@trendai-crem/claude-skills 1.3.0 → 1.5.0

package/README.md

@@ -8,13 +8,14 @@ One-command Claude Code skill installer for the team. Installs curated AI agent
 npx @trendai-crem/claude-skills
 ```
 
-That's it. The command installs all three source types declared in `sources.json`:
+That's it. The command installs all four source types declared in `sources.json`:
 
 | Source type | What it installs | How to change |
 |-------------|-----------------|---------------|
+| **rules-dir** | Team-shared rules to `~/.claude/rules/team/` (loaded in every session) | Add/remove `rules/<name>.md`, bump version, PR |
 | **skills-repo** | [superpowers](https://github.com/obra/superpowers) — brainstorming, debugging, TDD, and more | Edit `sources.json`, bump version, PR |
 | **skills-dir** | Team skills in this repo's `skills/` directory | Add/remove `skills/<name>/`, bump version, PR |
-| **marketplace** | Plugins from `ai-skill-marketplace`, `claude-plugins-official`, and `openai-codex` | Edit `plugins` list in `sources.json`, bump version, PR |
+| **marketplace** | Plugins from `ai-skill-marketplace`, `claude-plugins-official`, `openai-codex`, and `everything-claude-code` | Edit `plugins` list in `sources.json`, bump version, PR |
 
 Re-run to update everything:
 
@@ -24,6 +25,14 @@ npx @trendai-crem/claude-skills@latest
 
 Auto-update runs at session start — you'll be notified when a new version is available and it installs automatically.
 
+## Team Rules (`rules/`)
+
+Rules are `.md` files installed to `~/.claude/rules/team/` and automatically loaded in every Claude session across all projects. Use rules for team-wide conventions that should always apply.
+
+| Rule | Description |
+|------|-------------|
+| **confluence-editing** | Use `atlassian-tools` skill for Confluence edits — never use raw MCP update tools |
+
 ## Team Skills (`skills/`)
 
 | Skill | Trigger | Description |
@@ -49,6 +58,16 @@ Installed from [ai-skill-marketplace](https://github.com/trend-ai-taskforce/ai-s
 
 ## For Maintainers
 
+### Adding a team rule
+
+1. Create a branch: `git checkout -b feat/add-<rule-name>`
+2. Add `rules/<rule-name>.md` (plain markdown, no frontmatter needed)
+3. Keep rules short (<50 lines) — they consume context window in every session
+4. Bump version: `npm version patch`
+5. Commit, push, open a PR, merge — CI publishes automatically
+
+Rules are always overwritten on install (not no-clobber) to stay in sync with the repo.
+
 ### Adding a team skill
 
 1. Create a branch: `git checkout -b feat/add-<skill-name>`
@@ -178,9 +197,13 @@ sources.json
     ↓
 cli.js (thin orchestrator)
     ↓
-lib/handlers/{skills-dir, skills-repo, marketplace}.js
+lib/handlers/{rules-dir, skills-dir, skills-repo, marketplace}.js
     ↓
 ~/.claude/claude-skills-manifest.json  (tracks what's installed)
+    ↓
+~/.claude/rules/team/     ← rules-dir handler
+~/.claude/skills/         ← skills-dir, skills-repo handlers
+~/.claude/plugins/        ← marketplace handler
 ```
 
 Removals propagate automatically: remove an entry from `sources.json`, bump version, and the next auto-update uninstalls it for all team members.

package/cli.js

@@ -92,9 +92,11 @@ function installEccRules() {
   const eccRulesDir = join(eccMarketplace, 'rules');
   if (!existsSync(eccRulesDir)) return;
 
+  const ALLOWED_LANGS = new Set(['common', 'typescript', 'java', 'golang', 'python', 'swift']);
+
   const destDir = join(homedir(), '.claude', 'rules');
   const languages = readdirSync(eccRulesDir, { withFileTypes: true })
-    .filter(d => d.isDirectory())
+    .filter(d => d.isDirectory() && ALLOWED_LANGS.has(d.name))
     .map(d => d.name);
 
   let copied = 0;

package/lib/handlers/index.js

@@ -1,9 +1,11 @@
 import { skillsDirHandler } from './skills-dir.js';
 import { skillsRepoHandler } from './skills-repo.js';
 import { marketplaceHandler } from './marketplace.js';
+import { rulesDirHandler } from './rules-dir.js';
 
 // Use Object.create(null) to prevent prototype chain traversal on adversarial type values.
 export const HANDLERS = Object.create(null);
 HANDLERS['skills-dir']  = skillsDirHandler;
 HANDLERS['skills-repo'] = skillsRepoHandler;
 HANDLERS['marketplace'] = marketplaceHandler;
+HANDLERS['rules-dir']   = rulesDirHandler;

package/lib/handlers/rules-dir.js

@@ -0,0 +1,70 @@
+import { readdirSync, copyFileSync, mkdirSync, existsSync, unlinkSync, rmdirSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+
+const DEST_DIR = join(homedir(), '.claude', 'rules', 'team');
+
+/**
+ * Handler for team-shared rules (type: "rules-dir").
+ * Copies .md files from <repo>/rules/ to ~/.claude/rules/team/.
+ */
+export const rulesDirHandler = {
+  /**
+   * Returns the set of rule file names in the source directory.
+   * @param {object} entry - Source entry (uses convention: <baseDir>/rules/).
+   * @param {string} baseDir - Repository base directory.
+   * @returns {Set<string>|null}
+   */
+  getDesired(entry, baseDir) {
+    const srcDir = join(baseDir, entry.path ?? 'rules');
+    try {
+      const names = readdirSync(srcDir)
+        .filter(f => f.endsWith('.md'))
+        .sort();
+      return new Set(names);
+    } catch (err) {
+      console.warn(`\nWARN: Cannot read rules directory "${srcDir}": ${err.message}`);
+      return null;
+    }
+  },
+
+  /**
+   * Copies rule .md files to ~/.claude/rules/team/.
+   * Always overwrites to keep rules in sync with the repo.
+   * @returns {Array<{label, action, ok}>}
+   */
+  install(entry, baseDir) {
+    const srcDir = join(baseDir, entry.path ?? 'rules');
+    mkdirSync(DEST_DIR, { recursive: true });
+
+    try {
+      const files = readdirSync(srcDir).filter(f => f.endsWith('.md'));
+      for (const file of files) {
+        copyFileSync(join(srcDir, file), join(DEST_DIR, file));
+      }
+      console.log(`\n  Rules installed to ${DEST_DIR}/ (${files.length} files)`);
+      return [{ label: entry.label, action: 'install-group', ok: true }];
+    } catch (err) {
+      console.error(`\nFailed: ${entry.label} (${err.message})`);
+      return [{ label: entry.label, action: 'install-group', ok: false }];
+    }
+  },
+
+  /**
+   * Removes stale rule files from ~/.claude/rules/team/.
+   * @param {string[]} staleItems - File names to remove.
+   * @returns {Array<{label, action, ok}>}
+   */
+  uninstall(staleItems) {
+    return staleItems.map(file => {
+      const dest = join(DEST_DIR, file);
+      try {
+        if (existsSync(dest)) unlinkSync(dest);
+        return { label: file, action: 'uninstall', ok: true };
+      } catch (err) {
+        console.error(`\nFailed to remove rule ${file}: ${err.message}`);
+        return { label: file, action: 'uninstall', ok: false };
+      }
+    });
+  },
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@trendai-crem/claude-skills",
-  "version": "1.3.0",
+  "version": "1.5.0",
   "description": "Claude Code skills installer for the trendai-crem team",
   "license": "UNLICENSED",
   "repository": {
@@ -15,7 +15,8 @@
     "sources.json",
     "marketplace.json",
     "lib/",
-    "skills/"
+    "skills/",
+    "rules/"
   ],
   "type": "module",
   "engines": {

package/rules/confluence-editing.md

@@ -0,0 +1,20 @@
+# Confluence Editing
+
+When editing Confluence pages, ALWAYS use the `atlassian-tools` skill
+(confluence_cli.py retrieve → edit local .md → update --file).
+
+NEVER use `mcp__atlassian__updateConfluencePage` with markdown contentFormat — it loses
+diagrams, macros, panels, and other ADF elements.
+
+NEVER use `mcp__atlassian__updateConfluencePage` with ADF contentFormat for large pages —
+the body parameter has a size limit that truncates content.
+
+Correct workflow:
+1. `confluence_cli.py -o <project>/.atlassian retrieve <pageId>`
+2. Edit the local `.md` file (Mermaid = ```mermaid blocks, macros = <!-- confluence-macro --> comments)
+3. `confluence_cli.py -o <project>/.atlassian update <pageId> --file <path>.md`
+
+The atlassian-tools skill handles:
+- Bidirectional HTML↔Markdown conversion preserving all Confluence elements
+- Version conflict detection with auto patch-merge
+- Local caching for offline editing

package/skills/code-review/README.md

@@ -14,7 +14,7 @@ Multi-perspective code review for Trend Micro teams, powered by Claude Code.
 | Quality | Naming, style guide compliance, documentation |
 | Testing | Coverage, error handling, regression tests, requirements |
 
-Optional 6th reviewer: **Codex (gpt-5.4, fallback gpt-5.3-codex)** as cross-model baseline (auto-detected, not required). Retries 3 times on gpt-5.4 before falling back.
+Optional 6th reviewer: **Codex (gpt-5.4, fallback gpt-5.3-codex)** as cross-model baseline (auto-detected, not required). Supports the official Codex companion plugin (`codex-companion.mjs`) with fallback to raw CLI (`codex exec`). Retries 3 times on gpt-5.4 before falling back.
 
 ### Security Gate (Mandatory, Non-Bypassable)
 
@@ -139,7 +139,7 @@ The skill auto-triggers when Claude detects a code review request.
 [Step 3] Write review prompt with language packs
     |
     v
-[Step 3.5] Check Codex availability (optional)
+[Step 3.5] Detect Codex mode (companion → CLI → unavailable)
     |
     v
 [Step 4] Launch reviewers in parallel (ONE message)
@@ -149,7 +149,7 @@ The skill auto-triggers when Claude detects a code review request.
     +---> security-reviewer (Claude Agent, MANDATORY GATE)
     +---> quality-reviewer (Claude Agent)
     +---> testing-reviewer (Claude Agent)
-    +---> codex (gpt-5.4 x3 retry, fallback gpt-5.3-codex, if available)
+    +---> codex (companion plugin or CLI, gpt-5.4 x3 retry, fallback gpt-5.3-codex)
     |
     v
 [Step 5-7] Collect results, synthesize report
@@ -178,7 +178,7 @@ Installation is handled by the repo's root `install.sh`.
 ## FAQ
 
 **Q: Do I need Codex CLI installed?**
-A: No. The skill auto-detects Codex. Without it, 5 Claude reviewers provide full coverage. Codex adds an independent cross-model baseline.
+A: No. The skill auto-detects Codex in three modes: (1) official Codex companion plugin (`codex-companion.mjs` via `--prompt-file`), (2) raw Codex CLI (`codex exec`), (3) not available. Without Codex, 5 Claude reviewers provide full coverage. Codex adds an independent cross-model baseline.
 
 **Q: Does it work with repos using `main` instead of `develop`?**
 A: Yes. The skill shows commit counts for origin/develop, origin/main, and origin/master, then asks you to confirm the correct base branch.
@@ -201,6 +201,7 @@ A: The skill produces a report — it does not directly block git operations. Th
 
 | Version | Date | Changes |
 |---------|------|---------|
+| v1.3.0 | 2026-03-31 | Codex companion plugin support (`codex-companion.mjs` with `--prompt-file`), three-mode detection (companion → CLI → skip), raw CLI preserved as fallback |
 | v1.2.0 | 2026-03-23 | Session-isolated temp files, user-confirmed base branch, SOLID/design pattern evaluation, Codex gpt-5.4 retry x3 + gpt-5.3-codex fallback, 30min timeout |
 | v1.1.0 | 2026-03-21 | Base branch detection fix, `.c` extension support, security-reviewer gets language pack |
 | v1.0.0 | 2026-03-20 | Initial release: 5 lenses + Codex, SCD 10, OWASP Top 10, Red/Blue Team, language packs, JSON output |

package/skills/code-review/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: code-review
-version: "1.2.0"
+version: "1.3.0"
 description: "Multi-perspective code review with 5 standards-aligned reviewers + Codex baseline. Enforces Trend Micro RDSec policy, Secure Coding Dojo checkpoints, and company-wide review checklist. Use when the user asks for code review, review changes, review branch, or review PR."
 ---
 
@@ -120,14 +120,17 @@ Use the `Write` tool to create `${REVIEW_DIR}/review-prompt.txt` with the REVIEW
 
 ## Step 3.5: Detect Codex Availability
 
-Before launching reviews, check if Codex CLI is installed:
+Before launching reviews, detect Codex integration mode. The official Codex companion plugin is preferred over the raw CLI:
 
 ```
-Bash("command -v codex >/dev/null 2>&1 && echo 'CODEX_AVAILABLE' || echo 'CODEX_UNAVAILABLE'")
+Bash("COMPANION=$(find \"$HOME/.claude/plugins/marketplaces\" -name \"codex-companion.mjs\" -path \"*/openai-codex/*\" 2>/dev/null | head -1); if [ -n \"$COMPANION\" ] && [ -f \"$COMPANION\" ]; then echo \"CODEX_MODE=companion\"; echo \"COMPANION_PATH=$COMPANION\"; elif command -v codex >/dev/null 2>&1; then echo \"CODEX_MODE=cli\"; else echo \"CODEX_MODE=unavailable\"; fi")
 ```
 
-- If `CODEX_AVAILABLE` → include Codex as the 6th reviewer (cross-model baseline)
-- If `CODEX_UNAVAILABLE` → proceed with 5 Claude reviewers only. Note in report: "Codex baseline: SKIPPED (CLI not installed)"
+Save `CODEX_MODE` and (if applicable) `COMPANION_PATH` for use in Step 4b.
+
+- If `CODEX_MODE=companion` → official Codex plugin detected. Use `node "$COMPANION_PATH" task --prompt-file` for execution. Include Codex as the 6th reviewer.
+- If `CODEX_MODE=cli` → legacy Codex CLI available. Use `codex exec` for execution (backward-compatible). Include Codex as the 6th reviewer.
+- If `CODEX_MODE=unavailable` → no Codex integration. Proceed with 5 Claude reviewers only. Note in report: "Codex baseline: SKIPPED (not installed)"
 
 **This is NOT a blocker.** The 5 Claude lens reviewers provide full coverage. Codex adds independent cross-model validation but is optional.
 
@@ -140,7 +143,20 @@ Execute ALL of the following in a SINGLE message (5 reviewers if no Codex, 6 if
 TeamCreate(team_name="code-review")
 ```
 
-### 4b. Launch Codex (ONLY if CODEX_AVAILABLE)
+### 4b. Launch Codex (ONLY if CODEX_MODE is "companion" or "cli")
+
+Select the appropriate invocation based on `CODEX_MODE` from Step 3.5. Skip this step entirely if `CODEX_MODE=unavailable`.
+
+**If CODEX_MODE is "companion" (official plugin):**
+```
+Bash(
+  command='COMPANION="${COMPANION_PATH}"; REVIEW_DIR_VAL="${REVIEW_DIR}"; MODEL="gpt-5.4"; FALLBACK="gpt-5.3-codex"; MAX_RETRY=3; for i in $(seq 1 $MAX_RETRY); do echo "Attempt $i/$MAX_RETRY with $MODEL via companion"; node "$COMPANION" task --prompt-file "${REVIEW_DIR_VAL}/review-prompt.txt" --model $MODEL 2>"${REVIEW_DIR_VAL}/codex-stderr.txt" && exit 0; echo "Failed (attempt $i)"; sleep 2; done; echo "gpt-5.4 failed after $MAX_RETRY attempts. Falling back to $FALLBACK..."; node "$COMPANION" task --prompt-file "${REVIEW_DIR_VAL}/review-prompt.txt" --model $FALLBACK 2>"${REVIEW_DIR_VAL}/codex-stderr.txt"',
+  run_in_background=true,
+  timeout=1800000
+)
+```
+
+**If CODEX_MODE is "cli" (legacy fallback):**
 ```
 Bash(
   command='REVIEW_DIR_VAL="${REVIEW_DIR}"; MODEL="gpt-5.4"; FALLBACK="gpt-5.3-codex"; MAX_RETRY=3; for i in $(seq 1 $MAX_RETRY); do echo "Attempt $i/$MAX_RETRY with $MODEL"; cat ${REVIEW_DIR_VAL}/review-prompt.txt | codex exec -m $MODEL -s read-only --skip-git-repo-check - 2>${REVIEW_DIR_VAL}/codex-stderr.txt && exit 0; echo "Failed (attempt $i)"; sleep 2; done; echo "gpt-5.4 failed after $MAX_RETRY attempts. Falling back to $FALLBACK..."; cat ${REVIEW_DIR_VAL}/review-prompt.txt | codex exec -m $FALLBACK -s read-only --skip-git-repo-check - 2>${REVIEW_DIR_VAL}/codex-stderr.txt',
@@ -149,10 +165,15 @@ Bash(
 )
 ```
 
-**Codex retry strategy:**
+**Codex retry strategy (same for both modes):**
 - Default model: `gpt-5.4` (retry up to 3 times on failure)
 - Fallback: `gpt-5.3-codex` (if all 3 retries fail)
-- Skip this step entirely if Codex CLI is unavailable. Do NOT error or warn the user to install it.
+- Skip this step entirely if `CODEX_MODE=unavailable`. Do NOT error or warn the user to install it.
+
+**Companion mode advantages:**
+- `--prompt-file` reads the review prompt directly from disk (no stdin piping)
+- The companion validates authentication via `ensureCodexReady()` before executing
+- No `--skip-git-repo-check` or `-s read-only` flags needed (companion defaults to read-only sandbox without `--write`)
 
 ### 4c. Spawn Architecture Reviewer
 ```
@@ -754,7 +775,7 @@ TypeScript-specific checks:
 | security-reviewer | Security (GATE) | Claude | [OK/FAILED/TIMEOUT] | N crit, N major, N minor |
 | quality-reviewer | Style + Documentation | Claude | [OK/FAILED/TIMEOUT] | N crit, N major, N minor |
 | testing-reviewer | Testing + Requirements | Claude | [OK/FAILED/TIMEOUT] | N crit, N major, N minor |
-| codex | External Baseline | gpt-5.4 (fallback: gpt-5.3-codex) | [OK/FAILED/TIMEOUT] | N crit, N major, N minor |
+| codex | External Baseline | gpt-5.4 via companion/CLI (fallback: gpt-5.3-codex) | [OK/FAILED/TIMEOUT] | N crit, N major, N minor |
 
 ### Dimension Scores
 
@@ -800,7 +821,7 @@ TypeScript-specific checks:
 #### Testing Reviewer
 (same format)
 
-#### Codex (gpt-5.4 / gpt-5.3-codex fallback)
+#### Codex (gpt-5.4 via companion/CLI, fallback: gpt-5.3-codex)
 (same format)
 
 ---
@@ -859,7 +880,7 @@ Note: These three verdicts are evaluated in order: FAIL first, then PASS, then P
 
 ## Rules
 
-1. **Codex default model is `gpt-5.4`, retry 3 times on failure, then fallback to `gpt-5.3-codex`. If Codex CLI is not installed, skip gracefully — do NOT ask the user to install it.**
+1. **Codex uses the official companion plugin when available (`codex-companion.mjs` with `--prompt-file`), falling back to raw CLI (`codex exec`) if the plugin is not installed. Default model is `gpt-5.4`, retry 3 times on failure, then fallback to `gpt-5.3-codex`. If neither companion nor CLI is available, skip gracefully — do NOT ask the user to install it.**
 2. **Claude teammates use Agent Teams. No `claude -p`. No `unset CLAUDECODE`.**
 3. **Every issue must have exact file:line, code snippet, and policy reference. No vague descriptions.**
 4. **Do NOT recommend replacing dependencies unless a concrete bug is demonstrated.**

package/skills/code-review/TEST_PLAN.md

@@ -269,6 +269,28 @@ for issue in data["issues"]:
 - **Expected**: Remaining reviewers complete, report marks failed reviewer, averages adjust
 - **Validates**: Graceful partial failure
 
+### 2.8 Codex Integration Modes
+
+#### TC-CDX-01: Companion plugin detected and used
+- **Setup**: Ensure `~/.claude/plugins/marketplaces/openai-codex/` contains `codex-companion.mjs`
+- **Expected**: `CODEX_MODE=companion`, `COMPANION_PATH` resolved, Codex invoked via `node "$COMPANION" task --prompt-file`
+- **Validates**: Official companion plugin detection and execution path
+
+#### TC-CDX-02: Companion not found, CLI fallback
+- **Setup**: Remove or rename companion plugin directory, ensure `codex` CLI is in PATH
+- **Expected**: `CODEX_MODE=cli`, Codex invoked via `cat ... | codex exec -m ... -s read-only --skip-git-repo-check -`
+- **Validates**: Backward-compatible CLI fallback when plugin is not installed
+
+#### TC-CDX-03: Neither companion nor CLI available
+- **Setup**: Remove companion plugin AND ensure `codex` not in PATH
+- **Expected**: `CODEX_MODE=unavailable`, report notes "Codex baseline: SKIPPED (not installed)", 5 Claude reviewers only
+- **Validates**: Graceful skip without error or user prompt
+
+#### TC-CDX-04: Companion auth failure
+- **Setup**: Companion plugin exists but Codex is not authenticated (`codex login` not run)
+- **Expected**: Companion's `ensureCodexReady()` throws, retry loop catches failure, Codex marked as FAILED in report
+- **Validates**: Auth failure handling in companion mode
+
 ---
 
 ## 3. Test Fixtures

package/sources.json

@@ -1,6 +1,11 @@
 {
   "version": 1,
   "sources": [
+    {
+      "type": "rules-dir",
+      "path": "./rules",
+      "label": "team-rules"
+    },
     {
       "type": "skills-dir",
       "path": "./skills",