From b7cdac697bdc535832ebbe1947e4933110e2a7aa Mon Sep 17 00:00:00 2001 From: James Prial Date: Mon, 26 Jan 2026 02:38:22 -0500 Subject: [PATCH 1/5] docs: add gh secret set pattern to CLAUDE.md Co-Authored-By: Claude Opus 4.5 --- CLAUDE.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CLAUDE.md b/CLAUDE.md index 7321657..1a5b5ab 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -33,6 +33,9 @@ Claude Code plugin marketplace with seven plugins: /plugin list /hooks claude --debug + +# Set GitHub secret from current auth token (no intermediate files) +gh auth token | gh secret set SECRET_NAME ``` ### Development Workflow From 060d2358e3fdd9a1f77f58f4a0f3f5d59974a7d0 Mon Sep 17 00:00:00 2001 From: James Prial Date: Mon, 26 Jan 2026 02:50:32 -0500 Subject: [PATCH 2/5] fix(security-hooks): exit with BLOCKED (2) when secrets detected Previously exited with SUCCESS (0) even when secrets found, causing Claude to ignore the deny decision. Per hooks.md: 'Claude Code does not see stdout if the exit code is 0'. Fixes codex review comment on PR #4. Co-Authored-By: Claude Opus 4.5 --- security-hooks/scripts/check_secrets.py | 2 +- security-hooks/scripts/test_check_secrets.py | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/security-hooks/scripts/check_secrets.py b/security-hooks/scripts/check_secrets.py index 0d75f70..8ad439c 100755 --- a/security-hooks/scripts/check_secrets.py +++ b/security-hooks/scripts/check_secrets.py @@ -413,7 +413,7 @@ def _run_secret_check(project_root: Path) -> None: } } print(json.dumps(output)) - sys.exit(ExitCode.SUCCESS) # Use exit 0 with JSON output + sys.exit(ExitCode.BLOCKED) # Exit 2 ensures Claude sees the deny decision sys.exit(ExitCode.SUCCESS) diff --git a/security-hooks/scripts/test_check_secrets.py b/security-hooks/scripts/test_check_secrets.py index 801f618..6936ff2 100644 --- a/security-hooks/scripts/test_check_secrets.py +++ b/security-hooks/scripts/test_check_secrets.py @@ -1135,8 +1135,8 @@ def mock_subprocess_run( with pytest.raises(SystemExit) as exc_info: main() - # With JSON output, exit code is 0 (success) but with deny decision - assert exc_info.value.code == ExitCode.SUCCESS + # Exit code 2 (BLOCKED) ensures Claude respects the deny decision + assert exc_info.value.code == ExitCode.BLOCKED # Verify JSON output structure captured = capsys.readouterr() From 0884b1e66b373034611702c2b8adaeba76433dd0 Mon Sep 17 00:00:00 2001 From: James Prial Date: Mon, 26 Jan 2026 02:50:32 -0500 Subject: [PATCH 3/5] fix(ci): detect all commits in multi-commit pushes Previously only checked HEAD~1, missing changes in earlier commits when multiple commits pushed together. Now uses github.event.before to capture full push range. Fixes codex review comment on PR #25. Co-Authored-By: Claude Opus 4.5 --- .github/workflows/detect-plugin-changes.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/detect-plugin-changes.yml b/.github/workflows/detect-plugin-changes.yml index e64bf9d..8f05b26 100644 --- a/.github/workflows/detect-plugin-changes.yml +++ b/.github/workflows/detect-plugin-changes.yml @@ -53,7 +53,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 with: - fetch-depth: 2 # Need HEAD~1 for diff comparison + fetch-depth: 0 # Full history for multi-commit push detection - name: Detect changed plugins id: changes @@ -63,8 +63,13 @@ jobs: # Local plugins to check (excludes external golang-workflow) LOCAL_PLUGINS=("security-hooks" "todo-log" "version-control" "bash-workflow" "claude-code-guide" "slash-command-guide") - # Get changed files between HEAD and HEAD~1 - CHANGED_FILES=$(git diff --name-only HEAD~1 HEAD 2>/dev/null || git diff --name-only HEAD) + # Get changed files since push started (handles multi-commit pushes) + if [ "${{ github.event.before }}" != "0000000000000000000000000000000000000000" ]; then + CHANGED_FILES=$(git diff --name-only "${{ github.event.before }}" HEAD) + else + # Initial push or force push - compare with HEAD~1 as fallback + CHANGED_FILES=$(git diff --name-only HEAD~1 HEAD 2>/dev/null || git diff --name-only HEAD) + fi echo "Changed files:" echo "$CHANGED_FILES" From 028f9f2153cef2b03d7b160a0b123e8ee8b6b1e2 Mon Sep 17 00:00:00 2001 From: James Prial Date: Mon, 26 Jan 2026 02:50:33 -0500 Subject: [PATCH 4/5] fix(ci): create release tags on correct commit SHA Previously tagged HEAD after git pull, which could include commits that landed after the version bump. Now explicitly tags the commit_sha from the workflow dispatch payload. Fixes codex review comment on PR #25. Co-Authored-By: Claude Opus 4.5 --- .github/workflows/create-release-tags.yml | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/.github/workflows/create-release-tags.yml b/.github/workflows/create-release-tags.yml index 38078c6..aeec41d 100644 --- a/.github/workflows/create-release-tags.yml +++ b/.github/workflows/create-release-tags.yml @@ -38,11 +38,6 @@ jobs: git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - - name: Pull latest changes - run: | - # Ensure we have the version bump commit - git pull origin main - - name: Create tags id: tags run: | @@ -66,11 +61,17 @@ jobs: continue fi - # Create annotated tag - git tag -a "$TAG" -m "Release ${plugin} v${VERSION} + # Create annotated tag on the version bump commit (not HEAD which may have moved) + COMMIT_SHA="${{ github.event.client_payload.commit_sha }}" + if [ -z "$COMMIT_SHA" ]; then + echo "::error::commit_sha not provided in payload" + exit 1 + fi + + git tag -a "$TAG" "$COMMIT_SHA" -m "Release ${plugin} v${VERSION} Auto-generated by GitHub Actions workflow. -Trigger commit: ${{ github.event.client_payload.trigger_sha }}" +Version bump commit: $COMMIT_SHA" echo "Created tag: $TAG" CREATED_TAGS+=("$TAG") @@ -115,4 +116,5 @@ Trigger commit: ${{ github.event.client_payload.trigger_sha }}" echo "" >> $GITHUB_STEP_SUMMARY echo "---" >> $GITHUB_STEP_SUMMARY - echo "**Trigger commit:** \`${{ github.event.client_payload.trigger_sha }}\`" >> $GITHUB_STEP_SUMMARY + echo "**Version bump commit (tagged):** \`${{ github.event.client_payload.commit_sha }}\`" >> $GITHUB_STEP_SUMMARY + echo "**Original trigger commit:** \`${{ github.event.client_payload.trigger_sha }}\`" >> $GITHUB_STEP_SUMMARY From cb316f056d2e6c8f3416893b02050d27fd110235 Mon Sep 17 00:00:00 2001 From: James Prial Date: Mon, 26 Jan 2026 02:50:34 -0500 Subject: [PATCH 5/5] feat(bash-workflow): add 4 Plan agent definitions Creates agent definitions referenced in implement.md Wave 1b: - plan-implementation: Script structure and dependencies - plan-testing: Bats test strategy and edge cases - plan-security: Input validation and secret handling - plan-devops: Portability and CI/CD considerations Fixes codex review comment on PR #20. Co-Authored-By: Claude Opus 4.5 --- bash-workflow/agents/plan-devops.md | 21 ++++++++++++++++++++ bash-workflow/agents/plan-implementation.md | 22 +++++++++++++++++++++ bash-workflow/agents/plan-security.md | 21 ++++++++++++++++++++ bash-workflow/agents/plan-testing.md | 21 ++++++++++++++++++++ 4 files changed, 85 insertions(+) create mode 100644 bash-workflow/agents/plan-devops.md create mode 100644 bash-workflow/agents/plan-implementation.md create mode 100644 bash-workflow/agents/plan-security.md create mode 100644 bash-workflow/agents/plan-testing.md diff --git a/bash-workflow/agents/plan-devops.md b/bash-workflow/agents/plan-devops.md new file mode 100644 index 0000000..d7cb1ff --- /dev/null +++ b/bash-workflow/agents/plan-devops.md @@ -0,0 +1,21 @@ +--- +name: plan-devops +description: "Analyze operational considerations for bash tasks. Focuses on portability, CI/CD, and idempotency." +model: haiku +color: purple +--- + +Analyze operational requirements for the given bash task. + +## Focus Areas + +1. **Portability** - macOS vs Linux, BSD vs GNU, path differences +2. **CI/CD** - Exit codes, output parsing, env expectations +3. **Deployment** - Installation, dependencies, upgrades +4. **Idempotency** - Safe reruns, state management, cleanup + +## Output + +Write to `~/.claude/bash-workflow/plan-devops.md`: +- Platform compatibility notes +- CI/CD and idempotency strategy diff --git a/bash-workflow/agents/plan-implementation.md b/bash-workflow/agents/plan-implementation.md new file mode 100644 index 0000000..46fd44a --- /dev/null +++ b/bash-workflow/agents/plan-implementation.md @@ -0,0 +1,22 @@ +--- +name: plan-implementation +description: "Design implementation approach for bash tasks. Focuses on script structure, function decomposition, and dependencies." +model: haiku +color: blue +--- + +Design the implementation approach for the given bash task. + +## Focus Areas + +1. **Script Structure** - Entry points, module separation, config handling +2. **Function Decomposition** - Single responsibility, reusable utilities +3. **Dependencies** - Implementation order, shared resources +4. **Codebase Patterns** - Existing conventions, error/logging patterns + +## Output + +Write to `~/.claude/bash-workflow/plan-implementation.md`: +- Proposed file structure +- Key functions and responsibilities +- Implementation order diff --git a/bash-workflow/agents/plan-security.md b/bash-workflow/agents/plan-security.md new file mode 100644 index 0000000..c6a4305 --- /dev/null +++ b/bash-workflow/agents/plan-security.md @@ -0,0 +1,21 @@ +--- +name: plan-security +description: "Design security considerations for bash tasks. Focuses on input validation, permissions, and secrets." +model: haiku +color: orange +--- + +Identify security considerations for the given bash task. + +## Focus Areas + +1. **Input Validation** - Sanitization, path traversal, injection prevention +2. **Permissions** - File modes, sudo usage, umask +3. **Secrets** - No hardcoding, env vars, secure storage +4. **Unsafe Patterns** - eval, unquoted vars, glob risks, temp files + +## Output + +Write to `~/.claude/bash-workflow/plan-security.md`: +- Input validation requirements +- Permission model and secret handling diff --git a/bash-workflow/agents/plan-testing.md b/bash-workflow/agents/plan-testing.md new file mode 100644 index 0000000..0b9952e --- /dev/null +++ b/bash-workflow/agents/plan-testing.md @@ -0,0 +1,21 @@ +--- +name: plan-testing +description: "Design test strategy for bash tasks. Focuses on bats tests, edge cases, and failure modes." +model: haiku +color: green +--- + +Design comprehensive test coverage for the given bash task. + +## Focus Areas + +1. **Behaviors** - Happy path, error handling, edge cases +2. **Edge Cases** - Empty input, missing files, bad permissions, signals +3. **Failure Modes** - Network, disk full, permission denied +4. **Platforms** - macOS vs Linux, BSD vs GNU tools + +## Output + +Write to `~/.claude/bash-workflow/plan-testing.md`: +- Test scenarios by feature +- Edge cases and failure modes