You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This pull request makes a minor update to the plugin manifest by refining the plugin's description to be more concise and focused.
Updated the description field in plugin.json to clarify and streamline the explanation of the plugin's features, emphasizing its CLI nature and the main evaluation tasks it supports.
Single self-contained HTML at docs/claude-code-bleeding-edge.html
covering post-May-2025 features (/btw, v2.1 permission modes,
2026 hook extensions), hidden/undocumented env vars (curated subset
of ~330), CLI flags, settings.json power moves, Boris Cherny's top
tips, and unusual community tricks.
Prominent top-of-page callout corrects the widely-mistyped
CLAUDE_CODE_EXPERIMENTAL_TEAM=1 to the actual
CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1 env var.
Interactive: instant case-insensitive search, toggleable category
filter pills, per-row copy-to-clipboard, deep-link anchors that
auto-expand the targeted <details> section, dark-by-default with
light-mode toggle. Inline CSS+JS, no CDN, no localStorage,
WCAG-AA contrast, keyboard navigable, semantic HTML.
Built on Thariq's pattern 14 (research-feature-explainer) DNA with
the filter-pill + copy-button mechanics from pattern 18
(editor-triage-board), retoned to a dark Anthropic-coral palette.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Relocates docs/claude-code-bleeding-edge.html to
plugins/html-effectiveness/claude-code-bleeding-edge.html so the
artifact lives next to the skill that documents the production
pattern it follows (pattern 14, research-feature-explainer).
No sibling plugin has a docs/ folder; the monorepo's top-level
docs/ holds cross-plugin guides (ARCHITECTURE.md, WORKFLOWS.md, etc.),
not plugin-specific deliverables. The plugin root is the natural home.
Wires the file into plugins/html-effectiveness/README.md alongside
the existing otel-semconv-demo entry, with an open command and a
one-line summary of the search/filter/copy interactions.
File contents unchanged — pure relocation + README link.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… canon
Pivots the bleeding-edge reference to match the html-effectiveness
skill's own canon (patterns.json):
* Palette flip: coral becomes the default (was dark); github_dark moves
to a `[data-theme="dark"]` toggle. Both palettes are taken verbatim
from patterns.json:palettes — no invented "Anthropic-ish dark" mix.
The original brief's #0d0e10/#e8e6e3 spec is overridden by the
in-plugin source of truth, as requested.
* Placement: moved from plugins/html-effectiveness/ to
plugins/html-effectiveness/skills/html-effectiveness/assets/, where
otel-semconv-demo.html and agent-spawn-deck-demo.html already live
as pattern proof-of-concepts. This artifact is the same shape — a
PoC for pattern 14 (research-feature-explainer) applied to a real
reference catalog.
* Active-state text color hardcoded to #141413 (slate) on accent/
success backgrounds so contrast passes AA in both palettes:
#141413 on #D97757 (clay) ≈ 6.5:1; #141413 on #58a6ff (blue) ≈ 7.5:1;
#141413 on #788C5D/#3fb950 (olive/green) ≈ 5:1+.
* README updated: bullet rewritten as "third pattern-PoC alongside
OTel and agent-spawn demos", open-command repointed to new path.
* Theme toggle JS: `data-theme` attribute is absent in default coral
mode, set to "dark" on toggle, removed again on toggle-back — cleaner
than always-present attr with two values.
No content changes; structure, sections, search/filter/copy/deep-link
mechanics all preserved. 1543 LOC, 71KB.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… canonical Anthropic practice
Skills (5):
- third-person canonical voice ("This skill should be used when the user asks to ...")
matching anthropics/claude-plugins-official plugin-dev meta-skill prescription
- add version: 0.1.0 + author: AncpLua to all frontmatters
- progressive disclosure: CCxxx-dense priorities replaced with pointers into
references/component-validators.md (eliminates 3x duplication)
- collapse verbose Commands/Workflow sections to lean Subcommands one-liners
- harmonize Reference -> References (plural) across all 5
Evaluator (src/evaluators/skill.js):
- CC203 regex now accepts "should be used when" alongside "use when" / "trigger";
the prior pattern flagged the canonical Anthropic voice as missing-trigger
- CC212 ALLOWED_FRONTMATTER_KEYS adds `version` (used by every plugin-dev
skill in claude-plugins-official) and `author` (ecosystem convention),
with rationale comments documenting the divergence from the May-2026
docs.claude.com SKILL.md spec
Manifest (.claude-plugin/plugin.json):
- description trimmed 258 -> 197 chars (clears CC105)
Result: per-skill score 60-66 (bronze) -> 91/100 (Gold per tonsofskills.com
rubric, B per the plugin's letter scale), 100/100 tests pass, 0 fail per
skill. Plugin-level F remains because the evaluator over-counts src/ as
deferred tokens (separate evaluator bug, not skill quality).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Both files were build-time scaffolding:
- SPEC.md (1195 lines, 93k) was the parallel-implementation spec
for Writers A/B/C. The plugin is built; README covers the load-bearing
mission and architecture-diff content; the code IS the current
architecture. References to /tmp/plugin-compare/ paths that no
longer exist.
- REVIEW.md (283 lines, 32k) was the 2026-05-05 pre-ship review with 4
CRIT findings. All four verified applied in current source:
CRIT-1 manifest "real-codex" string -> "real claude" (this branch
further trimmed to 197 chars)
CRIT-2 monitors.js:95 names.add(path.basename(fullPath))
CRIT-3 monitors.js CC605/CC608 size-gate removed
CRIT-4 hooks.js mcp_tool handler reads handler.server OR
handler.command.split("/")[0]
100/100 tests pass.
THIRD_PARTY_NOTICES.md kept (canonical MIT attribution). Git history
preserves both removed files for archaeology.
Bonus: removes ~31k tokens from the plugin's deferred-budget count,
which the evaluator currently over-counts (separate evaluator bug).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Added nuget-opensrc plugin to fetch NuGet packages pinned to exact GitHub commits
Added interactive Claude Code bleeding-edge reference page with search, filtering, dark mode, and deep-linking
Bug Fixes
Fixed marketplace JSON syntax and hardcoded file paths to be portable
Documentation
Reorganized cc-plugin-eval plugin documentation with streamlined specifications and new metadata fields
Updated skill documentation with structured frontmatter and routing guidance
Chores
Updated validation tooling for improved file handling and shell script discovery
Walkthrough
PR expands plugin ecosystem by introducing nuget-opensrc (NuGet→GitHub commit resolver with CLI, command, and skill), standardizes cc-plugin-eval sub-skill metadata and workflow routing, adds interactive html-effectiveness bleeding-edge reference asset (1562 lines), normalizes html-effectiveness hardcoded paths to portable cache directory, refactors weave-validate.sh to use null-delimited file processing, and registers both plugins in marketplace with CHANGELOG entries.
Estimated code review effort
🎯 4 (Complex) | ⏱️ ~55 minutes
Rationale: 65 files touched with substantial heterogeneous changes: new 254-line CLI with NuGet API fallback logic (medium density), 1562-line interactive HTML/JS asset with filtering/search/clipboard/theme state (high density), five SKILL.md rewrites across different concerns (workflow vs. metadata), shell script refactoring with null-delimiter semantics, and path normalization spanning six files. Cross-domain edits (CLI logic, HTML interactivity, manifest/docs) demand separate reasoning per checkpoint.
ANcpLua/ancplua-claude-plugins#108: Earlier validation tooling changes to tooling/scripts/weave-validate.sh script discovery and iteration logic.
Important
Pre-merge checks failed
Please resolve all errors before merging. Addressing warnings is optional.
❌ Failed checks (2 errors, 2 warnings)
Check name
Status
Explanation
Resolution
Title check
❌ Error
Title lacks conventional commit format (feat/fix/refactor/etc.) and required scope in parentheses.
Rewrite as conventional commit with scope, e.g., 'docs(html-effectiveness): add bleeding-edge reference' or 'feat(infra): new nuget-opensrc plugin'.
No Hardcoded Absolute Paths
❌ Error
Unquoted tilde paths in generated bash commands (lines 350, 361, 370 of agent-spawn-deck-demo.html) break for home dirs with spaces; line 348 was fixed but others were not.
Quote all generated bash paths: replace ~/repo-audit/ with "$HOME/repo-audit/" in buildCli() and buildFanOutScript() functions.
Description check
⚠️ Warning
Description claims only plugin.json refinement but changeset includes new plugin (nuget-opensrc), HTML asset, shell script refactoring, and multiple skill specs.
Rewrite description to reflect actual scope: new nuget-opensrc plugin, html-effectiveness asset updates, cc-plugin-eval skill specs, and validation tooling changes.
Plugin Version And Marketplace Sync
⚠️ Warning
cc-plugin-eval code was modified (evaluator logic, multiple SKILL definitions rewritten) but version not bumped from 0.1.0 in plugin.json or marketplace.json.
Bump cc-plugin-eval version in plugins/cc-plugin-eval/.claude-plugin/plugin.json and .claude-plugin/marketplace.json to reflect code/skill changes.
✅ Passed checks (5 passed)
Check name
Status
Explanation
Linked Issues check
✅ Passed
Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check
✅ Passed
Check skipped because no linked issues were found for this pull request.
Changelog Updated
✅ Passed
CHANGELOG.md updated with entries for nuget-opensrc plugin (0.1.0 new) and html-effectiveness plugin (1.2.0→1.2.1) under [Unreleased], covering all plugin code, skills, and command changes in the PR.
No C# Or .Net Code
✅ Passed
No .cs, .csproj, .sln, or .fsproj files found in repository; PR adds only Node.js, JSON, Markdown, and HTML assets.
Skill.Md Frontmatter Required
✅ Passed
All 7 modified SKILL.md files have valid YAML frontmatter with required name and description fields present.
Comment @coderabbitai help to get the list of available commands and usage tips.
The reason will be displayed to describe this comment to others. Learn more.
Preserve null-delimited paths for ShellCheck inputs
find output is now stored as plain text and piped through xargs, which splits on whitespace; any *.sh path containing spaces/tabs/newlines will be broken into multiple arguments, so shellcheck can fail on non-existent paths or silently miss real files. This regresses the prior -print0 + array behavior and can make the hard-fail validation step unreliable when plugin/script paths are not whitespace-free.
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
The PR introduces significant functional changes to the CI validation scripts and the Claude Code skill evaluator that are not fully covered by tests.
Key issues that should prevent merging:
CI Regression: The refactor of weave-validate.sh introduces a regression in path handling; filenames containing spaces will cause the ShellCheck and JSON validation loops to fail.
Portability: A hardcoded absolute local path (~/RiderProjects/...) was detected in the documentation/assets, which will cause failures for other users and in CI environments.
Testing Gap: The expansion of regex patterns and allowed metadata keys in the cc-plugin-eval validator lacks unit tests to ensure correct behavior and prevent regressions in skill validation.
While Codacy reports the PR as 'up to standards', these functional and portability issues require correction.
About this PR
No unit tests were added to plugins/cc-plugin-eval/src/evaluators/skill.js to verify the new regex patterns for trigger phrases or the allowance of 'version' and 'author' keys.
The PR description underrepresents the scope of changes. It includes a 1,500-line HTML reference and refactors core CI scripts, which are unrelated to the stated intent of minor manifest updates.
1 comment outside of the diff[REDACTED:HIGH_ENTROPY]
line 51 🔴 HIGH RISK
The absolute path is hardcoded to a specific local directory (~/RiderProjects/...), which makes this command non-portable. Use a relative path from the plugin root or a placeholder like $(pwd) to make the example functional for other users.
open ./skills/html-effectiveness/assets/claude-code-bleeding-edge.html
Test suggestions
Verify 'triggerPattern' regex in skill.js correctly matches 'should be used when' in addition to existing patterns.
Verify that 'version' and 'author' frontmatter keys in SKILL.md files are accepted as valid metadata by the evaluator.
Verify the 'weave-validate.sh' script correctly identifies and iterates through shell and JSON files after the loop refactor.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify 'triggerPattern' regex in `skill.js` correctly matches 'should be used when' in addition to existing patterns.
2. Verify that 'version' and 'author' frontmatter keys in SKILL.md files are accepted as valid metadata by the evaluator.
3. Verify the 'weave-validate.sh' script correctly identifies and iterates through shell and JSON files after the loop refactor.
The reason will be displayed to describe this comment to others. Learn more.
🟡 MEDIUM RISK
This refactor introduces a regression in robustness. Using $(find ...) followed by xargs without null-termination splits on any whitespace. If any filename contains a space, the validation will fail. Revert to using find -print0 and xargs -0 (or the previous array-based logic) to safely handle filenames with spaces.
The reason will be displayed to describe this comment to others. Learn more.
⚪ LOW RISK
This implementation relies on Bash here-strings and is brittle when handling paths with spaces. It is safer to pipe find results directly into the while loop using find . -name "*.json" ... -print0 | while IFS= read -r -d '' f; do ... for maximum robustness.
The reason will be displayed to describe this comment to others. Learn more.
⚪ LOW RISK
Suggestion: Expanding the regex improves the detection of valid trigger sentences and reduces false-positive warnings for descriptions that use the 'This skill should be used when...' phrasing.
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@plugins/cc-plugin-eval/skills/cc-plugin-eval/SKILL.md`:
- Line 21: Replace the hardcoded user-specific path string
"~/.claude/plugins/cache/<plugin-id>" in SKILL.md with a neutral placeholder or
variable (e.g., "Claude plugin cache path" or "CLAUDE_PLUGIN_CACHE_PATH") so the
routing instruction is environment-agnostic; update the sentence that currently
reads `~/.claude/plugins/cache/<plugin-id>` to use the chosen placeholder and
ensure any surrounding text still indicates local-first resolution (then
repo-local `plugins/<name>` or `skills/<name>`), and remove any
absolute/home-directory references to satisfy the "no user-specific directories"
guideline.
In `@plugins/cc-plugin-eval/skills/evaluate-skill/SKILL.md`:
- Line 14: The README line embeds a user-specific home path
(~/.claude/plugins/cache/...), which must be replaced with a generic cache
location placeholder; update the skill-resolution instruction in SKILL.md (the
default entrypoint text "Evaluate this skill." and the following resolution
rule) to use a variable like <PLUGIN_CACHE_DIR> or ${PLUGIN_CACHE_DIR} (or "the
plugin cache directory") instead of the absolute ~ path, and state “resolve
under <PLUGIN_CACHE_DIR>/skills/<skill-name> first, then repo-local
skills/<skill-name>”; keep the ambiguity behavior (ask one short clarifying
question if ambiguous) unchanged.
In `@plugins/cc-plugin-eval/src/evaluators/skill.js`:
- Line 253: The current triggerPattern (/ (use when|should be used
when|trigger|triggers on)/i) is too permissive because the lone "trigger"
alternative causes false matches; update the triggerPattern variable (and any
similar patterns in the nearby block handling CC203 between lines 255-268) to
require phrase-level trigger wording such as "use when", "should be used when",
"triggered when", "triggers when", or "triggers on" (use word boundaries) so
standalone "trigger" doesn't match; adjust the regex to include these full
phrases (e.g., require "trigger" only when followed/preceded by contextual
words) and replace the existing triggerPattern with the tighter expression.
In
`@plugins/html-effectiveness/skills/html-effectiveness/assets/claude-code-bleeding-edge.html`:
- Around line 1521-1541: In openHashSection(), after the requestAnimationFrame
callback that calls el.scrollIntoView(...), set a temporary tabindex="-1" on the
target element (el), call el.focus() to give keyboard/screen-reader context, and
then remove that tabindex if the element did not originally have a tabindex;
ensure you treat el as an HTMLElement (the variable named el in openHashSection)
and perform the focus call inside the same requestAnimationFrame callback (after
scrollIntoView) so focus occurs post-scroll while respecting the existing
prefersReducedMotion logic.
In `@tooling/scripts/weave-validate.sh`:
- Around line 71-75: The current SHELL_FILES/SHELL_COUNT flow builds a
space/newline-delimited string from find and re-parses it with xargs which is
not path-safe; update the find invocation(s) that populate SHELL_FILES (and the
similar block at lines 128-137) to use null-delimited output (find ... -print0)
and then consume it with a null-safe consumer (either xargs -0 shellcheck ... or
a while IFS= read -r -d '' loop) so file paths with spaces/newlines are handled
correctly and counts are computed reliably (adjust SHELL_COUNT calculation to
count null-delimited entries rather than echo|wc -l). Ensure you replace
references to echo "$SHELL_FILES" | xargs ... with the null-safe alternative and
keep the same failure/exit behavior.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
Push a commit to this branch (recommended)
Create a new PR with the fixes
ℹ️ Review info⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 8bef7b8d-d0c5-4066-9071-8cb20f04bcc9
📥 Commits
Reviewing files that changed from the base of the PR and between 2f33422 and a9be3b2.
📜 Review details⏰ Context from checks skipped due to timeout of 120000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
plugins/**/SKILL.md: Skill definitions consumed by Claude Code agents. Review for: YAML frontmatter with required fields (name, description), name is kebab-case and max 64 chars, description is max 1024 chars and clearly explains WHEN to use the skill. Skill body should have clear workflow steps, verification criteria, and failure conditions. Flag phantom tool references (tools that don't exist in Claude Code). Flag skills that reference absolute paths or user-specific directories.
STRUCTURAL INVARIANTS — flag violations as blocking: 1. Every SKILL.md must start with valid YAML frontmatter (--- delimiters). 2. name and description fields are required in frontmatter. 3. Skills must not reference MCP tools that may not be installed. 4. Skills should not duplicate content already in CLAUDE.md.
Shell scripts must use set -euo pipefail at script start, quote all variables as "$var", and pass shellcheck validation
Files:
tooling/scripts/weave-validate.sh
tooling/scripts/**
⚙️ CodeRabbit configuration file
Build and validation scripts. weave-validate.sh is the single validation entrypoint — all CI checks must be reproducible locally through this script. Review for: shellcheck compliance, idempotency, clear error messages, and that new validation steps are added to both weave-validate.sh and ci.yml.
Route agent output to single self-contained .html files using Thariq Shihipar's html-effectiveness pattern catalog with data-driven decision tree for pattern selection
Unescaped angle brackets in quoted attributes are valid HTML5; escaping is optional.
The < and > characters inside a properly closed double-quoted attribute value conform to HTML5's tokenization rules. While escaping them (< / >) improves consistency and silences non-conforming validators, it is not required for correctness. Consider escaping for uniformity across the file if other attributes follow that pattern, but this is not a blocking issue.
thread iM6DV9D5 from @chatgpt-codex-connector: needs-human — no rule matched — keeping blocked for manual review...
Addressed with commit 0289180: tooling/scripts/weave-validate.sh now counts shell script entries via null-delimited byte counting (tr -cd '\0' | wc -c), removing the fragile grep/exit-code edge case that was keeping the ShellCheck safety thread unresolved.
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 2
♻️ Duplicate comments (1)
plugins/nuget-opensrc/bin/nuget-opensrc (1)
43-87: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Keep the timeout active until the body is consumed.
Line 44 and Line 72 clear the abort timers before r1.json() / r2.arrayBuffer(), so a stalled body read can still hang this CLI indefinitely.
Patch sketch
- let r1;+ let r1;+ let idx1 = null;
try {
r1 = await fetch(SEMVER1(lower), { signal: c1.signal });
- clearTimeout(t1);+ if (r1.ok) idx1 = await r1.json();
} catch (e) {
- clearTimeout(t1);
if (e.name === 'AbortError') {
throw new Error(`Request timeout after 15s for semver1 endpoint`);
}
throw e;
+ } finally {+ clearTimeout(t1);
}
- if (r1.ok) {- const idx1 = await r1.json();+ if (r1.ok) {
Apply the same pattern to both SemVer2 branches so arrayBuffer() stays inside the timed scope as well.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@plugins/nuget-opensrc/bin/nuget-opensrc` around lines 43 - 87, The abort
timers (t1, t2) are cleared before consuming the response body (r1.json() and
r2.arrayBuffer()), which allows a stalled body read to hang; update the SEMVER1
and SEMVER2_GZ fetch flows so the clearTimeout(t1) and clearTimeout(t2) calls
occur after the awaited body consumption (i.e., move clearTimeout(t1) to after
await r1.json() and clearTimeout(t2) to after await r2.arrayBuffer()/gunzip
handling), keeping the AbortController signal in scope so the timeout can still
abort both the fetch and the body read.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In
`@plugins/html-effectiveness/skills/html-effectiveness/assets/agent-spawn-deck-demo.html`:
- Line 350: The shell redirection string that builds the path using ~ (e.g. " >
~/repo-audit/scans/" + t.id + ".log 2>&1 &") should quote the tilde-expanded
path so home directories with spaces are handled; update each occurrence (the
string concatenation that uses t.id) to wrap the path in quotes inside the shell
command (for example change > ~/repo-audit/... to > " ~/repo-audit/... " or
better > " ~/repo-audit/scans/" + t.id + ".log" 2>&1 &) ensuring proper escaping
for the surrounding JS/HTML string literal so the final shell sees a quoted
path.
In `@plugins/nuget-opensrc/bin/nuget-opensrc`:
- Around line 52-90: The current loop over idx1.items fetches SemVer1 pages to
check for wantedVersion but does not preserve the discovered item/page, causing
a second walk in findEntry(); update fetchRegistration() so when you find the
matching catalogEntry (inside the for (const page of idx1.items) / for (const it
of items) loops) you either return that matching item immediately (so
fetchRegistration() yields the versioned entry) or assign the fetched items back
to page.items (e.g., page.items = items) before returning idx1 so subsequent
findEntry() reuses the hydrated page and avoids re-fetching; ensure this change
references idx1, page, items, wantedVersion, and findEntry() so lookups stay
single-pass.
---
Duplicate comments:
In `@plugins/nuget-opensrc/bin/nuget-opensrc`:
- Around line 43-87: The abort timers (t1, t2) are cleared before consuming the
response body (r1.json() and r2.arrayBuffer()), which allows a stalled body read
to hang; update the SEMVER1 and SEMVER2_GZ fetch flows so the clearTimeout(t1)
and clearTimeout(t2) calls occur after the awaited body consumption (i.e., move
clearTimeout(t1) to after await r1.json() and clearTimeout(t2) to after await
r2.arrayBuffer()/gunzip handling), keeping the AbortController signal in scope
so the timeout can still abort both the fetch and the body read.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
Push a commit to this branch (recommended)
Create a new PR with the fixes
ℹ️ Review info⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 51fbf347-cef7-41e4-8691-7fa41ca8a3d7
📥 Commits
Reviewing files that changed from the base of the PR and between 339a788 and 0289180.
📜 Review details⏰ Context from checks skipped due to timeout of 120000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
Shell scripts must use set -euo pipefail at script start, quote all variables as "$var", and pass shellcheck validation
Files:
tooling/scripts/weave-validate.sh
tooling/scripts/**
⚙️ CodeRabbit configuration file
Build and validation scripts. weave-validate.sh is the single validation entrypoint — all CI checks must be reproducible locally through this script. Review for: shellcheck compliance, idempotency, clear error messages, and that new validation steps are added to both weave-validate.sh and ci.yml.
Files:
tooling/scripts/weave-validate.sh
🧠 Learnings (1)📓 Common learnings
Learnt from: CR
Repo: ANcpLua/ancplua-claude-plugins
Timestamp: 2026-05-20T04:51:19.520Z
Learning: Rider IDE hints from the daemon must be applied to an isolated dry-run branch via JetBrains MCP server; never commit, push, or suppress hints
Learnt from: CR
Repo: ANcpLua/ancplua-claude-plugins
Timestamp: 2026-05-20T04:51:19.520Z
Learning: Release workflow for .NET repos must auto-detect three patterns: auto-bump on main, tag with manual approval, or tag-direct; never edit <Version> lines, never reassign ghost tags
Learnt from: CR
Repo: ANcpLua/ancplua-claude-plugins
Timestamp: 2026-05-20T04:51:19.520Z
Learning: Mutation-minded testing must prioritize kill power over code coverage; tests should focus on behavior-first quality with mutation testing as the signal
Learnt from: CR
Repo: ANcpLua/ancplua-claude-plugins
Timestamp: 2026-05-20T04:51:19.520Z
Learning: Code elegance is measured as problem-complexity / solution-complexity; prefer less code, compile-time solutions over runtime, and zero suppression
Learnt from: CR
Repo: ANcpLua/ancplua-claude-plugins
Timestamp: 2026-05-20T04:51:19.520Z
Learning: Multi-agent orchestration workflows must use reactive collaboration via Teams API (SendMessage) instead of fire-and-fire subagents
Learnt from: CR
Repo: ANcpLua/ancplua-claude-plugins
Timestamp: 2026-05-20T04:51:19.520Z
Learning: Commit integrity checks and CI verification scripts must be part of the cognitive amplification stack for epistemic validation
Learnt from: CR
Repo: ANcpLua/ancplua-claude-plugins
Timestamp: 2026-05-20T04:51:19.520Z
Learning: Agent output must be routed to single self-contained .html files based on Thariq Shihipar's html-effectiveness pattern catalog with 20 canonical patterns
Learnt from: CR
Repo: ANcpLua/ancplua-claude-plugins
Timestamp: 2026-05-20T04:51:19.520Z
Learning: Correctness in agent systems must be inferred exclusively from externally observable behavior, not code opaqueness
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
`@plugins/html-effectiveness/skills/html-effectiveness/assets/agent-spawn-deck-demo.html`
at line 350, The shell redirection string that builds the path using ~ (e.g. "
> ~/repo-audit/scans/" + t.id + ".log 2>&1 &") should quote the tilde-expanded
path so home directories with spaces are handled; update each occurrence (the
string concatenation that uses t.id) to wrap the path in quotes inside the shell
command (for example change > ~/repo-audit/... to > " ~/repo-audit/... " or
better > " ~/repo-audit/scans/" + t.id + ".log" 2>&1 &) ensuring proper escaping
for the surrounding JS/HTML string literal so the final shell sees a quoted
path.
The reason will be displayed to describe this comment to others. Learn more.
🧹 Nitpick | 🔵 Trivial | ⚡ Quick win
Do not walk the SemVer1 feed twice for Pkg@ver.
This probe fetches every SemVer1 page to decide whether to fall back, then Line 140 walks the same pages again in findEntry(). Return the matching item from fetchRegistration() or hydrate page.items once so versioned lookups stay single-pass.
Also applies to: 139-140
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@plugins/nuget-opensrc/bin/nuget-opensrc` around lines 52 - 90, The current
loop over idx1.items fetches SemVer1 pages to check for wantedVersion but does
not preserve the discovered item/page, causing a second walk in findEntry();
update fetchRegistration() so when you find the matching catalogEntry (inside
the for (const page of idx1.items) / for (const it of items) loops) you either
return that matching item immediately (so fetchRegistration() yields the
versioned entry) or assign the fetched items back to page.items (e.g.,
page.items = items) before returning idx1 so subsequent findEntry() reuses the
hydrated page and avoids re-fetching; ensure this change references idx1, page,
items, wantedVersion, and findEntry() so lookups stay single-pass.
🔵 iM6DXWVE — nuget-opensrc/bin/nuget-opensrc Line 90 (Nitpick)
fetchRegistration() walks all semver1 pages inline to probe for wantedVersion, but doesn't cache the fetched items — so findEntry() re-fetches the same inline pages. Fix: assign page.items = items during the probe loop before returning idx1, so findEntry() reuses the already-hydrated data:
for (const page of idx1.items) {
- const items = page.items || (await fetchJson(page['`@id`'])).items;+ const items = page.items ?? (await fetchJson(page['`@id`'])).items;+ page.items = items; // cache so findEntry() doesn't re-fetch
for (const it of items) {
if (it.catalogEntry.version === wantedVersion) {
found = true; break;
}
}
Third-party threads — all require manual dismissal
Thread
Bot
Status
iM6DV9KY, iM6DV9Kb
Codacy
weave-validate.sh now uses `find -print0 + tr -cd '\0'
Complains about grep -zc producing 0\n0 — current code uses tr-based counting instead, making this thread stale — dismiss
iM6DXRSM
Copilot
Unquoted $HOME — fixed in autofix commit 3e0f262 — dismiss
iM6DV9vM / iM6DXRSQ
Copilot
PR title says docs-only but includes validation/plugin additions — update the PR title to reflect actual scope or dismiss
iM6DV9vQ
Copilot
html-effectiveness already bumped to 1.2.1 in the manifest — dismiss
iM6DXINz, iM6DXIN1
chatgpt-codex
Semver2 fallback for pinned versions — fixed in current fetchRegistration() — dismiss
iM6DXINv
chatgpt-codex
Claims gunzipSync double-decompresses: NuGet's registration5-gz-semver2 uses content-level gzip (Content-Type: application/gzip), not HTTP transport encoding — Node's fetch only auto-decodes Content-Encoding: gzip, so gunzipSync is correct. Dismiss after verifying locally with curl -I on the endpoint.
iM6DV9D5
chatgpt-codex-connector
Configure a Codex environment or dismiss manually — won't self-resolve
Treating spec with a trailing @ as valid causes silent mis-resolution: for input like Microsoft.Extensions.Logging@, wantedVersion becomes an empty string, and downstream checks (if (wantedVersion)) treat it as “no version provided,” so the command fetches the latest package instead of failing fast. In a commit-pinning tool this typo path can silently return the wrong source revision; it should be a usage error (exit 2) rather than defaulting to latest.
The reason will be displayed to describe this comment to others. Learn more.
Reject unexpected extra CLI arguments
The CLI accepts any additional tokens after <Pkg>[@<ver>] and silently ignores them because it only reads args[1]. That means invocations like nuget-opensrc path Microsoft.Extensions.Logging @8.0.0 resolve Microsoft.Extensions.Logging as if no version was requested, returning the latest commit instead of failing. For a commit-accuracy tool, extra positional arguments should be treated as invalid usage rather than partially parsed.
Informational confirmations of already-applied regex/key changes
iM6DXRSF
Copilot
Complained about grep -zc; that's gone, replaced by tr-based counting
iM6DXRSM
Copilot
Line 348 already reads "--add-dir \"$HOME/repo-audit\""
iM6DV9vM, iM6DXRSQ
Copilot
Scope/title mismatch — update PR title to reflect actual content or dismiss
iM6DV9vQ
Copilot
html-effectiveness already at 1.2.1
iM6DXINv
chatgpt-codex
gunzipSync is correct: NuGet's registration5-gz-semver2 delivers content-level gzip (Content-Type: application/gzip), not transport-level (Content-Encoding: gzip); Node fetch only auto-decodes the latter
iM6DXINz, iM6DXIN1
chatgpt-codex
SemVer2/prerelease fallback is now in fetchRegistration — probe loop + gz-semver2 retry when version not found in semver1
iM6DV9D5
chatgpt-codex-connector
Configure a Codex environment or dismiss manually
🔴 Remaining code fixes
iM6DXWVC — Lines 350, 361, 370 in agent-spawn-deck-demo.html still use bare ~ (only line 348 was fixed):
iM6DXWVE — fetchRegistration walks every semver1 page in the probe loop but doesn't cache page.items, so findEntry re-fetches the same pages (double network round-trips). Fix: assign page.items = items inside the probe loop before returning idx1.
iM6DXYrC (codex P2) — Pkg@ produces wantedVersion = "", which is falsy, silently falling back to latest. Fix:
const wantedVersion = at >= 0 ? spec.slice(at + 1) : null;
if (!id) throw new Error(`empty package id in '${spec}'`);
+ if (at >= 0 && !wantedVersion) {+ process.stderr.write('usage: nuget-opensrc (path|info) <Package.Id>[@<version>]\n');+ return 2;+ }
iM6DXYrD (codex P2) — Extra args silently ignored; nuget-opensrc path Pkg @8.0.0`` resolves as if no version was given. Fix: check args.length > 2:
if (!['path', 'info'].includes(cmd) || !spec) {
+ if (args.length > 2) {+ process.stderr.write('usage: nuget-opensrc (path|info) <Package.Id>[@<version>]\n');+ return 2;+ }
Running autofix on the two CodeRabbit threads now.
iM6DXWVE — nuget-opensrc/bin/nuget-opensrc — double-walk of SemVer1 pages (nitpick): fetchRegistration already walks all pages in its probe loop but doesn't cache page.items; findEntry then re-fetches the same inline pages. Fix is one line per iteration:
for (const page of idx1.items) {
- const items = page.items || (await fetchJson(page['`@id`'])).items;+ const items = page.items ?? (await fetchJson(page['`@id`'])).items;+ page.items = items; // hydrate so findEntry() reuses without re-fetching
for (const it of items) {
⚠️ New chatgpt-codex threads — real bugs, manual action required
Both are in nuget-opensrc/bin/nuget-opensrc. The bugs are genuine:
iM6DXYrC — Pkg@ → wantedVersion = "" (falsy) → treated as "no version" → silently fetches latest instead of erroring. Fix in resolve():
+ if (at >= 0 && !wantedVersion) throw new Error(`empty version in '${spec}'; use 'Pkg' or 'Pkg@1.2.3'`);
iM6DXYrD — nuget-opensrc path Foo @1.0.0`` silently resolves Foo without version because only `args[1]` is consumed. Fix in `main()`:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
This pull request makes a minor update to the plugin manifest by refining the plugin's description to be more concise and focused.
descriptionfield inplugin.jsonto clarify and streamline the explanation of the plugin's features, emphasizing its CLI nature and the main evaluation tasks it supports.