Self-audit hot-fix release. Closes self-policy violations and documentation correctness gaps surfaced by static review against the pack's own invariants, plus one new reference (branch-models.md) closing the GitHub-Flow-only gap.
Fixed
.github/workflows/release.yml— third-party actions are now pinned to commit SHA persetup-ci's own policy:actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5(v4),actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065(v5),softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65(v2). Prior@v4/@v5/@v2floating tags violated the pack's own "tag can be moved; SHA cannot" invariant —setup-ciwarns user repos against this pattern, but vibesubin's own release CI was using it..github/workflows/release.yml—pip install pytestnow pins topytest==8.3.3, matchingvalidate-skills.yml. Previously unpinned, so the same pytest suite could run with different pytest versions in the two workflows..github/workflows/release.yml— secret filename check regex expanded to mirrormanage-secrets-env's secret-shaped entry list:id_ed25519*,*.p12,*.pfx,credentials*,secrets*,*.credentials.jsonnow also blocked. Each alternation anchors at a path-component boundary so words inside directory names (e.g.,manage-secrets-env/) do not false-positive;.md/.template/.exampledocumentation extensions are excluded; matched files are printed for debugging. Prior regex only caught.env,.pem,id_rsa,.key, leaving SSH ed25519 keys, PFX bundles, and service-account JSON keys free to land in a release commit..github/workflows/validate-skills.yml— path triggers expanded toscripts/**,tests/**,.claude-plugin/**,.github/workflows/**,MAINTENANCE.md,README.md,docs/i18n/**. Previously onlyplugins/**,scripts/validate_skills.py, and the validate-skills workflow itself triggered, so manifest version-sync changes, test edits, release-workflow edits, and translated README updates could bypass validation.plugins/vibesubin/skills/refactor-verify/scripts/callsite-count.sh— rename mode whereafter_count > before_countnow exits 1 by default (previously printed a NOTE and exited 0). Therefactor-verifyinvariant is "before-count must equal after-count"; a silent exit-0 on mismatch contradicted it. New--allow-extraflag opts in to intentional wrapper / adapter / alias additions.plugins/vibesubin/skills/refactor-verify/scripts/symbol-diff.sh— everyrginvocation now passes--no-filename --no-line-number, and outputs uselang:symbolprefix form. Internal moves (function relocated to a different file) no longer surface as adropped + addedfalse positive; public-API drops still surface because the symbol disappears from the language's symbol set.plugins/vibesubin/skills/refactor-verify/scripts/smoke-test.sh— whenpnpm-lock.yaml/yarn.lock/bun.lockbis present but the matching package manager is not installed, the script now exits 3 with a bootstrap hint. Previously fell back tonpm, which would silently install a different dependency tree from the same lockfile and produce a misleading "tests passed" signal.plugins/vibesubin/skills/manage-secrets-env/SKILL.md—.envfile precedence is now correctly split between Next.js (process.env → .env.$NODE_ENV.local → .env.local → .env.$NODE_ENV → .env, earlier wins) and Vite (loads.env,.env.local,.env.[mode],.env.[mode].local; later wins for files but already-set process env beats every file). Previously both were described with one shared chain, which is wrong for Next.js.plugins/vibesubin/skills/project-conventions/SKILL.md— dependency pinning rule split per repo type (app/template: exact pin + committed lockfile / library: semver range + lockfile-for-tests + compatibility matrix / monorepo: per-package). Previously the repo-type table separated them but the body sentence collapsed everything to "every production dependency is pinned to an exact version", contradicting the table for libraries.plugins/vibesubin/skills/refactor-verify/SKILL.md— frontmatterallowed-toolsno longer includesBash(git stash *). The skill body declaresgit stashnon-negotiable forbidden as an isolation mechanism; the tool-permission grant contradicted that.
Added
plugins/vibesubin/skills/ship-cycle/references/branch-models.md(130 lines) — new reference comparing GitHub Flow / GitFlow / Trunk-based, documenting why ship-cycle picks GitHub Flow and how it defers when a GitFlow / Trunk-based repo is detected (Step 1.5 announcement, Step 9 branch-naming deferral, Step 10 release-pipeline blocking on GitFlow).ship-cycle/SKILL.mdStep 2 Assumptions block'sBranch convention:line links to it.
Changed
- Plugin version
0.7.1→0.7.2in.claude-plugin/marketplace.jsonandplugins/vibesubin/.claude-plugin/plugin.json. Patch bump: every change in this release is either a fix to a self-policy violation or a documentation correctness gap surfaced by static self-audit, with one new reference (branch-models.md) added to close the GitHub-Flow-only deferral gap.
Full changelog: CHANGELOG.md · diff: v0.7.1...v0.7.2