codeforge-dev 1.14.1 → 2.0.0

package/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/skills/ship/SKILL.md

@@ -0,0 +1,314 @@
+---
+description: Review changes, commit with detailed message, push, and optionally create pull request
+argument-hint: [commit message hint]
+disable-model-invocation: true
+allowed-tools: Bash(gh:*), Bash(git:*), Read, Grep, Glob, Edit, Write, AskUserQuestion
+---
+
+# /ship - Review, Commit, Push & Optional PR
+
+Review all changes, commit with a detailed message, push, and optionally create a pull request. Optionally links to tickets if context exists from `/ticket:work`.
+
+## Input
+
+`$ARGUMENTS` - Optional commit message hint or summary of changes. May be empty.
+
+## Process
+
+### Phase 1: Gather Context
+
+```bash
+# Working tree state
+git status
+git diff HEAD
+git diff --staged
+
+# Branch info
+git branch --show-current
+git log main..HEAD --oneline
+git diff main...HEAD --stat
+
+# Discover project rules
+ls -la CLAUDE.md .claude/CLAUDE.md CLAUDE.local.md 2>/dev/null
+ls -la .claude/rules/*.md 2>/dev/null
+```
+
+Check for ticket context in the current session. If a ticket number is available from a prior `/ticket:work` call, note it for linking in later phases. Do NOT prompt for a ticket — this command works standalone.
+
+### Phase 2: Full Review
+
+Review ALL changes (staged + unstaged) with `file:line` references.
+
+#### Security Review
+
+| Check | Look For |
+|-------|----------|
+| Secrets | API keys, passwords, tokens, connection strings in code |
+| Injection | SQL injection, command injection, XSS, CSRF |
+| Auth/Authz | Missing auth checks, privilege escalation paths |
+| Data Exposure | PII in logs, sensitive data in error messages |
+| Dependencies | New dependencies with known vulnerabilities |
+| Input Validation | Unvalidated user input, missing sanitization |
+
+#### Project Rules Adherence
+
+Check compliance with project-specific rules:
+
+1. **Discover rules**:
+   - Read `CLAUDE.md` or `.claude/CLAUDE.md` if present
+   - Read all files in `.claude/rules/*.md`
+   - Check `CLAUDE.local.md` for user-specific rules
+
+2. **Review for compliance**:
+   - Check if changes violate any stated rules
+   - Note architectural patterns that should be followed
+   - Flag deviations from documented conventions
+
+| Rule Source | Compliance | Notes |
+|-------------|------------|-------|
+| CLAUDE.md | OK / VIOLATION | [specifics] |
+| rules/[name].md | OK / VIOLATION | [specifics] |
+
+#### Code Quality Review
+
+| Check | Look For |
+|-------|----------|
+| Complexity | Nesting depth > 3, high cyclomatic complexity |
+| Duplication | Copy-paste code, extractable shared logic |
+| Naming | Unclear names, inconsistent conventions |
+| Error Handling | Missing boundaries, generic catches, no recovery |
+| SOLID Violations | God classes, tight coupling, leaky abstractions |
+| Dead Code | Unreachable code, unused imports/variables |
+
+#### Architecture Review
+
+| Check | Look For |
+|-------|----------|
+| Pattern Compliance | Deviations from established patterns |
+| Coupling | Inappropriate dependencies, circular imports |
+| API Contracts | Breaking changes, missing versioning |
+| Cohesion | Mixed responsibilities, scattered logic |
+
+#### Test Review
+
+**Note**: If user indicates tests are not applicable or opts out, skip this section entirely and note "Tests: Skipped per user preference."
+
+| Check | Assess |
+|-------|--------|
+| Behavior Coverage | Are key behaviors tested? (not line count) |
+| Test Quality | Do tests verify outcomes, not implementation? |
+| Brittleness | Any tests that will break on refactor? |
+| Over-testing | Trivial code with unnecessary tests? |
+| Under-testing | Critical paths without tests? |
+
+### Phase 3: Present Findings
+
+Organize ALL findings by severity:
+
+```markdown
+## Review Findings
+
+### Critical (Must Fix Before Commit)
+- [Finding]: [file:line] - [Impact]
+
+### High (Should Fix Before Commit)
+- [Finding]: [file:line] - [Impact]
+
+### Medium (Fix Soon)
+- [Finding]: [file:line] - [Impact]
+
+### Low (Nice to Have)
+- [Finding]: [file:line] - [Impact]
+
+### Info (Observations)
+- [Observation]
+
+### Project Rules Compliance
+| Rule Source | Status | Details |
+|-------------|--------|---------|
+| ... | ... | ... |
+```
+
+If no findings in a severity level, omit that section.
+
+### Phase 4: User Decisions on Findings
+
+Use AskUserQuestion to batch decisions:
+
+```
+For each category of findings, select handling:
+- FIX: Address before commit
+- ISSUE: Create GitHub issue for later
+- IGNORE: Acknowledge and proceed
+```
+
+Allow multi-select within categories.
+
+### Phase 5: Fix Selected Items
+
+Address all items marked FIX. Re-run relevant checks after fixes.
+
+### Phase 6: Create Issues (if selected)
+
+For findings marked ISSUE, group by category:
+
+```bash
+gh issue create --title "[Category] findings from [branch]" --body "$(cat <<'EOF'
+## [Category] Findings
+
+**Source**: Branch `[branch]`, commit `[hash]`
+[**Related Ticket**: #[TICKET] — only if ticket context exists]
+
+### Findings
+
+- [ ] [Finding 1] - `file:line`
+- [ ] [Finding 2] - `file:line`
+
+### Context
+
+[Brief context about what was being implemented]
+EOF
+)"
+```
+
+Link to ticket if context exists.
+
+### Phase 7: Draft Commit Message
+
+```markdown
+<type>(<scope>): <summary>
+
+<Business context>
+- [Change description]
+- [User-facing impact]
+
+<Technical changes>
+- [File/component changed]
+- [Pattern used]
+
+<Review findings>
+- Addressed: [list]
+- Deferred to #[issue]: [list]
+- Acknowledged: [list]
+
+Closes #[TICKET] (if completing all requirements — only if ticket context)
+Refs #[TICKET] (if partial — only if ticket context)
+```
+
+Types: `feat`, `fix`, `refactor`, `test`, `docs`, `chore`
+
+If `$ARGUMENTS` provided a commit message hint, use it to inform the summary line.
+
+### Phase 8: User Sign-Off on Commit Message
+
+Present commit message for approval via AskUserQuestion. Allow edits. Do not proceed without explicit approval.
+
+### Phase 9: Commit & Push
+
+```bash
+git add [specific files — never git add -A]
+git commit -m "$(cat <<'EOF'
+[approved message]
+EOF
+)"
+git push -u origin $(git branch --show-current)
+```
+
+Stage specific files by name. Never use `git add .` or `git add -A`.
+
+### Phase 10: Ask About PR
+
+Use AskUserQuestion:
+
+```
+Changes committed and pushed to [branch].
+
+Would you like to create a pull request?
+- Yes: Create PR targeting main
+- No: Done — just commit and push
+```
+
+If **No** → skip to Phase 12.
+
+### Phase 11: Create PR (conditional)
+
+```bash
+gh pr create --title "<type>(<scope>): <summary>" --body "$(cat <<'EOF'
+## Summary
+
+- [1-3 bullet points of what this PR accomplishes]
+
+## Related Issue
+
+[Closes #TICKET / Refs #TICKET — only if ticket context exists]
+
+## Changes
+
+- [Component]: [What changed]
+
+## Testing
+
+- [ ] [How to test each change]
+
+---
+*PR created by Claude. Awaiting human review.*
+EOF
+)"
+```
+
+Capture PR number.
+
+If ticket context exists, post comment to the original issue:
+
+```bash
+gh issue comment $TICKET --body "$(cat <<'EOF'
+## Pull Request Created
+
+**PR**: #[PR_NUMBER]
+**Branch**: [branch]
+
+### Status
+- [x] PR created
+- [ ] Human review pending
+- [ ] Approved and merged
+
+---
+*PR created by Claude.*
+EOF
+)"
+```
+
+### Phase 12: Report
+
+Output summary:
+
+```markdown
+## Ship Summary
+
+- **Commit**: [hash] on `[branch]`
+- **Push**: [branch] → origin/[branch]
+- **PR**: #[N] ([URL]) — or "Not created"
+- **Issues Created**: #[N]: [category] — or "None"
+- **Ticket**: #[TICKET] linked — or "Standalone (no ticket context)"
+```
+
+## Rules
+
+- **Full review is mandatory** — no skipping phases 2-3
+- **User MUST approve** commit message before committing
+- **AskUserQuestion MUST confirm** before PR creation — never auto-create
+- **NEVER auto-approve** PRs
+- **Stage specific files** — never `git add .` or `git add -A`
+- **Optionally ticket-aware** — link to ticket if context exists, never prompt for one
+- **Batch** all GitHub operations
+- **Check project rules** (CLAUDE.md, .claude/rules/*.md) thoroughly
+- Present findings FIRST, then get decisions
+- Fix selected items BEFORE drafting commit
+
+## Finding Severity Guide
+
+**Critical**: Security vulnerability, data loss risk, breaking production
+**High**: Significant bug, major pattern violation, auth issue
+**Medium**: Code smell, minor bug, missing validation
+**Low**: Style issue, minor optimization, documentation gap
+**Info**: Observations, questions, future considerations

package/.devcontainer/plugins/devs-marketplace/plugins/prompt-snippets/.claude-plugin/plugin.json

@@ -0,0 +1,5 @@
+{
+	"name": "prompt-snippets",
+	"description": "Quick behavioral mode switches via /ps command.",
+	"author": { "name": "AnExiledDev" }
+}

package/.devcontainer/plugins/devs-marketplace/plugins/prompt-snippets/README.md

@@ -0,0 +1,52 @@
+# Prompt Snippets Plugin
+
+Quick behavioral mode switches via a single `/ps` slash command.
+
+## Usage
+
+```text
+/ps [snippet-name]
+```
+
+Type `/ps` followed by a snippet name to inject a behavioral directive for the remainder of the conversation.
+
+### Available Snippets
+
+| Snippet | What it does |
+|---------|-------------|
+| `noaction` | Investigate and report only — no edits, no commands |
+| `brief` | Concise answers, no filler |
+| `plan` | Plan first, don't implement until approved |
+| `go` | Proceed without confirmation prompts |
+| `review` | Audit only — report findings, don't modify |
+| `ship` | Commit, push, and create a PR |
+| `deep` | Thorough investigation, leave no stone unturned |
+| `hold` | Do the work but don't commit or push |
+| `recall` | Search session history with ccms for prior context |
+| `wait` | When done, stop — no suggestions or follow-ups |
+
+### Composing
+
+Combine snippets by listing multiple names:
+
+```text
+/ps noaction brief
+```
+
+## Design
+
+This plugin contains a single skill (`/ps`) that uses `$ARGUMENTS` as a lookup key into a snippet table. It is:
+
+- **Not auto-suggested** — `disable-model-invocation: true` keeps it out of the skill engine's auto-suggestion system
+- **Independently toggleable** — disable via `enabledPlugins` in `settings.json` without affecting other skills
+- **Extensible** — add a row to the table in `skills/ps/SKILL.md` to create new snippets
+
+## Adding Custom Snippets
+
+Edit `skills/ps/SKILL.md` and add a row to the "Available Snippets" table:
+
+```markdown
+| `mysnippet` | Your custom instruction here. |
+```
+
+No other files need to change.

package/.devcontainer/plugins/devs-marketplace/plugins/prompt-snippets/skills/ps/SKILL.md

@@ -0,0 +1,37 @@
+---
+name: ps
+description: Inject a behavioral prompt snippet by name.
+disable-model-invocation: true
+argument-hint: "[snippet-name]"
+---
+
+# /ps — Prompt Snippets
+
+Apply the prompt snippet matching `$ARGUMENTS` from the table below. Follow its instruction for the **remainder of this conversation** unless the user explicitly overrides it.
+
+If `$ARGUMENTS` does not match any snippet name, list all available snippets and ask the user to pick one.
+
+## Available Snippets
+
+| Snippet | Instruction |
+|---------|-------------|
+| `noaction` | Investigate and report only. Take no action — no edits, no commands, no file writes. |
+| `brief` | Be concise. Short answers, no filler, no preamble. Answer the question and stop. |
+| `plan` | Build a plan before taking any action. Do not implement until the plan is explicitly approved. |
+| `go` | Proceed without asking for confirmation. Use your best judgment on all decisions. |
+| `review` | Review and audit only. Report findings with specific file paths and line numbers. Do not modify anything. |
+| `ship` | Commit all staged changes, push to remote, and create a pull request. |
+| `deep` | Be thorough and comprehensive. Investigate in depth, consider edge cases, leave no stone unturned. |
+| `hold` | Complete the current task but do not commit, push, or publish. Await my review before any git operations. |
+| `recall` | Search past session history with `ccms --no-color --project "$(pwd)"` to find prior decisions, discussions, and context relevant to the current task. Summarize what you find before proceeding. |
+| `wait` | When done, stop. Do not suggest next steps, ask follow-up questions, or continue with related work. Await further instructions. |
+
+## Composing Snippets
+
+Multiple snippets can be applied in one invocation by separating names with spaces:
+
+```text
+/ps noaction brief
+```
+
+Apply all matching snippets. If instructions conflict, the **last snippet wins** for that specific behavior.

package/.devcontainer/plugins/devs-marketplace/plugins/protected-files-guard/scripts/guard-protected-bash.py

@@ -36,7 +36,7 @@ PROTECTED_PATTERNS = [
     (r"\.crt$", "Blocked: .crt certificate files should not be edited directly"),
     (r"\.p12$", "Blocked: .p12 files contain sensitive cryptographic material"),
     (r"\.pfx$", "Blocked: .pfx files contain sensitive cryptographic material"),
-    (r"(^|/)credentials\.json$", "Blocked: credentials.json contains secrets"),
+    (r"(^|/)\.?credentials\.json$", "Blocked: credentials.json contains secrets"),
     (r"(^|/)secrets\.yaml$", "Blocked: secrets.yaml contains secrets"),
     (r"(^|/)secrets\.yml$", "Blocked: secrets.yml contains secrets"),
     (r"(^|/)secrets\.json$", "Blocked: secrets.json contains secrets"),

package/.devcontainer/plugins/devs-marketplace/plugins/protected-files-guard/scripts/guard-protected.py

@@ -40,7 +40,7 @@ PROTECTED_PATTERNS = [
     (r"\.p12$", "Blocked: .p12 files contain sensitive cryptographic material"),
     (r"\.pfx$", "Blocked: .pfx files contain sensitive cryptographic material"),
     # Credential files
-    (r"(^|/)credentials\.json$", "Blocked: credentials.json contains secrets"),
+    (r"(^|/)\.?credentials\.json$", "Blocked: credentials.json contains secrets"),
     (r"(^|/)secrets\.yaml$", "Blocked: secrets.yaml contains secrets"),
     (r"(^|/)secrets\.yml$", "Blocked: secrets.yml contains secrets"),
     (r"(^|/)secrets\.json$", "Blocked: secrets.json contains secrets"),

package/.devcontainer/plugins/devs-marketplace/plugins/session-context/README.md

@@ -4,13 +4,14 @@ Claude Code plugin that injects contextual information at session boundaries. Pr
 
 ## What It Does
 
-Three hooks that run automatically at session lifecycle boundaries:
+Four hooks that run automatically at session lifecycle boundaries:
 
 | Phase | Script | What It Injects |
 |-------|--------|-----------------|
 | Session start | `git-state-injector.py` | Current branch, status, recent commits, uncommitted changes |
 | Session start | `todo-harvester.py` | Count and top 10 TODO/FIXME/HACK/XXX markers in the codebase |
-| Stop | `commit-reminder.py` | Advisory about staged/unstaged changes that should be committed |
+| PostToolUse (Edit/Write) | `collect-session-edits.py` | Tracks which files the session modified (tmp file) |
+| Stop | `commit-reminder.py` | Advisory about uncommitted changes (only if session edited files) |
 
 All hooks are non-blocking and cap their output to prevent context bloat.
 
@@ -31,12 +32,19 @@ Scans source files for tech debt markers and injects a summary:
 - Shows total count plus top 10 items
 - Output capped at 800 characters
 
+### Edit Tracking
+
+Lightweight PostToolUse hook on Edit/Write that records file paths to `/tmp/claude-session-edits-{session_id}`. Used by the commit reminder to determine if this session actually modified files.
+
 ### Commit Reminder
 
-Fires when Claude stops responding and checks for uncommitted work:
-- Detects staged and unstaged changes
-- Injects an advisory so Claude can naturally ask if the user wants to commit
-- Uses a guard flag to prevent infinite loops (the reminder itself is a Stop event)
+Fires when Claude stops responding, using tiered logic based on change significance:
+- Checks the session edit tracker — skips entirely if session was read-only
+- **Meaningful changes** (3+ files, 2+ source files, or test files): suggests committing via advisory `systemMessage`
+- **Small changes** (1-2 non-source files): silent, no output
+- Output wrapped in `<system-reminder>` tags — advisory only, never blocks
+- Instructs Claude not to commit without explicit user approval
+- Uses a guard flag to prevent infinite loops
 
 ## How It Works
 
@@ -58,6 +66,12 @@ Session starts
   |           +-> Injects count + top 10 as additionalContext
   |
   |  ... Claude works ...
+  |     |
+  |     +-> PostToolUse (Edit|Write) fires
+  |           |
+  |           +-> collect-session-edits.py
+  |                 |
+  |                 +-> Appends file path to /tmp/claude-session-edits-{session_id}
   |
 Claude stops responding
   |
@@ -65,14 +79,14 @@ Claude stops responding
         |
         +-> commit-reminder.py
               |
-              +-> Checks git status for changes
-              +-> Has changes? -> Inject commit advisory
-              +-> No changes? -> Silent (no output)
+              +-> Session edited files? (checks tmp file)
+              +-> No edits this session? -> Silent (no output)
+              +-> Has edits + uncommitted changes? -> Inject advisory systemMessage
 ```
 
 ### Exit Code Behavior
 
-All three scripts exit 0 (advisory only). They never block operations.
+All four scripts exit 0 (advisory only). They never block operations.
 
 ### Error Handling
 
@@ -88,6 +102,7 @@ All three scripts exit 0 (advisory only). They never block operations.
 |------|---------|
 | Git state injection | 10s |
 | TODO harvesting | 8s |
+| Edit tracking | 3s |
 | Commit reminder | 8s |
 
 ## Installation
@@ -125,11 +140,12 @@ session-context/
 +-- .claude-plugin/
 |   +-- plugin.json            # Plugin metadata
 +-- hooks/
-|   +-- hooks.json             # Hook registrations (SessionStart + Stop)
+|   +-- hooks.json               # Hook registrations (SessionStart + PostToolUse + Stop)
 +-- scripts/
-|   +-- git-state-injector.py  # Git state context (SessionStart)
-|   +-- todo-harvester.py      # Tech debt markers (SessionStart)
-|   +-- commit-reminder.py     # Uncommitted changes advisory (Stop)
+|   +-- git-state-injector.py    # Git state context (SessionStart)
+|   +-- todo-harvester.py        # Tech debt markers (SessionStart)
+|   +-- collect-session-edits.py # Edit tracking (PostToolUse)
+|   +-- commit-reminder.py       # Uncommitted changes advisory (Stop)
 +-- README.md                  # This file
 ```
 

package/.devcontainer/plugins/devs-marketplace/plugins/session-context/hooks/hooks.json

@@ -1,6 +1,18 @@
 {
-	"description": "Context injection at session boundaries: git state, TODO harvesting, commit reminders",
+	"description": "Context injection at session boundaries: git state, TODO harvesting, edit tracking, commit reminders",
 	"hooks": {
+		"PostToolUse": [
+			{
+				"matcher": "Edit|Write",
+				"hooks": [
+					{
+						"type": "command",
+						"command": "python3 ${CLAUDE_PLUGIN_ROOT}/scripts/collect-session-edits.py",
+						"timeout": 3
+					}
+				]
+			}
+		],
 		"SessionStart": [
 			{
 				"matcher": "",

package/.devcontainer/plugins/devs-marketplace/plugins/session-context/scripts/collect-session-edits.py

@@ -0,0 +1,44 @@
+#!/usr/bin/env python3
+"""
+Collect edited file paths for session-aware Stop hooks.
+
+Lightweight PostToolUse hook that appends the edited file path
+to a session-scoped temp file. The commit-reminder Stop hook
+reads this file to determine if the session modified any files.
+
+Non-blocking: always exits 0. Runs in <10ms.
+"""
+
+import json
+import os
+import sys
+
+
+def main():
+    try:
+        input_data = json.load(sys.stdin)
+    except (json.JSONDecodeError, ValueError):
+        sys.exit(0)
+
+    session_id = input_data.get("session_id", "")
+    tool_input = input_data.get("tool_input", {})
+    file_path = tool_input.get("file_path", "")
+
+    if not file_path or not session_id:
+        sys.exit(0)
+
+    if not os.path.isfile(file_path):
+        sys.exit(0)
+
+    tmp_path = f"/tmp/claude-session-edits-{session_id}"
+    try:
+        with open(tmp_path, "a") as f:
+            f.write(file_path + "\n")
+    except OSError:
+        pass  # non-critical, don't block Claude
+
+    sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()