Skip to content

vibesubin 0.7.1

Choose a tag to compare

@github-actions github-actions released this 27 Apr 03:00

TL;DR

Two AI-native failure modes the pack now actively guards against per-worker — recommending removal of unfamiliar code without identifying the why, and recommending gate-gaming as a fix when verification fails. Bundled with three previously-unreleased items (auto-verify hook, release CI safety net, marketplace metadata).

Engineering principles internalized

The pack now internalizes two named engineering principles as concrete per-skill checks, following the Karpathy-4-principles precedent — the rule lives in each affected SKILL.md, principle attribution lives here and in the changelog (no external shoutout in skill text).

Chesterton's Fence — don't remove what you don't understand

Workers refuse to recommend removal or replacement of unfamiliar code, files, env vars, assets, or conventions without first identifying the why (origin commit, recent issues/PRs, indirect references, ADRs). Confidence tier verified requires both zero references AND known origin; unclear origin downgrades to candidate-for-removal (or candidate-with-context-needed for convention changes) with operator confirmation.

Internalized in: fight-repo-rot, manage-assets, manage-secrets-env, refactor-verify, audit-security, project-conventions.

Goodhart's Law — don't recommend gaming the gate

Workers refuse to recommend gate-gaming patterns (as any, // @ts-ignore, eslint-disable without justification, weakened test assertions, .skip / xit, empty try/catch, expanded tsconfig excludes, continue-on-error: true on quality gates, suppression comments without CVE/justification) as fixes when verification fails. The pipeline measures correctness; gate-bypass mechanisms are a regression dressed as a fix.

Internalized in: refactor-verify, audit-security, setup-ci, codex-fix (wrapper enforces the canonical list at the wrapper boundary, no duplication).

Framing

Both principles are operationalizations of existing PHILOSOPHY invariants, not new ideology:

  • Invariant #2 (well-meaning junior developer) → stop-and-ask moments before destructive action (Chesterton)
  • Invariant #1 (Done is proven, not claimed) → proof of origin for verified tier and proof of correctness for gate passes (Chesterton + Goodhart)

The change is enforcement, not philosophy.

Also in 0.7.1 (previously [Unreleased])

  • Opt-in auto-verify hook (plugins/vibesubin/hooks/auto-verify.sh) — runs refactor-verify's symbol-diff.sh after MultiEdit ≥5 edits or signature-line diffs. Defaults OFF (VIBESUBIN_AUTO_VERIFY=1 to enable). Stderr-advisory only; 3-second hard timeout.
  • Release CI safety net (.github/workflows/release.yml) — tag-push workflow runs validate_skills.py, pytest, manifest version sync check (HARD: tag = marketplace = plugin), and forbidden-file scan before the GitHub release goes live.
  • Marketplace metadatacategory, tags, repository fields in .claude-plugin/marketplace.json for discoverability.

Under the hood

  • 11 files changed (+16 −2). 8 SKILL.md edits (one bullet each, two on refactor-verify and audit-security), 2 manifest version bumps, 1 CHANGELOG.md entry.
  • No new skills — the 10 hygiene + 1 process cap is unchanged.
  • No interface change — skill names, arguments, and 4-part output shape all identical.
  • No README.md / README.{ko,ja,zh}.md edits — no skill added, renamed, or removed, so translations stayed quiet.
  • scripts/validate_skills.py passes with all 12 checks. All SKILL.md files under the 500-line cap (largest affected: refactor-verify at 415).

Full changelog

See CHANGELOG.md for the complete entry.