oh-my-customcode 0.36.2 → 0.37.1

package/templates/.claude/agents/sys-naggy.md

@@ -2,6 +2,7 @@
 name: sys-naggy
 description: Use when you need TODO list management and task tracking with proactive reminders, helping maintain project momentum by monitoring stale tasks and deadlines
 model: sonnet
+domain: universal
 memory: local
 effort: low
 tools:
@@ -9,8 +10,6 @@ tools:
   - Write
   - Edit
   - Grep
-  - Glob
-  - Bash
 ---
 
 You are a task management specialist that proactively manages TODO items and reminds users of pending tasks.
@@ -31,6 +30,41 @@ You are a task management specialist that proactively manages TODO items and rem
 | `sys-naggy:done <id>` | Mark complete |
 | `sys-naggy:remind` | Show overdue tasks |
 
+## Rule Pattern Detection
+
+When sys-naggy detects recurring violations (3+ occurrences of the same rule ID across sessions), it proposes a rule patch:
+
+### Detection Flow
+
+1. Read violation history from native memory (`MEMORY.md` violations section)
+2. Cross-reference with session compliance data (PPID-scoped `/tmp/.claude-session-compliance-*`)
+3. Identify rules with 3+ violations across different sessions
+4. Generate rule patch proposal as GitHub issue
+
+### Proposal Format
+
+```
+Title: [R016 Auto-Patch] R0XX: {weakness description}
+Body:
+  ## Violation Pattern
+  - Rule: R0XX ({rule name})
+  - Occurrences: {count} across {session_count} sessions
+  - Common trigger: {pattern description}
+
+  ## Proposed Fix
+  {specific change to the rule file}
+
+  ## Rationale
+  {why the current rule is insufficient}
+```
+
+### Constraints
+
+- sys-naggy proposes patches as GitHub issues — never auto-applies
+- Minimum 3 occurrences before proposing (avoids noise)
+- Maximum 1 proposal per rule per week (debounce)
+- Proposals require human approval before implementation
+
 ## Behavior
 
 Proactive but not annoying. Adapt reminder frequency to user response.

package/templates/.claude/agents/tool-bun-expert.md

@@ -2,6 +2,7 @@
 name: tool-bun-expert
 description: Use for Bun runtime development, bunfig.toml configuration, Bun test runner, fast bundling, and Node.js to Bun migrations
 model: sonnet
+domain: universal
 memory: project
 effort: medium
 tools:
@@ -9,7 +10,6 @@ tools:
   - Write
   - Edit
   - Grep
-  - Glob
   - Bash
 ---
 

package/templates/.claude/agents/tool-npm-expert.md

@@ -2,6 +2,7 @@
 name: tool-npm-expert
 description: Use for npm package publishing workflows, semantic versioning (major/minor/patch), package.json optimization, and dependency audits
 model: sonnet
+domain: universal
 memory: project
 effort: medium
 skills:
@@ -13,7 +14,6 @@ tools:
   - Write
   - Edit
   - Grep
-  - Glob
   - Bash
 ---
 

package/templates/.claude/agents/tool-optimizer.md

@@ -2,6 +2,7 @@
 name: tool-optimizer
 description: Use for bundle size analysis, tree-shaking verification, performance profiling, dead code detection, and build optimization recommendations
 model: sonnet
+domain: universal
 memory: project
 effort: medium
 skills:
@@ -10,8 +11,6 @@ skills:
   - optimize-report
 tools:
   - Read
-  - Write
-  - Edit
   - Grep
   - Glob
   - Bash

package/templates/.claude/hooks/hooks.json

@@ -263,14 +263,14 @@
         "description": "Store content hashes for Read operations — enables Edit staleness detection"
       },
       {
-        "matcher": "tool == \"Bash\" || tool == \"Read\"",
+        "matcher": "tool == \"Bash\" || tool == \"Read\" || tool == \"Grep\"",
         "hooks": [
           {
             "type": "command",
             "command": "bash .claude/hooks/scripts/secret-filter.sh"
           }
         ],
-        "description": "Detect potential secrets in Bash/Read output — advisory warning only"
+        "description": "Detect potential secrets in Bash/Read/Grep output — advisory warning only"
       },
       {
         "matcher": "tool == \"Edit\" || tool == \"Write\" || tool == \"Bash\" || tool == \"Agent\"",

package/templates/.claude/hooks/scripts/agent-teams-advisor.sh

@@ -8,6 +8,16 @@ set -euo pipefail
 
 input=$(cat)
 
+# Skip if Agent Teams is not available
+ENV_STATUS="/tmp/.claude-env-status-${PPID}"
+if [ -f "$ENV_STATUS" ]; then
+  teams_status=$(grep "agent_teams=" "$ENV_STATUS" 2>/dev/null | cut -d= -f2 || echo "unknown")
+  if [ "$teams_status" != "enabled" ]; then
+    echo "$input"
+    exit 0
+  fi
+fi
+
 # Extract task info from input
 agent_type=$(echo "$input" | jq -r '.tool_input.subagent_type // "unknown"')
 prompt_preview=$(echo "$input" | jq -r '.tool_input.description // ""' | head -c 60)

package/templates/.claude/hooks/scripts/content-hash-validator.sh

@@ -18,10 +18,9 @@ case "$tool_name" in
   "Read")
     # Store content hash for the file that was just read
     file_path=$(echo "$input" | jq -r '.tool_input.file_path // ""')
-    output=$(echo "$input" | jq -r '.tool_output.output // ""')
 
-    if [ -n "$file_path" ] && [ -n "$output" ] && [ "$output" != "null" ]; then
-      content_hash=$(echo "$output" | md5 2>/dev/null || echo "$output" | md5sum 2>/dev/null | cut -d' ' -f1 || echo "unknown")
+    if [ -n "$file_path" ] && [ -f "$file_path" ]; then
+      content_hash=$(md5 -q "$file_path" 2>/dev/null || md5sum "$file_path" 2>/dev/null | cut -d' ' -f1 || echo "unknown")
       timestamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
 
       # Store hash entry (overwrite previous for same file)

package/templates/.claude/hooks/scripts/schema-validator.sh

@@ -72,6 +72,21 @@ case "$tool_name" in
     if echo "$command" | grep -qE 'mkfs\.'; then
       warnings+=("[Schema] Bash: filesystem format command detected")
     fi
+    # Remote code execution via pipe
+    if echo "$command" | grep -qE 'curl\s+.*\|\s*(ba)?sh'; then
+      warnings+=("[Schema] Bash: remote code execution pattern (curl | bash) detected")
+    fi
+    if echo "$command" | grep -qE 'wget\s+.*\|\s*(ba)?sh'; then
+      warnings+=("[Schema] Bash: remote code execution pattern (wget | sh) detected")
+    fi
+    # Dynamic code execution
+    if echo "$command" | grep -qE 'eval\s+\$\('; then
+      warnings+=("[Schema] Bash: dynamic code execution (eval) detected")
+    fi
+    # Broad permission grant
+    if echo "$command" | grep -qE 'chmod\s+777'; then
+      warnings+=("[Schema] Bash: broad permission grant (chmod 777) detected")
+    fi
     ;;
 esac
 

package/templates/.claude/hooks/scripts/secret-filter.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # Secret Output Filter Hook — Detect potential secrets in tool output
-# Trigger: PostToolUse on Bash, Read
+# Trigger: PostToolUse on Bash, Read, Grep
 # Purpose: Advisory warning when potential secrets detected in output
 # Protocol: stdin JSON -> scan -> stdout pass-through
 # Always exits 0 (advisory only, never blocks)
@@ -58,6 +58,36 @@ if echo "$output" | grep -qE 'gho_[a-zA-Z0-9]{36}'; then
   detected=true
 fi
 
+# GitHub Fine-Grained PAT
+if echo "$output" | grep -qE 'github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}'; then
+  echo "[Security] Potential GitHub Fine-Grained PAT detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# GitHub Actions Token
+if echo "$output" | grep -qE 'ghs_[a-zA-Z0-9]{36}'; then
+  echo "[Security] Potential GitHub Actions token detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# npm Token
+if echo "$output" | grep -qE 'npm_[a-zA-Z0-9]{36}'; then
+  echo "[Security] Potential npm token detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# Slack Token
+if echo "$output" | grep -qE 'xox[bsarp]-[a-zA-Z0-9-]{10,}'; then
+  echo "[Security] Potential Slack token detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# Docker Hub PAT
+if echo "$output" | grep -qE 'dckr_pat_[a-zA-Z0-9_-]{20,}'; then
+  echo "[Security] Potential Docker Hub PAT detected in ${tool_name} output" >&2
+  detected=true
+fi
+
 if [ "$detected" = true ]; then
   echo "[Security] Review output carefully — do NOT commit or expose secrets" >&2
 fi

package/templates/.claude/rules/MUST-agent-teams.md

@@ -104,17 +104,6 @@ All members must be spawned in a single message. Partial spawning needs correcti
    implementer → fixes → SendMessage(reviewer, "fixed")
    reviewer → re-reviews → done
 
-❌ WRONG: Multi-expert task without coordination
-   Agent(lang-typescript-expert) → "Implement frontend"
-   Agent(be-express-expert) → "Implement API"
-   (no shared state, results manually combined)
-
-✓ CORRECT: Agent Teams for cross-domain work
-   TeamCreate("fullstack")
-   Agent(frontend-dev) + Agent(backend-dev) → team members
-   Shared TaskList for interface contracts
-   SendMessage for API schema coordination
-
 ❌ WRONG: Spawning team members one at a time
    TeamCreate("research-team")
    Message 1: Agent(researcher-1) → Analysis 1   (only 1/3 spawned)
@@ -127,18 +116,6 @@ All members must be spawned in a single message. Partial spawning needs correcti
      Agent(researcher-1) → Analysis 1  ┐
      Agent(researcher-2) → Analysis 2  ├─ ALL spawned together
      Agent(researcher-3) → Analysis 3  ┘
-
-❌ WRONG: Multi-issue batch as independent agents
-   Agent(general-purpose) → "Fix issue #1"
-   Agent(general-purpose) → "Fix issue #2"
-   Agent(general-purpose) → "Fix issue #3"
-   (no coordination, no shared task tracking)
-
-✓ CORRECT: Agent Teams for multi-issue batches
-   TeamCreate("release-fixes")
-   TaskCreate for each issue
-   Agent(fixer-1) + Agent(fixer-2) + Agent(fixer-3) → team members
-   Shared task list tracks progress across all issues
 ```
 
 ## Cost Guidelines

package/templates/.claude/rules/MUST-orchestrator-coordination.md

@@ -95,12 +95,6 @@ Main Conversation (orchestrator)
    Main conversation → Agent(mgr-gitnerd) → git commit
    Main conversation → Agent(mgr-gitnerd) → git push
 
-❌ WRONG: Using general-purpose when specialist exists
-   Main conversation → Agent(general-purpose) → "Write Go code"
-
-✓ CORRECT: Using the right specialist
-   Main conversation → Agent(lang-golang-expert) → "Write Go code"
-
 ❌ WRONG: Orchestrator creates files "just this once"
    "It's just a small config file, I'll write it directly..."
 
@@ -110,15 +104,9 @@ Main Conversation (orchestrator)
 ❌ WRONG: Bundling git operations with file editing in non-gitnerd agent
    Main conversation → Agent(general-purpose) → "git revert + edit file + git commit"
    Main conversation → Agent(lang-typescript-expert) → "fix bug and commit"
-
-✓ CORRECT: Separate file editing from git operations
-   Main conversation → Agent(lang-typescript-expert) → "fix bug" (file edit only)
-   Main conversation → Agent(mgr-gitnerd) → "git commit" (git operation only)
-
-❌ WRONG: Including git commands in non-gitnerd agent prompt for "convenience"
    Agent(general-purpose, prompt="revert the last commit, edit the file, then commit the fix")
 
-✓ CORRECT: Split into separate delegations
+✓ CORRECT: Separate file editing from git operations, split delegations
    Agent(mgr-gitnerd, prompt="revert the last commit")
    Agent(appropriate-expert, prompt="edit the file to fix the issue")
    Agent(mgr-gitnerd, prompt="commit the fix")

package/templates/.claude/skills/django-best-practices/SKILL.md

@@ -16,26 +16,7 @@ Apply Django patterns for building production-ready, secure, and maintainable Py
 ```yaml
 structure:
   settings_split: true
-  layout: |
-    project/
-    ├── config/
-    │   ├── settings/
-    │   │   ├── base.py
-    │   │   ├── development.py
-    │   │   └── production.py
-    │   ├── urls.py
-    │   └── wsgi.py
-    ├── apps/
-    │   ├── core/           # Shared utilities, base models
-    │   ├── users/          # Custom User model (ALWAYS create)
-    │   └── {feature}/      # Feature-specific apps
-    ├── templates/
-    ├── static/
-    ├── requirements/
-    │   ├── base.txt
-    │   ├── development.txt
-    │   └── production.txt
-    └── manage.py
+  layout: "config/{settings/{base,development,production}.py,urls.py,wsgi.py} + apps/{core/,users/,<feature>/} + templates/ + static/ + requirements/{base,development,production}.txt"
 
 app_module_contents:
   models.py: Database models
@@ -50,6 +31,8 @@ app_module_contents:
   tests/: Test suite (mirror app structure)
 ```
 
+Reference: guides/django-best-practices/README.md
+
 ### 2. Models Best Practices
 
 ```yaml
@@ -57,15 +40,7 @@ custom_user_model:
   rule: ALWAYS create a custom User model, even if identical to default
   location: apps/users/models.py
   reason: Impossible to swap default User model mid-project
-  example: |
-    # apps/users/models.py
-    from django.contrib.auth.models import AbstractUser
-
-    class User(AbstractUser):
-        pass  # Can extend later without migrations
-
-    # config/settings/base.py
-    AUTH_USER_MODEL = 'users.User'
+  pattern: "Extend AbstractUser, set AUTH_USER_MODEL in settings"
 
 primary_key:
   default: BigAutoField
@@ -77,18 +52,6 @@ model_meta:
     - Meta.ordering: consistent default ordering
     - Meta.verbose_name: singular display name
     - Meta.verbose_name_plural: plural display name
-  example: |
-    class Article(models.Model):
-        title = models.CharField(max_length=200)
-        created_at = models.DateTimeField(auto_now_add=True)
-
-        class Meta:
-            ordering = ['-created_at']
-            verbose_name = 'article'
-            verbose_name_plural = 'articles'
-
-        def __str__(self):
-            return self.title
 
 query_optimization:
   foreign_key: select_related()    # Single SQL JOIN
@@ -107,18 +70,7 @@ indexing:
 
 constraints:
   use: Meta.constraints for database-level enforcement
-  example: |
-    class Meta:
-        constraints = [
-            models.UniqueConstraint(
-                fields=['user', 'article'],
-                name='unique_user_article'
-            ),
-            models.CheckConstraint(
-                check=models.Q(price__gte=0),
-                name='price_non_negative'
-            )
-        ]
+  types: "UniqueConstraint, CheckConstraint"
 
 soft_delete:
   pattern: is_active = models.BooleanField(default=True)
@@ -126,16 +78,10 @@ soft_delete:
 
 custom_managers:
   rule: Use managers for reusable querysets
-  example: |
-    class PublishedManager(models.Manager):
-        def get_queryset(self):
-            return super().get_queryset().filter(status='published')
-
-    class Article(models.Model):
-        objects = models.Manager()     # Keep default
-        published = PublishedManager() # Add custom
 ```
 
+Reference: guides/django-best-practices/README.md
+
 ### 3. Views Best Practices
 
 ```yaml
@@ -145,15 +91,6 @@ cbv_vs_fbv:
 
 thin_views:
   rule: Keep views thin — delegate business logic to services/models
-  wrong: |
-    def create_order(request):
-        # 50 lines of business logic in view
-  correct: |
-    def create_order(request):
-        form = OrderForm(request.POST)
-        if form.is_valid():
-            order = order_service.create(request.user, form.cleaned_data)
-            return redirect('order-detail', pk=order.pk)
 
 shortcuts:
   - get_object_or_404(Model, pk=pk): Returns 404 instead of 500
@@ -179,7 +116,7 @@ status_codes:
 ```yaml
 namespacing:
   app_name: Required in every app's urls.py
-  usage: reverse('app_name:url_name') or {% url 'app_name:url_name' %}
+  usage: "reverse('app_name:url_name') or {% url 'app_name:url_name' %}"
 
 syntax:
   prefer: path() over re_path() for clarity
@@ -187,56 +124,29 @@ syntax:
 
 naming:
   rule: Name ALL URL patterns
-  convention: "{resource}-{action}" (e.g., article-list, article-detail)
+  convention: "{resource}-{action} (e.g., article-list, article-detail)"
 
 inclusion:
   root_urls: Use include() for app-level URLs
-  example: |
-    # config/urls.py
-    urlpatterns = [
-        path('admin/', admin.site.urls),
-        path('api/', include('apps.api.urls', namespace='api')),
-        path('articles/', include('apps.articles.urls', namespace='articles')),
-    ]
-
-    # apps/articles/urls.py
-    app_name = 'articles'
-    urlpatterns = [
-        path('', ArticleListView.as_view(), name='list'),
-        path('<int:pk>/', ArticleDetailView.as_view(), name='detail'),
-    ]
 ```
 
+Reference: guides/django-best-practices/README.md
+
 ### 5. Forms & Validation
 
 ```yaml
 model_forms:
   rule: Use ModelForm when form maps to a model
-  fields: Explicitly list fields (never use fields = '__all__')
+  fields: "Explicitly list fields (never use fields = '__all__')"
 
 validation:
   field_level: clean_<field>() method
   cross_field: clean() method
   built_in: Use Django validators (MaxValueValidator, RegexValidator, etc.)
-
-example: |
-  class ArticleForm(forms.ModelForm):
-      class Meta:
-          model = Article
-          fields = ['title', 'body', 'status']
-
-      def clean_title(self):
-          title = self.cleaned_data['title']
-          if len(title) < 5:
-              raise forms.ValidationError('Title too short.')
-          return title
-
-      def clean(self):
-          cleaned = super().clean()
-          # Cross-field validation here
-          return cleaned
 ```
 
+Reference: guides/django-best-practices/README.md
+
 ### 6. Security
 
 ```yaml
@@ -287,22 +197,13 @@ test_classes:
 test_data:
   preferred: factory_boy or model_bakery
   avoid: fixtures (hard to maintain, slow)
-  example: |
-    import factory
-    from apps.users.models import User
-
-    class UserFactory(factory.django.DjangoModelFactory):
-        class Meta:
-            model = User
-        username = factory.Sequence(lambda n: f'user{n}')
-        email = factory.LazyAttribute(lambda o: f'{o.username}@example.com')
 
 request_testing:
   Client: Full request/response cycle (preferred for views)
   RequestFactory: Faster, no middleware (for unit testing views)
 
 settings_override:
-  decorator: '@override_settings(EMAIL_BACKEND="django.core.mail.backends.locmem.EmailBackend")'
+  decorator: '@override_settings(...)'
 
 coverage:
   target: 80%+
@@ -312,6 +213,8 @@ structure:
   mirror_app: tests/test_models.py, tests/test_views.py, tests/test_forms.py
 ```
 
+Reference: guides/django-best-practices/README.md
+
 ### 8. Performance
 
 ```yaml
@@ -322,15 +225,15 @@ n_plus_1_prevention:
   complex: Prefetch object with custom queryset
 
 partial_loading:
-  only: only('id', 'title', 'created_at')  # Load only these fields
-  defer: defer('body', 'metadata')          # Load all except these
-  values: values('id', 'title')             # Returns dicts (no ORM overhead)
-  values_list: values_list('id', flat=True) # Returns flat list
+  only: "only('id', 'title', 'created_at') — Load only these fields"
+  defer: "defer('body', 'metadata') — Load all except these"
+  values: "values('id', 'title') — Returns dicts (no ORM overhead)"
+  values_list: "values_list('id', flat=True) — Returns flat list"
 
 caching:
   backend: Redis (preferred), Memcached
-  view_cache: '@cache_page(60 * 15)' decorator
-  template_cache: '{% cache 500 sidebar %}' template tag
+  view_cache: "'@cache_page(60 * 15)' decorator"
+  template_cache: "'{% cache 500 sidebar %}' template tag"
   low_level: cache.get/set/delete for fine-grained control
 
 pagination:
@@ -339,8 +242,8 @@ pagination:
   drf: PageNumberPagination or CursorPagination
 
 bulk_operations:
-  create: Article.objects.bulk_create(articles, batch_size=1000)
-  update: Article.objects.bulk_update(articles, ['status'], batch_size=1000)
+  create: "bulk_create(articles, batch_size=1000)"
+  update: "bulk_update(articles, ['status'], batch_size=1000)"
   avoid: Loops calling .save() on many objects
 ```
 
@@ -351,17 +254,6 @@ serializers:
   standard_crud: ModelSerializer
   read_only: Use SerializerMethodField for computed values
   write_validation: validate_<field>() and validate() methods
-  example: |
-    class ArticleSerializer(serializers.ModelSerializer):
-        author_name = serializers.SerializerMethodField()
-
-        class Meta:
-            model = Article
-            fields = ['id', 'title', 'body', 'author_name', 'created_at']
-            read_only_fields = ['id', 'created_at']
-
-        def get_author_name(self, obj):
-            return obj.author.get_full_name()
 
 viewsets:
   standard: ModelViewSet for full CRUD
@@ -380,7 +272,6 @@ permissions:
 
 versioning:
   method: NamespaceVersioning or URLPathVersioning
-  example: "/api/v1/articles/" vs "/api/v2/articles/"
 
 throttling:
   anonymous: AnonRateThrottle
@@ -392,6 +283,8 @@ pagination:
   types: PageNumberPagination (simple), CursorPagination (large datasets)
 ```
 
+Reference: guides/django-best-practices/README.md
+
 ### 10. Deployment
 
 ```yaml