Releases: subinium/vibesubin
Release list
vibesubin 0.7.2
Self-audit hot-fix release. Closes self-policy violations and documentation correctness gaps surfaced by static review against the pack's own invariants, plus one new reference (branch-models.md) closing the GitHub-Flow-only gap.
Fixed
.github/workflows/release.yml— third-party actions are now pinned to commit SHA persetup-ci's own policy:actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5(v4),actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065(v5),softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65(v2). Prior@v4/@v5/@v2floating tags violated the pack's own "tag can be moved; SHA cannot" invariant —setup-ciwarns user repos against this pattern, but vibesubin's own release CI was using it..github/workflows/release.yml—pip install pytestnow pins topytest==8.3.3, matchingvalidate-skills.yml. Previously unpinned, so the same pytest suite could run with different pytest versions in the two workflows..github/workflows/release.yml— secret filename check regex expanded to mirrormanage-secrets-env's secret-shaped entry list:id_ed25519*,*.p12,*.pfx,credentials*,secrets*,*.credentials.jsonnow also blocked. Each alternation anchors at a path-component boundary so words inside directory names (e.g.,manage-secrets-env/) do not false-positive;.md/.template/.exampledocumentation extensions are excluded; matched files are printed for debugging. Prior regex only caught.env,.pem,id_rsa,.key, leaving SSH ed25519 keys, PFX bundles, and service-account JSON keys free to land in a release commit..github/workflows/validate-skills.yml— path triggers expanded toscripts/**,tests/**,.claude-plugin/**,.github/workflows/**,MAINTENANCE.md,README.md,docs/i18n/**. Previously onlyplugins/**,scripts/validate_skills.py, and the validate-skills workflow itself triggered, so manifest version-sync changes, test edits, release-workflow edits, and translated README updates could bypass validation.plugins/vibesubin/skills/refactor-verify/scripts/callsite-count.sh— rename mode whereafter_count > before_countnow exits 1 by default (previously printed a NOTE and exited 0). Therefactor-verifyinvariant is "before-count must equal after-count"; a silent exit-0 on mismatch contradicted it. New--allow-extraflag opts in to intentional wrapper / adapter / alias additions.plugins/vibesubin/skills/refactor-verify/scripts/symbol-diff.sh— everyrginvocation now passes--no-filename --no-line-number, and outputs uselang:symbolprefix form. Internal moves (function relocated to a different file) no longer surface as adropped + addedfalse positive; public-API drops still surface because the symbol disappears from the language's symbol set.plugins/vibesubin/skills/refactor-verify/scripts/smoke-test.sh— whenpnpm-lock.yaml/yarn.lock/bun.lockbis present but the matching package manager is not installed, the script now exits 3 with a bootstrap hint. Previously fell back tonpm, which would silently install a different dependency tree from the same lockfile and produce a misleading "tests passed" signal.plugins/vibesubin/skills/manage-secrets-env/SKILL.md—.envfile precedence is now correctly split between Next.js (process.env → .env.$NODE_ENV.local → .env.local → .env.$NODE_ENV → .env, earlier wins) and Vite (loads.env,.env.local,.env.[mode],.env.[mode].local; later wins for files but already-set process env beats every file). Previously both were described with one shared chain, which is wrong for Next.js.plugins/vibesubin/skills/project-conventions/SKILL.md— dependency pinning rule split per repo type (app/template: exact pin + committed lockfile / library: semver range + lockfile-for-tests + compatibility matrix / monorepo: per-package). Previously the repo-type table separated them but the body sentence collapsed everything to "every production dependency is pinned to an exact version", contradicting the table for libraries.plugins/vibesubin/skills/refactor-verify/SKILL.md— frontmatterallowed-toolsno longer includesBash(git stash *). The skill body declaresgit stashnon-negotiable forbidden as an isolation mechanism; the tool-permission grant contradicted that.
Added
plugins/vibesubin/skills/ship-cycle/references/branch-models.md(130 lines) — new reference comparing GitHub Flow / GitFlow / Trunk-based, documenting why ship-cycle picks GitHub Flow and how it defers when a GitFlow / Trunk-based repo is detected (Step 1.5 announcement, Step 9 branch-naming deferral, Step 10 release-pipeline blocking on GitFlow).ship-cycle/SKILL.mdStep 2 Assumptions block'sBranch convention:line links to it.
Changed
- Plugin version
0.7.1→0.7.2in.claude-plugin/marketplace.jsonandplugins/vibesubin/.claude-plugin/plugin.json. Patch bump: every change in this release is either a fix to a self-policy violation or a documentation correctness gap surfaced by static self-audit, with one new reference (branch-models.md) added to close the GitHub-Flow-only deferral gap.
Full changelog: CHANGELOG.md · diff: v0.7.1...v0.7.2
vibesubin 0.7.1
TL;DR
Two AI-native failure modes the pack now actively guards against per-worker — recommending removal of unfamiliar code without identifying the why, and recommending gate-gaming as a fix when verification fails. Bundled with three previously-unreleased items (auto-verify hook, release CI safety net, marketplace metadata).
Engineering principles internalized
The pack now internalizes two named engineering principles as concrete per-skill checks, following the Karpathy-4-principles precedent — the rule lives in each affected SKILL.md, principle attribution lives here and in the changelog (no external shoutout in skill text).
Chesterton's Fence — don't remove what you don't understand
Workers refuse to recommend removal or replacement of unfamiliar code, files, env vars, assets, or conventions without first identifying the why (origin commit, recent issues/PRs, indirect references, ADRs). Confidence tier verified requires both zero references AND known origin; unclear origin downgrades to candidate-for-removal (or candidate-with-context-needed for convention changes) with operator confirmation.
Internalized in: fight-repo-rot, manage-assets, manage-secrets-env, refactor-verify, audit-security, project-conventions.
Goodhart's Law — don't recommend gaming the gate
Workers refuse to recommend gate-gaming patterns (as any, // @ts-ignore, eslint-disable without justification, weakened test assertions, .skip / xit, empty try/catch, expanded tsconfig excludes, continue-on-error: true on quality gates, suppression comments without CVE/justification) as fixes when verification fails. The pipeline measures correctness; gate-bypass mechanisms are a regression dressed as a fix.
Internalized in: refactor-verify, audit-security, setup-ci, codex-fix (wrapper enforces the canonical list at the wrapper boundary, no duplication).
Framing
Both principles are operationalizations of existing PHILOSOPHY invariants, not new ideology:
- Invariant #2 (well-meaning junior developer) → stop-and-ask moments before destructive action (Chesterton)
- Invariant #1 (Done is proven, not claimed) → proof of origin for
verifiedtier and proof of correctness for gate passes (Chesterton + Goodhart)
The change is enforcement, not philosophy.
Also in 0.7.1 (previously [Unreleased])
- Opt-in auto-verify hook (
plugins/vibesubin/hooks/auto-verify.sh) — runsrefactor-verify'ssymbol-diff.shafter MultiEdit ≥5 edits or signature-line diffs. Defaults OFF (VIBESUBIN_AUTO_VERIFY=1to enable). Stderr-advisory only; 3-second hard timeout. - Release CI safety net (
.github/workflows/release.yml) — tag-push workflow runsvalidate_skills.py,pytest, manifest version sync check (HARD: tag = marketplace = plugin), and forbidden-file scan before the GitHub release goes live. - Marketplace metadata —
category,tags,repositoryfields in.claude-plugin/marketplace.jsonfor discoverability.
Under the hood
- 11 files changed (+16 −2). 8
SKILL.mdedits (one bullet each, two onrefactor-verifyandaudit-security), 2 manifest version bumps, 1CHANGELOG.mdentry. - No new skills — the 10 hygiene + 1 process cap is unchanged.
- No interface change — skill names, arguments, and 4-part output shape all identical.
- No
README.md/README.{ko,ja,zh}.mdedits — no skill added, renamed, or removed, so translations stayed quiet. scripts/validate_skills.pypasses with all 12 checks. AllSKILL.mdfiles under the 500-line cap (largest affected:refactor-verifyat 415).
Full changelog
See CHANGELOG.md for the complete entry.
vibesubin 0.7.0
TL;DR — mutates frontmatter contract on every skill, 5 new validator checks, MAINTENANCE.md becomes the canonical operational policy, language READMEs reorganized under docs/i18n/, CLAUDE.md gitignored.
New — safety contract
mutates: [<tokens>]frontmatter on all 11 SKILL.md + umbrella. Tokens drawn from{direct, external}. Empty list[]for the three pure-diagnosis workers and the umbrella.[direct]for the six editable sweep workers.[direct, external]for the two direct-call-only skills (ship-cycle,codex-fix). The umbrella reads this field at sweep launch and refuses to include any worker carryingexternal; the validator enforces the same contract statically.- 5 new validator checks. Frontmatter schema (
name,description,mutates,allowed-tools).mutatestoken validity + category consistency (sweep specialists cannot includeexternal; pure-diagnosis must be[]; editable workers must includedirect). Per-references/*.md500-line cap (same cap asSKILL.md— content can no longer hide in references to dodge the cap)./<skill-name>backtick references must resolve to a real skill in the pack.descriptionmust be 1–1024 chars;namemust match directory. - 11 new pytest cases covering each new validator behavior. Total suite: 21 tests, all green.
New — ship-cycle hardening
- Mutation contract — every external mutation (
gh issue create,gh api,gh release create,git tag -a,git push) follows preview → confirm (approve/proceed/yes) → mutate. Created resources carry<!-- ship-cycle:vX.Y.Z -->idempotency markers. Deterministic branch names (<type>/issue-<N>-<slug>) and milestone titles (vX.Y.Z) make re-runs noop. - Rollback table — every mutation maps to its inverse
ghcommand (gh issue close,gh api ... state=closed,gh release delete,git push --delete,gh pr close). Published tags and releases are never rewritten — cut a follow-up patch instead. dry-runmode — operator saysdry-runat Step 7 (or Step 1.5 override) to skip every Mutate step.
New — per-skill output schema
audit-security— secret fingerprint output rule. Findings print file:line + length + first 4 chars (or 7 for known prefixes likesk-,ghp_,xoxb-) + provider guess. Raw secret values are never echoed back into chat logs, PR bodies, or screenshots.fight-repo-rot— Path exclusions section.node_modules/,vendor/,target/,.venv/,dist/,build/,out/,.next/,__pycache__/, schema migrations, test fixtures, snapshot files,// @generatedheaders, and Storybook stories are excluded from dead-code analysis before confidence tagging.project-conventions— Repo type section.app | library | monorepo | template | docs-onlywith detection signals. Each repo type maps to a different pinning strategy: app uses exact pin + lockfile; library uses semver range + compatibility matrix; monorepo uses per-package strategy with shared root lockfile.manage-assets— fixed-taxonomy classification field on every finding (artifact | source | media | database | secret-shaped | generated). Replaces ad-hoc prose grouping; umbrella consumes the token directly.refactor-verify— Review-driven fix mode (~103 lines) extracted toreferences/review-driven-fix.md. Stale-snapshot handling, the four-way triage, and the resolution-report template move to references; SKILL.md keeps a 13-line summary + pointer.vibesubin— Sweep contract enforcement paragraph in Step 2 launch block. Umbrella now reads each worker's frontmattermutatesbefore adding to the parallel sweep.
Changed — MAINTENANCE.md becomes the policy home
The (now gitignored) CLAUDE.md is no longer the operational source of truth. MAINTENANCE.md absorbs:
- 🛑 Never do — 9 items (added: never put
externalin a sweep specialist'smutates). - ✅ Always do — 8 items (added: run
pytest tests/; declaremutates). - 🚀 Release process — 10 steps from finalize CHANGELOG to
gh release view. - 📋 Change type → file matrix — adapted for
docs/i18n/paths and the validator+pytest verification command. - 🔒 Load-bearing invariants — 10-row table with an "Enforced by" column citing validator check numbers.
- 🎭 Recently decided — 12 entries preserving the v0.3.0–v0.7.0 decision log.
Changed — repo housekeeping
- Language READMEs moved to
docs/i18n/.git mvofREADME.{ko,ja,zh}.md→docs/i18n/README.{ko,ja,zh}.md. Inter-language links and the rootREADME.mdswitcher updated. Root file count: 10 → 7. CLAUDE.mdgitignored +git rm --cached. Project-wide rules redistributed acrossMAINTENANCE.md(operational),docs/PHILOSOPHY.md(invariants),docs/ADDING-A-SKILL.md(skill-authoring mechanics),CONTRIBUTING.md(contribution model). Local maintainer copies — and AI tools auto-loadingCLAUDE.mdfrom the working directory — continue to work; the file just isn't shipped to forks.AGENTS.mdalso gitignored for symmetry. Cross-references indocs/ADDING-A-SKILL.md,ship-cycle/references/issue-body-template.md,ship-cycle/references/release-pipeline.md, andvalidate_skills.pycomments updated to point atMAINTENANCE.md.
Verification
python3 scripts/validate_skills.py→ OK across 12 skills, every promise resolves, frontmattermutatescontract enforced, every SKILL.md and references file ≤500 lines, manifests synced.pytest tests/→ 21 passed.
Full diff: 28 files changed, +874 / −268.
See CHANGELOG.md for the complete entry.
vibesubin 0.6.0
vibesubin 0.6.0
Two opt-in output styles, a canonical conflict surface, a two-track ship-cycle, and a 5-category README — plus the usual tightening.
Layperson mode (opt-in)
Triggers: /vibesubin explain, /vibesubin easy, "쉽게 설명해줘", "일반인도 이해되게", "explain like I'm non-technical", "initiate easy mode", "非開発者でも分かるように", "用通俗的话解释".
Every finding now gets three plain-language questions answered — 왜 이것을 해야 하나요? / 왜 중요한 작업인가요? / 그래서 무엇을 하나요? — in a pretty box format, with severity translated to urgency (CRITICAL → "지금 당장", HIGH → "이번 주 안에", MEDIUM → "다음 릴리즈 전까지", LOW → "시간 날 때"). Stacks freely with tone=harsh. Same findings, same evidence, same file:line references — presentation-only. Full rules in plugins/vibesubin/skills/vibesubin/references/layperson-translation.md.
Skill conflicts surface — gap / reason / basis
When two specialists give contradictory advice on the same file, the umbrella now emits a ⚠ Skill conflict block with both sides' recommendation + reason + evidence basis — and the operator picks. Four canonical pairs seeded in plugins/vibesubin/skills/vibesubin/references/skill-conflicts.md:
refactor-verify↔audit-securityon sequencing (ACTIVE vs. LATENT vulnerability)unify-design↔refactor-verifyon component consolidation (hand-off, not conflict)fight-repo-rot↔project-conventionson dead dependencies (remove-then-verify-lockfile)manage-secrets-env↔audit-securityon tracked.env(required sequence: rotate first, then structural fix)
Contradiction is information, not a bug — the catalog decides between hand-off (sequence) vs. true conflict (fork) and surfaces evidence either way.
ship-cycle — enforced conventions + two tracks
PR / branch / commit conventions are now enforced via a new reference file (plugins/vibesubin/skills/ship-cycle/references/pr-branch-conventions.md):
- GitHub Flow branches:
<type>/<issue-N>-<slug>(e.g.,fix/issue-42-auth-session-refresh) - Conventional Commits + mandatory
Closes #<N>footer - Six-section PR template: Context / What changed / Test plan / Docs plan / Risk / Handoff notes
- Rebase-first merge with
--force-with-lease(plain--forcebanned) - No force-push to
main/master/release/* - CI green gate: all checks (including optional) must be SUCCESS or NEUTRAL; SKIPPED requires confirmation; flaky checks get one re-run
- Merge strategy detection: repo settings first,
CONTRIBUTING.mdsecond,--squashdefault
Two tracks. The default GitHub track is unchanged. The new PRD track handles every other host (GitLab, Gitea, Forgejo, Bitbucket, plain git, gh unauthenticated) — local markdown files under docs/release-cycle/vX.Y.Z/ carry the same methodology, same conventions, same audit trail. ship-cycle no longer hard-exits on non-GitHub hosts.
See plugins/vibesubin/skills/ship-cycle/references/prd-track.md.
READMEs — 5 categories across 4 languages
Single lineup table split into 5 category-grouped tables:
- Code quality (5):
refactor-verify,audit-security,fight-repo-rot,manage-assets,unify-design - Docs & AI-friendliness (2):
write-for-ai,project-conventions - Infra & config (2):
setup-ci,manage-secrets-env - Release process (1):
ship-cycle - Host-specific wrappers (1):
codex-fix
Per-skill writeups tightened under the same 5 headings; anchors plain (#refactor-verify, no #1-refactor-verify numbering). Structure mirrors in README.ko.md, README.ja.md, README.zh.md with each file's voice preserved. Total across 4 languages: 1248 → 1190 lines.
Under the hood
- Every 11 worker
SKILL.mdfile gained a## Layperson mode — plain-language translationsection, parallel to the existing## Harsh mode — no hedging. - Umbrella synthesis Step 3 gained two rules — skill-conflict check + layperson-layer application.
ship-cyclegained### Step 1.5 — Track selectionbetween Step 1 and Step 2.- Assumptions block gained
Track:andMerge strategy:fields. .gitignoreexplicitly lists.mypy_cache/and.pytest_cache/. Caches must never be tracked.
Full detail: CHANGELOG.md.
vibesubin 0.5.0
TL;DR
v0.5.0 turns three social-contract invariants into machine checks, closes seven coverage gaps in ship-cycle surfaced by the user's typical release-cycle prompt, adds docs/ADDING-A-SKILL.md so a fresh contributor can author a skill without reverse-engineering, and fixes four real bugs surfaced during review.
Validator teeth
scripts/validate_skills.py now enforces four invariants that were social contract only:
- Harsh mode section present in every worker — mirrors
CLAUDE.mdnever-do #4 - Sweep marker present in the six editable workers — mirrors never-do #7
- Manifest version sync between
marketplace.jsonandplugin.json— mirrors never-do #8 - Path-traversal guard on backtick-quoted promised paths — defensive
New tests/test_validate_skills.py (11 tests, pytest + tmp_path) ensures the checks cannot regress silently. Wired into the existing validate-skills CI workflow.
ship-cycle workflow coverage
Seven additions close the gaps the typical release-cycle prompt exposed:
- Step 0.5 — Offer upstream review (invoke
/vibesubinsweep, invoke a targeted worker, or proceed with operator-pasted findings) before assuming findings exist. - Step 5.5 — Write PRD.md (themes + north-star goals + success metrics + deferred items) before clustering. New
references/prd-template.md. - Step 9a — Parallel dispatch (10+ simultaneous workers) for independent issues with explicit
opus/max defaults. - Step 9b — CI-green gate before
gh pr merge. - Step 5 acceptance criteria — mandatory test plan / docs plan / handoff notes fields per issue. Missing any field blocks Step 6.
- Step 11 audit trail — handoff notes propagate from issue body into close comment.
- Release pipeline — pre-merge and pre-tag CI-green verification via
gh statusCheckRollup.
New contributor doc
docs/ADDING-A-SKILL.md (136 lines) — frontmatter schema, required sections checklist, validator contract, output shape, per-change-type file checklist, wrapper-skill rules. Linked from CLAUDE.md and MAINTENANCE.md.
Bug fixes
manage-config-envghost references in three locations (fight-repo-rot SKILL.md × 2, README.md, .env.example.template) replaced with the correct post-split skill names.audit-security/SKILL.mdSweep mode section added — it was the only sweep specialist missing the canonical heading.install.sh --dry-runno longer creates~/.claude/skills— previously violated its own no-mutation contract.- v0.4.0 CHANGELOG P2 bullet corrected in place — claim of "universal bullet in all 10 skills" was literally false (6 universal + 4 anchored variants).
Security
.gitignoreadditions (*.pem *.key id_rsa* id_ed25519* *credentials* secrets/ *.pfx *.p12) — root.gitignorenow matches themanage-secrets-envtemplate defaults.install.sh --forcesymlink-traversal guard — blocks the local foot-gun whererm -rfcould follow a symlink to delete data outside the install target.- validator path-traversal guard on promised paths (see above).
Cleanup
- 5 empty
references/directories deleted (fight-repo-rot, setup-ci, vibesubin, manage-assets, write-for-ai). They were not git-tracked but surfaced as ambiguous structure cues. - Umbrella
## Tone: balanced vs. harshheading renamed to canonical## Harsh mode — no hedging. Aligns with new validator Check A. codex-fixheading same canonical form.MAINTENANCE.md— removed references to two files that never existed; addedCLAUDE.mdto AI-session reading order; added pointer to newdocs/ADDING-A-SKILL.md.
Intentionally skipped
- v0.4.1 patch release — the four real bugs were bundled into v0.5.0 alongside validator teeth and the new contributor doc. No separate 0.4.1 tag exists; every change intended for it is in 0.5.0.
- Dependency CVE scan, CI lint workflow, uninstall --dry-run, branch protection, repo-level secret scanning, README parity check, workflow-audit extension — out of scope. Not skill-coverage or invariant problems.
Full history in CHANGELOG.md.
vibesubin 0.4.0
TL;DR
v0.4.0 adds ship-cycle, vibesubin's first process-category skill — an issue-driven release orchestrator that turns improvement intent into bilingual issues, clusters them into milestones that map 1:1 to semver versions, dispatches each issue to the right worker for verified execution, and cuts the tag + GitHub release when the milestone closes. Karpathy's four AI-coding principles are now enforced in every worker as first-class vibesubin invariants rather than external references.
New
-
ship-cycleskill — 11th worker, first process-category. Direct-call only (not in/vibesubinparallel sweep). Host requirement: GitHub repo + authenticatedghCLI; graceful one-line fallback on every other host. 11-step procedure covers host check, state assumptions, language elicitation (Korean / English / Japanese / Chinese), intake from pasted findings or sweep output or a named scope, draft of bilingual issues, semver clustering into milestones (bug / perf / refactor / test / docs → patch; additive feature → minor; breaking → major) with a ~5-item patch cap, operator-approvedgh issue create, per-label hand-off to the right worker skill for verified execution, and a release pipeline that aggregates closed issues into a functional-only CHANGELOG entry before cutting the annotated tag and GitHub release. Issue bodies, milestone rules, and the release pipeline each live in their own reference files. -
Karpathy principles internalized — every worker now carries a skill-specific
State assumptions — before actingsection (Principle 1: Think Before Coding) and an anchoredDon't add features the operator did not requestbullet in Things-not-to-do (Principle 2: Simplicity First). These are load-bearing at Step 0 of every invocation — before any procedure runs. No external shoutout: the principles are now ours.
Category split: 10 code hygiene + 1 process
Worker-skill cap moves from a flat 10 to 10 + 1. Code hygiene stays at 10 (refactor-verify, audit-security, fight-repo-rot, write-for-ai, setup-ci, manage-secrets-env, project-conventions, manage-assets, unify-design, codex-fix). Process opens at 1 (ship-cycle). Each category has its own cap — future growth must extend, split, or displace within the category.
Documented as invariant #10 in docs/PHILOSOPHY.md. Root CLAUDE.md never-do list, change-type matrix, and load-bearing invariants table all updated to reflect the split.
Parallel sweep still reports 9
ship-cycle is not added to the parallel sweep — it mutates state (issues, branches, tags, releases) and belongs in direct-call workflows alongside codex-fix. The sweep continues to run exactly 9 code-hygiene specialists.
Other fixes
- Umbrella
SKILL.mdhad five stale "six specialists" narrative references from before v0.3.0 — corrected to "nine" (or "the full sweep" where a hard-coded count would drift again). - Two overlapping worker-cap invariant rows in
CLAUDE.mdmerged into a single category-split row. README.ja.mdhad a garbled "ロースクテス" (phonetic mangling of "low-stakes") and an untranslated English fallback quote in § 11 — both fixed to natural Japanese.README.md§ 11 heading now uses backticks on the skill name for uniformity with sections 1–10.
Full history in CHANGELOG.md.
vibesubin 0.3.3
vibesubin 0.3.3 — codex-fix correctness patch + translation cleanup.
⚠ What 0.3.2 shipped broken
codex-fix was advertised in 0.3.2 as "post-edit loop that invokes /codex:rescue". The SKILL.md instructed Claude to "invoke /codex:rescue" and embedded the prompt inside a plain-text code block starting with /codex:rescue .... That did not actually work. Slash-command text inside an LLM's response body is just a text string — it does not execute the slash command and does not dispatch the Codex plugin. The skill was instructions to write slash-command text, not instructions to invoke it.
On top of that, codex-fix's frontmatter allowed-tools omitted Task, so even if the skill had known the right dispatch mechanism, it would not have been allowed to use the tool that performs it.
Anyone who tried /codex-fix in 0.3.2 would have seen Claude generate a response containing /codex:rescue ... as text — which is a no-op. No Codex invocation, no findings, no fix loop. Apologies.
What 0.3.3 fixes
Invocation mechanism. codex-fix now invokes the Codex rescue subagent via the Task tool with subagent_type: "codex:codex-rescue" — the actual Claude Code plugin dispatch mechanism for agent-to-agent calls. The templated review prompt (security / correctness / performance / resource management / concurrency categories) is unchanged; only the dispatch mechanism is fixed.
allowed-tools frontmatter. Task, Bash(ls *), and Bash(test *) are now declared. Without them, the skill could not call the subagent or run the filesystem-based plugin-presence check.
Host-check detection paths. Step 1 now documents two paths:
- Primary — inspect the available-subagents list. Claude Code populates the available-subagents list at session start from installed plugins. The skill checks whether
codex:codex-rescueappears as a validsubagent_type. If yes, proceed. - Secondary — filesystem check.
test -d "$HOME/.claude/plugins/codex"as a fallback for cases where the primary path is ambiguous.
Neither path triggers an error on a non-matching host; both just fall through to the graceful one-line fallback that exits cleanly.
Things-not-to-do warning. A new bullet explicitly warns future maintainers: "Don't write /codex:rescue ... as plain text in a response." It references this release so the 0.3.2 regression does not come back.
Transient-failure handling. Step 3 now specifies what to do if the Task call itself fails mid-call (subagent disabled, Codex CLI timeout, unexpected error): emit a one-line failure message and stop — do not retry automatically.
Also fixed
Translation cleanup. README.ja.md and README.zh.md skill-table trigger examples for codex-fix were in Korean in 0.3.2 (「codex 돌려서 고쳐줘」 etc.) — my 15-edit parallel translation batch copied Korean text across without per-language localization. Replaced with Japanese and Chinese equivalents:
README.ja.mdline 59:「Codex でチェックして直して」,「codex fix」,「run codex and fix」README.zh.mdline 59:"用 codex 跑一遍再修","codex fix","run codex and fix"
Korean prose polish. README.ko.md § 10 gained two minor fixes: "의도된 유일한" → "의도적으로 유일한" (less translated feel), and "소리내서 에러나지 않아요" → "시끄럽게 에러를 뱉지도 않습니다" (more idiomatic).
Who needs this update
- Claude Code + Codex plugin users who tried
/codex-fixon 0.3.2: yes, update immediately. 0.3.2'scodex-fixwas broken. 0.3.3 actually works. - Everyone else: update at your convenience. The
refactor-verifyreview-driven fix mode (portable engine) and all other 0.3.2 features are unchanged. This release only touchescodex-fix/SKILL.md, three READMEs, the CHANGELOG, and the version manifests.
The full CHANGELOG is at CHANGELOG.md.
vibesubin 0.3.2
vibesubin 0.3.2 — post-edit review loop, baked in.
Two coordinated additions for one specific workflow: "I've finished a batch of edits. Run an external review. Feed the findings back. Let Claude resolve them with verification."
What's new
refactor-verify gains a "Review-driven fix mode" — the portable engine for resolving external review findings. Accepts input from any source: pasted notes, a human PR review, a Sentry alert, gitleaks / pip-audit / cargo audit / govulncheck, Semgrep, Bandit, or a hand-off from a wrapper skill. The procedure: capture the review snapshot SHA, parse and normalize findings, triage each as real / false-positive / defer / duplicate, map each item to a commit via git blame, plan the fixes as a dependency tree, execute leaves-up with the standard 4-check verification (AST diff relaxed for intentionally-behavior-changing fixes, full call-site closure on the untouched surface), commit each fix with a back-reference (<type>: resolve <review-source>#<item-id> — ...), and report resolution item by item. This works on every agent that supports SKILL.md — Claude Code, Codex CLI, Cursor, Copilot, Cline, anything skills.sh talks to.
codex-fix skill — a deliberately thin (~100 lines) Claude Code + Codex plugin wrapper. It owns only the Codex-specific glue: host check, templated /codex:rescue prompt scoped to the current branch's diff, output collection, and the hand-off to refactor-verify's new mode. No parsing, no verification, no committing inside the wrapper — everything substantial delegates. This is the convenience path for operators who run the Codex loop often enough that the copy-paste between Codex output and Claude resolution was friction worth removing.
⚠ On non-matching hosts, this skill gracefully passes
codex-fix declares its host dependency explicitly. On any host that is not Claude Code + Codex plugin (Codex CLI itself, Cursor, Copilot, Cline, or Claude Code without the plugin), the skill's first action is a one-line fallback:
"Codex plugin not detected — this skill is Claude Code + Codex specific. To resolve a review from a different source, invoke
/refactor-verifydirectly with the findings."
Then it exits. No hangs, no loud errors, no pasted-findings prompt. Graceful pass on non-matching hosts is the expected outcome, not a failure. Operators on other hosts or with other review sources should invoke /refactor-verify directly — same engine, same verification discipline, different input adapter.
New invariant: portable engines can have host-specific wrappers
docs/PHILOSOPHY.md gains rule 9: "Portable engines can have host-specific wrappers." The pack's core skills stay host-agnostic. When a frequent host-specific workflow justifies a dedicated trigger, it goes into a thin wrapper skill that declares the host dependency in its frontmatter, checks the host as its first action, emits a graceful one-line fallback on non-matching hosts, delegates everything substantial to a portable engine skill, and has no sweep mode. codex-fix is the first such wrapper; future ones (for Sentry, gitleaks, etc.) would follow the same shape. The engine is the contract; the wrapper is convenience.
10-worker cap reached
With codex-fix, the pack has exactly 10 worker skills (the vibesubin umbrella is not counted). The cap is full: refactor-verify, audit-security, fight-repo-rot, write-for-ai, setup-ci, manage-secrets-env, project-conventions, manage-assets, unify-design, codex-fix. Any future new capability must extend an existing skill, split one, or displace one — the surface area does not grow past 10, because users cannot remember more than ~10 tools.
Migration
No user-visible migration. Existing direct calls and natural-language triggers still work exactly as before.
If you want the new post-edit review loop:
- Claude Code + Codex plugin: type "codex 돌려서 고쳐줘" or
/codex-fixafter finishing a batch of edits. - Any other agent or review source: invoke
/refactor-verifydirectly with pasted findings — or any of the trigger phrases for the new review-driven fix mode ("resolve these findings", "fix this review", "리뷰 사항 처리해줘").
The full CHANGELOG is at CHANGELOG.md.
vibesubin 0.3.1
vibesubin 0.3.1 — operational rules, enforced.
No user-facing skill changes. This is a maintenance bump that turns two previously-social rules into durable guardrails.
What's new
CLAUDE.md at the repo root — the operational rules that apply to every Claude Code session on this repo are now in a single file Claude reads at session start. It encodes the never-do / always-do lists, the full release process (annotated tag + gh release create), a change-type → file matrix for common tasks (add a skill, rename a skill, split a skill, bump a version), the load-bearing invariants table, and a "recently decided" section listing decisions that should not be re-argued: the 10-skill cap, functional-only CHANGELOG style, harsh mode as framing only, no bulk README rewrites, unify-design as intentionally web-dev specific, and release notes living on GitHub only.
scripts/validate_skills.py enforces the 500-line SKILL.md cap. The cap was previously documented in MAINTENANCE.md and docs/PHILOSOPHY.md but nothing checked it. The validator now fails any SKILL.md that exceeds 500 lines with a remediation pointer ("extract tail sections into references/*.md"). Every current skill fits under the cap — the largest is write-for-ai/SKILL.md at 379 lines — so this release is a no-op for existing skills and a guardrail against future regressions. The verbose mode (--verbose) now reports per-file line counts.
Why this matters
The 0.3.0 review revealed that harsh mode had a coverage gap (only 2 of 6 workers implemented it) because the rule existed as documentation, not as a check. Social rules decay without enforcement. This release moves two such rules — operational workflow and the SKILL.md line cap — into places that cannot be silently ignored: a CLAUDE.md that Claude reads every session, and a validator that blocks commits on failure.
The full, functional CHANGELOG is at CHANGELOG.md.
vibesubin 0.3.0
vibesubin 0.3.0 — three new skills, one split, tighter harsh mode.
⚠ Breaking change — migration
manage-config-env has been split into two skills. Your existing calls need to move:
| If you used to call | Use this now |
|---|---|
/manage-config-env for .env, secrets, .gitignore, secret rotation |
/manage-secrets-env |
/manage-config-env for branch strategy, dep pinning, directory layout, hardcoded paths |
/project-conventions |
The umbrella router (/vibesubin) already knows both — you only need to update direct /manage-config-env invocations. Re-run /plugin marketplace update and the new names are picked up automatically.
New skills
manage-secrets-env — the high-stakes half of the old manage-config-env. Four-bucket decision tree for where a value lives, .env ↔ .env.example drift check, default-safe .gitignore template, full secret lifecycle (add / update / rotate / remove / migrate / audit drift / provision new environment).
project-conventions — the low-stakes half. Picks GitHub Flow for you, enforces exact-pinned production dependencies with a committed lockfile, pushes toward domain-first directory layout, audits for absolute paths and literal IPs in source.
manage-assets — diagnosis-only bloat scan. Detects oversized files in the working tree, large blobs hiding in git history, LFS migration candidates, asset-directory growth, duplicate binaries. Never deletes, never rewrites history — every destructive action hands off to refactor-verify for verification. Pairs especially well with open-sourcing.
unify-design — web-dev design-system auditor and token extractor. Detects the framework (Tailwind v3, Tailwind v4, CSS Modules, styled-components, Emotion, Material UI, Chakra UI, vanilla CSS), scaffolds a tokens file with opinionated defaults if missing, audits for drift (hardcoded hex, arbitrary Tailwind values, inline styles, duplicate Button/Card/Nav/Logo components, near-match colors), and rewrites drift back to tokens. Multi-file consolidations hand off to refactor-verify.
Improvements
- Harsh mode now covers every specialist. Previously only 2 of 6 workers implemented the
tone=harshmarker switch; the umbrella propagated the marker but the other 4 silently fell back to balanced output. All 9 workers now implement the switch —/vibesubin harshactually feels harsh end-to-end. write-for-aienforces objectivity. A new section rules out marketing drift in generated docs: no unbacked adjectives (fast,production-ready,best-in-class), no superlatives without comparison, no weasel hedging, and every capability claim ships with a verification command. Enforced via the mandatory self-review checklist.fight-repo-rotadds test rot. Dead tests, obsolete fixtures, orphaned snapshot files, skipped tests older than six months, hardcoded sleeps inside test bodies, and oversized test files. Hands off torefactor-verifywith the same HIGH/MEDIUM/LOW confidence framing as production dead code.vibesubinumbrella drops time estimates. Phrases likecouple of minutes,Est. timecolumn,20 minexample rows are gone — they were unreliable across environments and read as promises. Replaced with qualitative size buckets (S / M / L).
Under the hood
docs/PHILOSOPHY.mdnow exists.MAINTENANCE.mdhad referenced it in the "future AI sessions should read this file" list, but the file was missing.plugins/vibesubin/.claude-plugin/plugin.jsonwas stuck at0.1.0while.claude-plugin/marketplace.jsonhad advanced to0.2.0. Both now sync at0.3.0.README.ko.md,README.ja.md,README.zh.mdwere rewritten end-to-end for the 0.3.0 structure in natural-voice translations, not literal.
The full, functional CHANGELOG is at CHANGELOG.md.