@every-env/compound-plugin 2.34.4 → 2.34.6

package/CHANGELOG.md

@@ -7,6 +7,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 Release numbering now follows the repository `v*` tag line. Starting at `v2.34.0`, the root CLI package and this changelog stay on that shared version stream. Older entries below retain the previous `0.x` CLI numbering.
 
+## [2.34.6](https://github.com/EveryInc/compound-engineering-plugin/compare/v2.34.5...v2.34.6) (2026-03-10)
+
+
+### Bug Fixes
+
+* **mcp:** add API key auth support for Context7 server ([c649cfc](https://github.com/EveryInc/compound-engineering-plugin/commit/c649cfc17f895b58babf737dfdec2f6cc391e40a)), closes [#153](https://github.com/EveryInc/compound-engineering-plugin/issues/153)
+
+## [2.34.5](https://github.com/EveryInc/compound-engineering-plugin/compare/v2.34.4...v2.34.5) (2026-03-10)
+
+
+### Bug Fixes
+
+* **lfg:** enforce plan phase with explicit step gating ([b07f43d](https://github.com/EveryInc/compound-engineering-plugin/commit/b07f43ddf59cd7f2fe54b2e0a00d2b5b508b7f11)), closes [#227](https://github.com/EveryInc/compound-engineering-plugin/issues/227)
+
 ## [2.34.4](https://github.com/EveryInc/compound-engineering-plugin/compare/v2.34.3...v2.34.4) (2026-03-04)
 
 

package/PRIVACY.md

@@ -0,0 +1,38 @@
+# Privacy & Data Handling
+
+This repository contains:
+- a plugin package (`plugins/compound-engineering`) made of markdown/config content
+- a CLI (`@every-env/compound-plugin`) that converts and installs plugin content for different AI coding tools
+
+## Summary
+
+- The plugin package does not include telemetry or analytics code.
+- The plugin package does not run a background service that uploads repository/workspace contents automatically.
+- Data leaves your machine only when your host/tooling or an explicitly invoked integration performs a network request.
+
+## What May Send Data
+
+1. AI host/model providers
+
+If you run the plugin in tools like Claude Code, Cursor, Gemini CLI, Copilot, Kiro, Windsurf, etc., those tools may send prompts/context/code to their configured model providers. This behavior is controlled by those tools and providers, not by this plugin repository.
+
+2. Optional integrations and tools
+
+The plugin includes optional capabilities that can call external services when explicitly used, for example:
+- Context7 MCP (`https://mcp.context7.com/mcp`) for documentation lookup
+- Proof (`https://www.proofeditor.ai`) when using share/edit flows
+- Other opt-in skills (for example image generation or cloud upload workflows) that call their own external APIs/services
+
+If you do not invoke these integrations, they do not transmit your project data.
+
+3. Package/installer infrastructure
+
+Installing dependencies or packages (for example `npm`, `bunx`) communicates with package registries/CDNs according to your package manager configuration.
+
+## Data Ownership and Retention
+
+This repository does not operate a backend service for collecting or storing your project/workspace data. Data retention and processing for model prompts or optional integrations are governed by the external services you use.
+
+## Security Reporting
+
+If you identify a security issue in this repository, follow the disclosure process in [SECURITY.md](SECURITY.md).

package/SECURITY.md

@@ -0,0 +1,29 @@
+# Security Policy
+
+## Supported Versions
+
+Security fixes are applied to the latest version on `main`.
+
+## Reporting a Vulnerability
+
+Please do not open a public issue for undisclosed vulnerabilities.
+
+Instead, report privately by emailing:
+- `kieran@every.to`
+
+Include:
+- A clear description of the issue
+- Reproduction steps or proof of concept
+- Impact assessment (what an attacker can do)
+- Any suggested mitigation
+
+We will acknowledge receipt as soon as possible and work with you on validation, remediation, and coordinated disclosure timing.
+
+## Scope Notes
+
+This repository primarily contains plugin instructions/configuration plus a conversion/install CLI.
+
+- Plugin instruction content itself does not run as a server process.
+- Security/privacy behavior also depends on the host AI tool and any external integrations you explicitly invoke.
+
+For data-handling details, see [PRIVACY.md](PRIVACY.md).

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@every-env/compound-plugin",
-  "version": "2.34.4",
+  "version": "2.34.6",
   "type": "module",
   "private": false,
   "bin": {

package/plugins/compound-engineering/.mcp.json

@@ -2,7 +2,10 @@
   "mcpServers": {
     "context7": {
       "type": "http",
-      "url": "https://mcp.context7.com/mcp"
+      "url": "https://mcp.context7.com/mcp",
+      "headers": {
+        "x-api-key": "${CONTEXT7_API_KEY:-}"
+      }
     }
   }
 }

package/plugins/compound-engineering/README.md

@@ -53,12 +53,11 @@ Agents are organized into categories for easier discovery.
 | `design-iterator` | Iteratively refine UI through systematic design iterations |
 | `figma-design-sync` | Synchronize web implementations with Figma designs |
 
-### Workflow (5)
+### Workflow (4)
 
 | Agent | Description |
 |-------|-------------|
 | `bug-reproduction-validator` | Systematically reproduce and validate bug reports |
-| `every-style-editor` | Edit content to conform to Every's style guide |
 | `lint` | Run linting and code quality checks on Ruby and ERB files |
 | `pr-comment-resolver` | Address PR comments and implement fixes |
 | `spec-flow-analyzer` | Analyze user flows and identify gaps in specifications |
@@ -190,6 +189,8 @@ Supports 100+ frameworks including Rails, React, Next.js, Vue, Django, Laravel,
 
 MCP servers start automatically when the plugin is enabled.
 
+**Authentication:** To avoid anonymous rate limits, set the `CONTEXT7_API_KEY` environment variable with your Context7 API key. The plugin passes this automatically via the `x-api-key` header. Without it, requests go unauthenticated and will quickly hit the anonymous quota limit.
+
 ## Browser Automation
 
 This plugin uses **agent-browser CLI** for browser automation tasks. Install it globally:
@@ -220,13 +221,16 @@ claude /plugin install compound-engineering
   "mcpServers": {
     "context7": {
       "type": "http",
-      "url": "https://mcp.context7.com/mcp"
+      "url": "https://mcp.context7.com/mcp",
+      "headers": {
+        "x-api-key": "${CONTEXT7_API_KEY:-}"
+      }
     }
   }
 }
 ```
 
-Or add it globally in `~/.claude/settings.json` for all projects.
+Set `CONTEXT7_API_KEY` in your environment to authenticate. Or add it globally in `~/.claude/settings.json` for all projects.
 
 ## Version History
 

package/plugins/compound-engineering/commands/ce/compound.md

@@ -21,7 +21,45 @@ Captures problem solutions while context is fresh, creating structured documenta
 /ce:compound [brief context]    # Provide additional context hint
 ```
 
-## Execution Strategy: Two-Phase Orchestration
+## Execution Strategy: Context-Aware Orchestration
+
+### Phase 0: Context Budget Check
+
+<critical_requirement>
+**Run this check BEFORE launching any subagents.**
+
+The /compound command is token-heavy - it launches 5 parallel subagents that collectively consume ~10k tokens of context. Running near context limits risks compaction mid-compound, which degrades output quality significantly.
+</critical_requirement>
+
+Before proceeding, the orchestrator MUST:
+
+1. **Assess context usage**: Check how long the current conversation has been running. If there has been significant back-and-forth (many tool calls, large file reads, extensive debugging), context is likely constrained.
+
+2. **Warn the user**:
+   ```
+   ⚠️ Context Budget Check
+
+   /compound launches 5 parallel subagents (~10k tokens). Long conversations
+   risk compaction mid-compound, which degrades documentation quality.
+
+   Tip: For best results, run /compound early in a session - right after
+   verifying a fix, before continuing other work.
+   ```
+
+3. **Offer the user a choice**:
+   ```
+   How would you like to proceed?
+
+   1. Full compound (5 parallel subagents, ~10k tokens) - best quality
+   2. Compact-safe mode (single pass, ~2k tokens) - safe near context limits
+   ```
+
+4. **If the user picks option 1** (or confirms full mode): proceed to Phase 1 below.
+5. **If the user picks option 2** (or requests compact-safe): skip to the **Compact-Safe Mode** section below.
+
+---
+
+### Full Mode
 
 <critical_requirement>
 **Only ONE file gets written - the final documentation.**
@@ -99,6 +137,44 @@ Based on problem type, optionally invoke specialized agents to review the docume
 
 </parallel_tasks>
 
+---
+
+### Compact-Safe Mode
+
+<critical_requirement>
+**Single-pass alternative for context-constrained sessions.**
+
+When context budget is tight, this mode skips parallel subagents entirely. The orchestrator performs all work in a single pass, producing a minimal but complete solution document.
+</critical_requirement>
+
+The orchestrator (main conversation) performs ALL of the following in one sequential pass:
+
+1. **Extract from conversation**: Identify the problem, root cause, and solution from conversation history
+2. **Classify**: Determine category and filename (same categories as full mode)
+3. **Write minimal doc**: Create `docs/solutions/[category]/[filename].md` with:
+   - YAML frontmatter (title, category, date, tags)
+   - Problem description (1-2 sentences)
+   - Root cause (1-2 sentences)
+   - Solution with key code snippets
+   - One prevention tip
+4. **Skip specialized agent reviews** (Phase 3) to conserve context
+
+**Compact-safe output:**
+```
+✓ Documentation complete (compact-safe mode)
+
+File created:
+- docs/solutions/[category]/[filename].md
+
+Note: This was created in compact-safe mode. For richer documentation
+(cross-references, detailed prevention strategies, specialized reviews),
+re-run /compound in a fresh session.
+```
+
+**No subagents are launched. No parallel tasks. One file written.**
+
+---
+
 ## What It Captures
 
 - **Problem symptom**: Exact error messages, observable behavior

package/plugins/compound-engineering/commands/lfg.md

@@ -5,16 +5,30 @@ argument-hint: "[feature description]"
 disable-model-invocation: true
 ---
 
-Run these slash commands in order. Do not do anything else. Do not stop between steps — complete every step through to the end.
+CRITICAL: You MUST execute every step below IN ORDER. Do NOT skip any step. Do NOT jump ahead to coding or implementation. The plan phase (steps 2-3) MUST be completed and verified BEFORE any work begins. Violating this order produces bad output.
 
 1. **Optional:** If the `ralph-wiggum` skill is available, run `/ralph-wiggum:ralph-loop "finish all slash commands" --completion-promise "DONE"`. If not available or it fails, skip and continue to step 2 immediately.
+
 2. `/ce:plan $ARGUMENTS`
+
+   GATE: STOP. Verify that `/ce:plan` produced a plan file in `docs/plans/`. If no plan file was created, run `/ce:plan $ARGUMENTS` again. Do NOT proceed to step 3 until a written plan exists.
+
 3. `/compound-engineering:deepen-plan`
+
+   GATE: STOP. Confirm the plan has been deepened and updated. The plan file in `docs/plans/` should now contain additional detail. Do NOT proceed to step 4 without a deepened plan.
+
 4. `/ce:work`
+
+   GATE: STOP. Verify that implementation work was performed - files were created or modified beyond the plan. Do NOT proceed to step 5 if no code changes were made.
+
 5. `/ce:review`
+
 6. `/compound-engineering:resolve_todo_parallel`
+
 7. `/compound-engineering:test-browser`
+
 8. `/compound-engineering:feature-video`
+
 9. Output `<promise>DONE</promise>` when video is in PR
 
-Start with step 2 now (or step 1 if ralph-wiggum is available).
+Start with step 2 now (or step 1 if ralph-wiggum is available). Remember: plan FIRST, then work. Never skip the plan.