@every-env/compound-plugin 2.34.4 → 2.34.5

package/CHANGELOG.md

@@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 Release numbering now follows the repository `v*` tag line. Starting at `v2.34.0`, the root CLI package and this changelog stay on that shared version stream. Older entries below retain the previous `0.x` CLI numbering.
 
+## [2.34.5](https://github.com/EveryInc/compound-engineering-plugin/compare/v2.34.4...v2.34.5) (2026-03-10)
+
+
+### Bug Fixes
+
+* **lfg:** enforce plan phase with explicit step gating ([b07f43d](https://github.com/EveryInc/compound-engineering-plugin/commit/b07f43ddf59cd7f2fe54b2e0a00d2b5b508b7f11)), closes [#227](https://github.com/EveryInc/compound-engineering-plugin/issues/227)
+
 ## [2.34.4](https://github.com/EveryInc/compound-engineering-plugin/compare/v2.34.3...v2.34.4) (2026-03-04)
 
 

package/PRIVACY.md

@@ -0,0 +1,38 @@
+# Privacy & Data Handling
+
+This repository contains:
+- a plugin package (`plugins/compound-engineering`) made of markdown/config content
+- a CLI (`@every-env/compound-plugin`) that converts and installs plugin content for different AI coding tools
+
+## Summary
+
+- The plugin package does not include telemetry or analytics code.
+- The plugin package does not run a background service that uploads repository/workspace contents automatically.
+- Data leaves your machine only when your host/tooling or an explicitly invoked integration performs a network request.
+
+## What May Send Data
+
+1. AI host/model providers
+
+If you run the plugin in tools like Claude Code, Cursor, Gemini CLI, Copilot, Kiro, Windsurf, etc., those tools may send prompts/context/code to their configured model providers. This behavior is controlled by those tools and providers, not by this plugin repository.
+
+2. Optional integrations and tools
+
+The plugin includes optional capabilities that can call external services when explicitly used, for example:
+- Context7 MCP (`https://mcp.context7.com/mcp`) for documentation lookup
+- Proof (`https://www.proofeditor.ai`) when using share/edit flows
+- Other opt-in skills (for example image generation or cloud upload workflows) that call their own external APIs/services
+
+If you do not invoke these integrations, they do not transmit your project data.
+
+3. Package/installer infrastructure
+
+Installing dependencies or packages (for example `npm`, `bunx`) communicates with package registries/CDNs according to your package manager configuration.
+
+## Data Ownership and Retention
+
+This repository does not operate a backend service for collecting or storing your project/workspace data. Data retention and processing for model prompts or optional integrations are governed by the external services you use.
+
+## Security Reporting
+
+If you identify a security issue in this repository, follow the disclosure process in [SECURITY.md](SECURITY.md).

package/SECURITY.md

@@ -0,0 +1,29 @@
+# Security Policy
+
+## Supported Versions
+
+Security fixes are applied to the latest version on `main`.
+
+## Reporting a Vulnerability
+
+Please do not open a public issue for undisclosed vulnerabilities.
+
+Instead, report privately by emailing:
+- `kieran@every.to`
+
+Include:
+- A clear description of the issue
+- Reproduction steps or proof of concept
+- Impact assessment (what an attacker can do)
+- Any suggested mitigation
+
+We will acknowledge receipt as soon as possible and work with you on validation, remediation, and coordinated disclosure timing.
+
+## Scope Notes
+
+This repository primarily contains plugin instructions/configuration plus a conversion/install CLI.
+
+- Plugin instruction content itself does not run as a server process.
+- Security/privacy behavior also depends on the host AI tool and any external integrations you explicitly invoke.
+
+For data-handling details, see [PRIVACY.md](PRIVACY.md).

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@every-env/compound-plugin",
-  "version": "2.34.4",
+  "version": "2.34.5",
   "type": "module",
   "private": false,
   "bin": {

package/plugins/compound-engineering/commands/lfg.md

@@ -5,16 +5,30 @@ argument-hint: "[feature description]"
 disable-model-invocation: true
 ---
 
-Run these slash commands in order. Do not do anything else. Do not stop between steps — complete every step through to the end.
+CRITICAL: You MUST execute every step below IN ORDER. Do NOT skip any step. Do NOT jump ahead to coding or implementation. The plan phase (steps 2-3) MUST be completed and verified BEFORE any work begins. Violating this order produces bad output.
 
 1. **Optional:** If the `ralph-wiggum` skill is available, run `/ralph-wiggum:ralph-loop "finish all slash commands" --completion-promise "DONE"`. If not available or it fails, skip and continue to step 2 immediately.
+
 2. `/ce:plan $ARGUMENTS`
+
+   GATE: STOP. Verify that `/ce:plan` produced a plan file in `docs/plans/`. If no plan file was created, run `/ce:plan $ARGUMENTS` again. Do NOT proceed to step 3 until a written plan exists.
+
 3. `/compound-engineering:deepen-plan`
+
+   GATE: STOP. Confirm the plan has been deepened and updated. The plan file in `docs/plans/` should now contain additional detail. Do NOT proceed to step 4 without a deepened plan.
+
 4. `/ce:work`
+
+   GATE: STOP. Verify that implementation work was performed - files were created or modified beyond the plan. Do NOT proceed to step 5 if no code changes were made.
+
 5. `/ce:review`
+
 6. `/compound-engineering:resolve_todo_parallel`
+
 7. `/compound-engineering:test-browser`
+
 8. `/compound-engineering:feature-video`
+
 9. Output `<promise>DONE</promise>` when video is in PR
 
-Start with step 2 now (or step 1 if ralph-wiggum is available).
+Start with step 2 now (or step 1 if ralph-wiggum is available). Remember: plan FIRST, then work. Never skip the plan.