITICAL → "지금 당장", HIGH → "이번 주 안에", MEDIUM → "다음 릴리즈 전까지", LOW → "시간 날 때"). Stacks freely with tone=harsh. Same findings, same evidence, same file:line references — presentation-only. Full rules in plugins/vibesubin/skills/vibesubin/references/layperson-translation.md.

Skill conflicts surface — gap / reason / basis

When two specialists give contradictory advice on the same file, the umbrella now emits a ⚠ Skill conflict block with both sides' recommendation + reason + evidence basis — and the operator picks. Four canonical pairs seeded in plugins/vibesubin/skills/vibesubin/references/skill-conflicts.md:

  • refactor-verifyaudit-security on sequencing (ACTIVE vs. LATENT vulnerability)
  • unify-designrefactor-verify on component consolidation (hand-off, not conflict)
  • fight-repo-rotproject-conventions on dead dependencies (remove-then-verify-lockfile)
  • manage-secrets-envaudit-security on tracked .env (required sequence: rotate first, then structural fix)

Contradiction is information, not a bug — the catalog decides between hand-off (sequence) vs. true conflict (fork) and surfaces evidence either way.

ship-cycle — enforced conventions + two tracks

PR / branch / commit conventions are now enforced via a new reference file (plugins/vibesubin/skills/ship-cycle/references/pr-branch-conventions.md):

  • GitHub Flow branches: <type>/<issue-N>-<slug> (e.g., fix/issue-42-auth-session-refresh)
  • Conventional Commits + mandatory Closes #<N> footer
  • Six-section PR template: Context / What changed / Test plan / Docs plan / Risk / Handoff notes
  • Rebase-first merge with --force-with-lease (plain --force banned)
  • No force-push to main / master / release/*
  • CI green gate: all checks (including optional) must be SUCCESS or NEUTRAL; SKIPPED requires confirmation; flaky checks get one re-run
  • Merge strategy detection: repo settings first, CONTRIBUTING.md second, --squash default

Two tracks. The default GitHub track is unchanged. The new PRD track handles every other host (GitLab, Gitea, Forgejo, Bitbucket, plain git, gh unauthenticated) — local markdown files under docs/release-cycle/vX.Y.Z/ carry the same methodology, same conventions, same audit trail. ship-cycle no longer hard-exits on non-GitHub hosts.

See plugins/vibesubin/skills/ship-cycle/references/prd-track.md.

READMEs — 5 categories across 4 languages

Single lineup table split into 5 category-grouped tables:

  • Code quality (5): refactor-verify, audit-security, fight-repo-rot, manage-assets, unify-design
  • Docs & AI-friendliness (2): write-for-ai, project-conventions
  • Infra & config (2): setup-ci, manage-secrets-env
  • Release process (1): ship-cycle
  • Host-specific wrappers (1): codex-fix

Per-skill writeups tightened under the same 5 headings; anchors plain (#refactor-verify, no #1-refactor-verify numbering). Structure mirrors in README.ko.md, README.ja.md, README.zh.md with each file's voice preserved. Total across 4 languages: 1248 → 1190 lines.

Under the hood

  • Every 11 worker SKILL.md file gained a ## Layperson mode — plain-language translation section, parallel to the existing ## Harsh mode — no hedging.
  • Umbrella synthesis Step 3 gained two rules — skill-conflict check + layperson-layer application.
  • ship-cycle gained ### Step 1.5 — Track selection between Step 1 and Step 2.
  • Assumptions block gained Track: and Merge strategy: fields.
  • .gitignore explicitly lists .mypy_cache/ and .pytest_cache/. Caches must never be tracked.

Full detail: CHANGELOG.md.

vibesubin 0.5.0

Choose a tag to compare

@subinium subinium released this 22 Apr 00:42

TL;DR

v0.5.0 turns three social-contract invariants into machine checks, closes seven coverage gaps in ship-cycle surfaced by the user's typical release-cycle prompt, adds docs/ADDING-A-SKILL.md so a fresh contributor can author a skill without reverse-engineering, and fixes four real bugs surfaced during review.

Validator teeth

scripts/validate_skills.py now enforces four invariants that were social contract only:

  • Harsh mode section present in every worker — mirrors CLAUDE.md never-do #4
  • Sweep marker present in the six editable workers — mirrors never-do #7
  • Manifest version sync between marketplace.json and plugin.json — mirrors never-do #8
  • Path-traversal guard on backtick-quoted promised paths — defensive

New tests/test_validate_skills.py (11 tests, pytest + tmp_path) ensures the checks cannot regress silently. Wired into the existing validate-skills CI workflow.

ship-cycle workflow coverage

Seven additions close the gaps the typical release-cycle prompt exposed:

  • Step 0.5 — Offer upstream review (invoke /vibesubin sweep, invoke a targeted worker, or proceed with operator-pasted findings) before assuming findings exist.
  • Step 5.5 — Write PRD.md (themes + north-star goals + success metrics + deferred items) before clustering. New references/prd-template.md.
  • Step 9a — Parallel dispatch (10+ simultaneous workers) for independent issues with explicit opus/max defaults.
  • Step 9b — CI-green gate before gh pr merge.
  • Step 5 acceptance criteria — mandatory test plan / docs plan / handoff notes fields per issue. Missing any field blocks Step 6.
  • Step 11 audit trail — handoff notes propagate from issue body into close comment.
  • Release pipeline — pre-merge and pre-tag CI-green verification via gh statusCheckRollup.

New contributor doc

docs/ADDING-A-SKILL.md (136 lines) — frontmatter schema, required sections checklist, validator contract, output shape, per-change-type file checklist, wrapper-skill rules. Linked from CLAUDE.md and MAINTENANCE.md.

Bug fixes

  • manage-config-env ghost references in three locations (fight-repo-rot SKILL.md × 2, README.md, .env.example.template) replaced with the correct post-split skill names.
  • audit-security/SKILL.md Sweep mode section added — it was the only sweep specialist missing the canonical heading.
  • install.sh --dry-run no longer creates ~/.claude/skills — previously violated its own no-mutation contract.
  • v0.4.0 CHANGELOG P2 bullet corrected in place — claim of "universal bullet in all 10 skills" was literally false (6 universal + 4 anchored variants).

Security

  • .gitignore additions (*.pem *.key id_rsa* id_ed25519* *credentials* secrets/ *.pfx *.p12) — root .gitignore now matches the manage-secrets-env template defaults.
  • install.sh --force symlink-traversal guard — blocks the local foot-gun where rm -rf could follow a symlink to delete data outside the install target.
  • validator path-traversal guard on promised paths (see above).

Cleanup

  • 5 empty references/ directories deleted (fight-repo-rot, setup-ci, vibesubin, manage-assets, write-for-ai). They were not git-tracked but surfaced as ambiguous structure cues.
  • Umbrella ## Tone: balanced vs. harsh heading renamed to canonical ## Harsh mode — no hedging. Aligns with new validator Check A.
  • codex-fix heading same canonical form.
  • MAINTENANCE.md — removed references to two files that never existed; added CLAUDE.md to AI-session reading order; added pointer to new docs/ADDING-A-SKILL.md.

Intentionally skipped

  • v0.4.1 patch release — the four real bugs were bundled into v0.5.0 alongside validator teeth and the new contributor doc. No separate 0.4.1 tag exists; every change intended for it is in 0.5.0.
  • Dependency CVE scan, CI lint workflow, uninstall --dry-run, branch protection, repo-level secret scanning, README parity check, workflow-audit extension — out of scope. Not skill-coverage or invariant problems.

Full history in CHANGELOG.md.

vibesubin 0.4.0

Choose a tag to compare

@subinium subinium released this 21 Apr 01:31

TL;DR

v0.4.0 adds ship-cycle, vibesubin's first process-category skill — an issue-driven release orchestrator that turns improvement intent into bilingual issues, clusters them into milestones that map 1:1 to semver versions, dispatches each issue to the right worker for verified execution, and cuts the tag + GitHub release when the milestone closes. Karpathy's four AI-coding principles are now enforced in every worker as first-class vibesubin invariants rather than external references.

New

  • ship-cycle skill — 11th worker, first process-category. Direct-call only (not in /vibesubin parallel sweep). Host requirement: GitHub repo + authenticated gh CLI; graceful one-line fallback on every other host. 11-step procedure covers host check, state assumptions, language elicitation (Korean / English / Japanese / Chinese), intake from pasted findings or sweep output or a named scope, draft of bilingual issues, semver clustering into milestones (bug / perf / refactor / test / docs → patch; additive feature → minor; breaking → major) with a ~5-item patch cap, operator-approved gh issue create, per-label hand-off to the right worker skill for verified execution, and a release pipeline that aggregates closed issues into a functional-only CHANGELOG entry before cutting the annotated tag and GitHub release. Issue bodies, milestone rules, and the release pipeline each live in their own reference files.

  • Karpathy principles internalized — every worker now carries a skill-specific State assumptions — before acting section (Principle 1: Think Before Coding) and an anchored Don't add features the operator did not request bullet in Things-not-to-do (Principle 2: Simplicity First). These are load-bearing at Step 0 of every invocation — before any procedure runs. No external shoutout: the principles are now ours.

Category split: 10 code hygiene + 1 process

Worker-skill cap moves from a flat 10 to 10 + 1. Code hygiene stays at 10 (refactor-verify, audit-security, fight-repo-rot, write-for-ai, setup-ci, manage-secrets-env, project-conventions, manage-assets, unify-design, codex-fix). Process opens at 1 (ship-cycle). Each category has its own cap — future growth must extend, split, or displace within the category.

Documented as invariant #10 in docs/PHILOSOPHY.md. Root CLAUDE.md never-do list, change-type matrix, and load-bearing invariants table all updated to reflect the split.

Parallel sweep still reports 9

ship-cycle is not added to the parallel sweep — it mutates state (issues, branches, tags, releases) and belongs in direct-call workflows alongside codex-fix. The sweep continues to run exactly 9 code-hygiene specialists.

Other fixes

  • Umbrella SKILL.md had five stale "six specialists" narrative references from before v0.3.0 — corrected to "nine" (or "the full sweep" where a hard-coded count would drift again).
  • Two overlapping worker-cap invariant rows in CLAUDE.md merged into a single category-split row.
  • README.ja.md had a garbled "ロースクテス" (phonetic mangling of "low-stakes") and an untranslated English fallback quote in § 11 — both fixed to natural Japanese.
  • README.md § 11 heading now uses backticks on the skill name for uniformity with sections 1–10.

Full history in CHANGELOG.md.

vibesubin 0.3.3

Choose a tag to compare

@subinium subinium released this 16 Apr 00:16

vibesubin 0.3.3 — codex-fix correctness patch + translation cleanup.

⚠ What 0.3.2 shipped broken

codex-fix was advertised in 0.3.2 as "post-edit loop that invokes /codex:rescue". The SKILL.md instructed Claude to "invoke /codex:rescue" and embedded the prompt inside a plain-text code block starting with /codex:rescue .... That did not actually work. Slash-command text inside an LLM's response body is just a text string — it does not execute the slash command and does not dispatch the Codex plugin. The skill was instructions to write slash-command text, not instructions to invoke it.

On top of that, codex-fix's frontmatter allowed-tools omitted Task, so even if the skill had known the right dispatch mechanism, it would not have been allowed to use the tool that performs it.

Anyone who tried /codex-fix in 0.3.2 would have seen Claude generate a response containing /codex:rescue ... as text — which is a no-op. No Codex invocation, no findings, no fix loop. Apologies.

What 0.3.3 fixes

Invocation mechanism. codex-fix now invokes the Codex rescue subagent via the Task tool with subagent_type: "codex:codex-rescue" — the actual Claude Code plugin dispatch mechanism for agent-to-agent calls. The templated review prompt (security / correctness / performance / resource management / concurrency categories) is unchanged; only the dispatch mechanism is fixed.

allowed-tools frontmatter. Task, Bash(ls *), and Bash(test *) are now declared. Without them, the skill could not call the subagent or run the filesystem-based plugin-presence check.

Host-check detection paths. Step 1 now documents two paths:

  1. Primary — inspect the available-subagents list. Claude Code populates the available-subagents list at session start from installed plugins. The skill checks whether codex:codex-rescue appears as a valid subagent_type. If yes, proceed.
  2. Secondary — filesystem check. test -d "$HOME/.claude/plugins/codex" as a fallback for cases where the primary path is ambiguous.

Neither path triggers an error on a non-matching host; both just fall through to the graceful one-line fallback that exits cleanly.

Things-not-to-do warning. A new bullet explicitly warns future maintainers: "Don't write /codex:rescue ... as plain text in a response." It references this release so the 0.3.2 regression does not come back.

Transient-failure handling. Step 3 now specifies what to do if the Task call itself fails mid-call (subagent disabled, Codex CLI timeout, unexpected error): emit a one-line failure message and stop — do not retry automatically.

Also fixed

Translation cleanup. README.ja.md and README.zh.md skill-table trigger examples for codex-fix were in Korean in 0.3.2 (「codex 돌려서 고쳐줘」 etc.) — my 15-edit parallel translation batch copied Korean text across without per-language localization. Replaced with Japanese and Chinese equivalents:

  • README.ja.md line 59: 「Codex でチェックして直して」, 「codex fix」, 「run codex and fix」
  • README.zh.md line 59: "用 codex 跑一遍再修", "codex fix", "run codex and fix"

Korean prose polish. README.ko.md § 10 gained two minor fixes: "의도된 유일한""의도적으로 유일한" (less translated feel), and "소리내서 에러나지 않아요""시끄럽게 에러를 뱉지도 않습니다" (more idiomatic).

Who needs this update

  • Claude Code + Codex plugin users who tried /codex-fix on 0.3.2: yes, update immediately. 0.3.2's codex-fix was broken. 0.3.3 actually works.
  • Everyone else: update at your convenience. The refactor-verify review-driven fix mode (portable engine) and all other 0.3.2 features are unchanged. This release only touches codex-fix/SKILL.md, three READMEs, the CHANGELOG, and the version manifests.

The full CHANGELOG is at CHANGELOG.md.

vibesubin 0.3.2

Choose a tag to compare

@subinium subinium released this 15 Apr 23:39

vibesubin 0.3.2 — post-edit review loop, baked in.

Two coordinated additions for one specific workflow: "I've finished a batch of edits. Run an external review. Feed the findings back. Let Claude resolve them with verification."

What's new

refactor-verify gains a "Review-driven fix mode" — the portable engine for resolving external review findings. Accepts input from any source: pasted notes, a human PR review, a Sentry alert, gitleaks / pip-audit / cargo audit / govulncheck, Semgrep, Bandit, or a hand-off from a wrapper skill. The procedure: capture the review snapshot SHA, parse and normalize findings, triage each as real / false-positive / defer / duplicate, map each item to a commit via git blame, plan the fixes as a dependency tree, execute leaves-up with the standard 4-check verification (AST diff relaxed for intentionally-behavior-changing fixes, full call-site closure on the untouched surface), commit each fix with a back-reference (<type>: resolve <review-source>#<item-id> — ...), and report resolution item by item. This works on every agent that supports SKILL.md — Claude Code, Codex CLI, Cursor, Copilot, Cline, anything skills.sh talks to.

codex-fix skill — a deliberately thin (~100 lines) Claude Code + Codex plugin wrapper. It owns only the Codex-specific glue: host check, templated /codex:rescue prompt scoped to the current branch's diff, output collection, and the hand-off to refactor-verify's new mode. No parsing, no verification, no committing inside the wrapper — everything substantial delegates. This is the convenience path for operators who run the Codex loop often enough that the copy-paste between Codex output and Claude resolution was friction worth removing.

⚠ On non-matching hosts, this skill gracefully passes

codex-fix declares its host dependency explicitly. On any host that is not Claude Code + Codex plugin (Codex CLI itself, Cursor, Copilot, Cline, or Claude Code without the plugin), the skill's first action is a one-line fallback:

"Codex plugin not detected — this skill is Claude Code + Codex specific. To resolve a review from a different source, invoke /refactor-verify directly with the findings."

Then it exits. No hangs, no loud errors, no pasted-findings prompt. Graceful pass on non-matching hosts is the expected outcome, not a failure. Operators on other hosts or with other review sources should invoke /refactor-verify directly — same engine, same verification discipline, different input adapter.

New invariant: portable engines can have host-specific wrappers

docs/PHILOSOPHY.md gains rule 9: "Portable engines can have host-specific wrappers." The pack's core skills stay host-agnostic. When a frequent host-specific workflow justifies a dedicated trigger, it goes into a thin wrapper skill that declares the host dependency in its frontmatter, checks the host as its first action, emits a graceful one-line fallback on non-matching hosts, delegates everything substantial to a portable engine skill, and has no sweep mode. codex-fix is the first such wrapper; future ones (for Sentry, gitleaks, etc.) would follow the same shape. The engine is the contract; the wrapper is convenience.

10-worker cap reached

With codex-fix, the pack has exactly 10 worker skills (the vibesubin umbrella is not counted). The cap is full: refactor-verify, audit-security, fight-repo-rot, write-for-ai, setup-ci, manage-secrets-env, project-conventions, manage-assets, unify-design, codex-fix. Any future new capability must extend an existing skill, split one, or displace one — the surface area does not grow past 10, because users cannot remember more than ~10 tools.

Migration

No user-visible migration. Existing direct calls and natural-language triggers still work exactly as before.

If you want the new post-edit review loop:

  • Claude Code + Codex plugin: type "codex 돌려서 고쳐줘" or /codex-fix after finishing a batch of edits.
  • Any other agent or review source: invoke /refactor-verify directly with pasted findings — or any of the trigger phrases for the new review-driven fix mode ("resolve these findings", "fix this review", "리뷰 사항 처리해줘").

The full CHANGELOG is at CHANGELOG.md.

vibesubin 0.3.1

Choose a tag to compare

@subinium subinium released this 14 Apr 23:42

vibesubin 0.3.1 — operational rules, enforced.

No user-facing skill changes. This is a maintenance bump that turns two previously-social rules into durable guardrails.

What's new

CLAUDE.md at the repo root — the operational rules that apply to every Claude Code session on this repo are now in a single file Claude reads at session start. It encodes the never-do / always-do lists, the full release process (annotated tag + gh release create), a change-type → file matrix for common tasks (add a skill, rename a skill, split a skill, bump a version), the load-bearing invariants table, and a "recently decided" section listing decisions that should not be re-argued: the 10-skill cap, functional-only CHANGELOG style, harsh mode as framing only, no bulk README rewrites, unify-design as intentionally web-dev specific, and release notes living on GitHub only.

scripts/validate_skills.py enforces the 500-line SKILL.md cap. The cap was previously documented in MAINTENANCE.md and docs/PHILOSOPHY.md but nothing checked it. The validator now fails any SKILL.md that exceeds 500 lines with a remediation pointer ("extract tail sections into references/*.md"). Every current skill fits under the cap — the largest is write-for-ai/SKILL.md at 379 lines — so this release is a no-op for existing skills and a guardrail against future regressions. The verbose mode (--verbose) now reports per-file line counts.

Why this matters

The 0.3.0 review revealed that harsh mode had a coverage gap (only 2 of 6 workers implemented it) because the rule existed as documentation, not as a check. Social rules decay without enforcement. This release moves two such rules — operational workflow and the SKILL.md line cap — into places that cannot be silently ignored: a CLAUDE.md that Claude reads every session, and a validator that blocks commits on failure.

The full, functional CHANGELOG is at CHANGELOG.md.

vibesubin 0.3.0

Choose a tag to compare

@subinium subinium released this 14 Apr 18:37

vibesubin 0.3.0 — three new skills, one split, tighter harsh mode.

⚠ Breaking change — migration

manage-config-env has been split into two skills. Your existing calls need to move:

If you used to call Use this now
/manage-config-env for .env, secrets, .gitignore, secret rotation /manage-secrets-env
/manage-config-env for branch strategy, dep pinning, directory layout, hardcoded paths /project-conventions

The umbrella router (/vibesubin) already knows both — you only need to update direct /manage-config-env invocations. Re-run /plugin marketplace update and the new names are picked up automatically.

New skills

manage-secrets-env — the high-stakes half of the old manage-config-env. Four-bucket decision tree for where a value lives, .env.env.example drift check, default-safe .gitignore template, full secret lifecycle (add / update / rotate / remove / migrate / audit drift / provision new environment).

project-conventions — the low-stakes half. Picks GitHub Flow for you, enforces exact-pinned production dependencies with a committed lockfile, pushes toward domain-first directory layout, audits for absolute paths and literal IPs in source.

manage-assets — diagnosis-only bloat scan. Detects oversized files in the working tree, large blobs hiding in git history, LFS migration candidates, asset-directory growth, duplicate binaries. Never deletes, never rewrites history — every destructive action hands off to refactor-verify for verification. Pairs especially well with open-sourcing.

unify-design — web-dev design-system auditor and token extractor. Detects the framework (Tailwind v3, Tailwind v4, CSS Modules, styled-components, Emotion, Material UI, Chakra UI, vanilla CSS), scaffolds a tokens file with opinionated defaults if missing, audits for drift (hardcoded hex, arbitrary Tailwind values, inline styles, duplicate Button/Card/Nav/Logo components, near-match colors), and rewrites drift back to tokens. Multi-file consolidations hand off to refactor-verify.

Improvements

  • Harsh mode now covers every specialist. Previously only 2 of 6 workers implemented the tone=harsh marker switch; the umbrella propagated the marker but the other 4 silently fell back to balanced output. All 9 workers now implement the switch — /vibesubin harsh actually feels harsh end-to-end.
  • write-for-ai enforces objectivity. A new section rules out marketing drift in generated docs: no unbacked adjectives (fast, production-ready, best-in-class), no superlatives without comparison, no weasel hedging, and every capability claim ships with a verification command. Enforced via the mandatory self-review checklist.
  • fight-repo-rot adds test rot. Dead tests, obsolete fixtures, orphaned snapshot files, skipped tests older than six months, hardcoded sleeps inside test bodies, and oversized test files. Hands off to refactor-verify with the same HIGH/MEDIUM/LOW confidence framing as production dead code.
  • vibesubin umbrella drops time estimates. Phrases like couple of minutes, Est. time column, 20 min example rows are gone — they were unreliable across environments and read as promises. Replaced with qualitative size buckets (S / M / L).

Under the hood

  • docs/PHILOSOPHY.md now exists. MAINTENANCE.md had referenced it in the "future AI sessions should read this file" list, but the file was missing.
  • plugins/vibesubin/.claude-plugin/plugin.json was stuck at 0.1.0 while .claude-plugin/marketplace.json had advanced to 0.2.0. Both now sync at 0.3.0.
  • README.ko.md, README.ja.md, README.zh.md were rewritten end-to-end for the 0.3.0 structure in natural-voice translations, not literal.

The full, functional CHANGELOG is at CHANGELOG.md.