Skip to content

fix(claude-skills-troubleshooting): use lastUpdated for cache freshness check#110

Open
FearlessLitre wants to merge 195 commits into
daymade:mainfrom
FearlessLitre:fix/marketplace-cache-freshness-lastupdated
Open

fix(claude-skills-troubleshooting): use lastUpdated for cache freshness check#110
FearlessLitre wants to merge 195 commits into
daymade:mainfrom
FearlessLitre:fix/marketplace-cache-freshness-lastupdated

Conversation

@FearlessLitre

Copy link
Copy Markdown

Problem

diagnose_plugins.py's check_cache_freshness() decides whether a marketplace cache is stale by reading the filesystem mtime of the cache directory (~/.claude/plugins/cache/<name>).

That mtime is unreliable. claude plugin marketplace update refreshes files inside the nested cache repo (a git pull into a subdirectory), which does not update the top-level directory's mtime on Windows (and often not on Linux/macOS either). As a result, caches that were just updated are reported as stale forever.

Reproduction

⚠️  Stale marketplace caches detected:
   - superpowers-dev: 126 days old
   - thedotmack: 126 days old

…even immediately after running claude plugin marketplace update <name> for each, and even though known_marketplaces.json shows every lastUpdated timestamp as today:

Marketplace Dir mtime (old logic) lastUpdated (actual)
superpowers-dev 2026-02-21 2026-06-28
thedotmack 2026-02-21 2026-06-28

Fix

Read the authoritative lastUpdated ISO-8601 timestamp from known_marketplaces.json — the value claude plugin marketplace update actually writes — instead of the directory mtime. Falls back to the old directory-mtime behavior only when no lastUpdated field is present, so nothing regresses for older configs.

  • Adds a small _parse_last_updated() helper (handles the trailing Z / timezone normalization).
  • check_cache_freshness() signature unchanged; no other functions touched.
  • Verified python -m py_compile passes and the false-positive stale warnings disappear against a real config.

daymade and others added 30 commits April 4, 2026 12:54
…UDE.md)

Prevents sensitive data (user paths, phone numbers, personal IDs) from
entering git history. Born from redacting 6 historical commits.

- .gitleaks.toml: custom rules for absolute paths, phone numbers, usernames
- .githooks/pre-commit: dual-layer scan (gitleaks + regex fallback)
- CLAUDE.md: updated Privacy section documenting the defense system

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…nciple, add date handling rules

- SKILL.md length driven by information density, not line count
- Factual dates (release dates, "last verified") should be kept — they help readers judge freshness
- Conditional date logic ("before X use old API") should be avoided

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… recovery

Previously, recover_content.py saved all files flat in the output directory,
causing files with the same name (e.g., src/utils.py and tests/utils.py) to
overwrite each other.

Now the script preserves the original directory structure, creating subdirectories
as needed within the output directory.

- Bump version: 1.0.0 → 1.0.1

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace hardcoded user paths that triggered gitleaks PII detection:
- /Users/username/ → ~/
- /Users/user/ → ~/
- -Users-username- → -Users-<username>- (normalized paths)

Also fix the sed example to use <home> placeholder instead of
regex pattern that would match actual usernames.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Update SKILL.md and workflow_examples.md to reflect the new behavior
of recover_content.py which now preserves original directory structure:

- SKILL.md: Add 'preserving the original directory structure' note
- SKILL.md: Update verification examples to use find command and
  show subdirectory paths (e.g., ./recovered_content/src/components/)
- workflow_examples.md: Update diff example to account for nested paths

Version bump: 1.0.1 → 1.0.2

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
asr-transcribe-to-text:
- Add local MLX transcription path (macOS Apple Silicon, 15-27x realtime)
- Add bundled script transcribe_local_mlx.py with max_tokens=200000
- Add local_mlx_guide.md with benchmarks and truncation trap docs
- Auto-detect platform and recommend local vs remote mode
- Fix audio extraction format (MP3 → WAV 16kHz mono PCM)
- Add Step 5: recommend transcript-fixer after transcription

transcript-fixer:
- Optimize SKILL.md from 289 → 153 lines (best practices compliance)
- Move FALSE_POSITIVE_RISKS (40 lines) to references/false_positive_guide.md
- Move Example Session to references/example_session.md
- Improve description for better triggering (226 → 580 chars)
- Add handoff to meeting-minutes-taker

skill-creator:
- Add "Pipeline Handoff" pattern to Skill Writing Guide
- Add pipeline check reminder in Step 4 (Edit the Skill)

Pipeline handoffs added to 8 skills forming 6 chains:
- youtube-downloader → asr-transcribe-to-text → transcript-fixer → meeting-minutes-taker → pdf/ppt-creator
- deep-research → fact-checker → pdf/ppt-creator
- doc-to-markdown → docs-cleaner / fact-checker
- claude-code-history-files-finder → continue-claude-work

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
SKILL.md: rewritten following Anthropic best practices
- Concise (233 lines, down from 347)
- Critical VHS parser limitations section (base64 workaround)
- Advanced patterns: self-bootstrap, output filtering, frame verification
- Better description for skill triggering

New files:
- references/advanced_patterns.md: production patterns from dbskill project
- assets/templates/self-bootstrap.tape: self-cleaning demo template

auto_generate_demo.py: new flags
- --bootstrap: hidden setup commands (self-cleaning state)
- --filter: regex pattern to filter noisy output
- --speed: post-processing speed multiplier (gifsicle)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… marketplaces

Encodes proven methodology from real marketplace development:
- 4-phase workflow: Analyze → Create → Validate → PR
- 8 schema hard-rules (verified against Claude Code source)
- 13 anti-patterns from production debugging
- Complete marketplace.json schema reference
- Marketplace maintenance rules (version bumping, description updates)

Also fixes: remove invalid metadata.homepage from our own marketplace.json

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sync check (skills ↔ marketplace.json), metadata audit,
per-plugin validation, and final claude plugin validate gate.
All users installing this skill get these process guards.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When marketplace-dev is installed, any Write/Edit to a marketplace.json
automatically runs `claude plugin validate` and reports pass/fail.
Users get instant feedback without remembering to validate manually.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Two hooks now active for marketplace-dev users:
1. Edit marketplace.json → auto-validate schema
2. Edit any SKILL.md → warn if version bump needed or skill unregistered

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Use twitter-cli for structured metadata (likes, retweets, bookmarks)
- Use Jina API for content with images
- Auto-download all images to attachments/
- Generate Markdown with YAML frontmatter and local image references
- Security scan passed

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Update description to reflect new fetch_article.py capabilities
- Add keywords: images, attachments, markdown

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
weasyprint renders <pre> blocks with monospace fonts that lack CJK glyphs,
causing Chinese/Japanese/Korean characters to display as garbled text.

Fix: add _fix_cjk_code_blocks() preprocessor that detects CJK in <pre><code>
and converts to <div class="cjk-code-block"> with inherited body font.
Pure-ASCII code blocks are left untouched.

Also adds code/pre/pre-code CSS rules to both themes (default + warm-terra)
that were previously missing entirely.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…e blocks

v1.3.0 incompletely fixed CJK code block rendering. Two gaps remained:

1. _CJK_RANGE only matched Chinese ideographs; Japanese Hiragana/Katakana
   and Korean Hangul were still garbled. Extended range to cover all CJK
   Unicode blocks.

2. Regex `<pre><code>` missed pandoc's syntax-highlighting wrapper
   `<pre class="sourceCode python"><code class="sourceCode python">`,
   so Python/JS/etc. code blocks with CJK comments were skipped.
   Relaxed to `<pre[^>]*><code[^>]*>` and strip <span> highlight
   wrappers inside converted CJK blocks.

Adds scripts/tests/test_cjk_code_blocks.py regression test (6 scenarios)
and fixes README.md quickstart/requirements which still referenced the
obsolete `markdown` Python package (script uses pandoc via subprocess).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Release 1.41.0 adding ima-copilot, a wrapper-layer skill around the official
Tencent IMA skill (ima.qq.com). Installs upstream ima-skill to Claude Code /
Codex / OpenClaw via vercel-labs/skills in its default symlink mode, guides
API key setup, detects and repairs known upstream issues under explicit user
consent, and implements a personalized fan-out search strategy with priority
knowledge base boosting and silent 100-result truncation detection.

Wrapper contract — never vendor upstream files, every repair is a runtime
instruction executed with user consent, so upstream upgrades never collide
with local fixes. Ships only detection + repair instructions, not patched
files, so the skill can stay decoupled from upstream's release cadence.

Bundled: install_ima_skill.sh (staged download + npx skills add), diagnose.sh
(read-only health check with realpath-based dedup across symlinked agents),
search_fanout.py (parallel cross-KB search with priority/skip lists), and
four reference documents covering installation, credentials, known issues,
and search best practices.

Dogfood-driven fixes landed alongside initial scaffolding:
- install_ima_skill.sh now targets the root SKILL.md instead of the first
  match, avoiding accidental selection of a submodule path
- known_issues.md repair commands use `command cp/mv` to bypass any user
  shell aliases that would otherwise hang on "overwrite?" prompts
- diagnose.sh recognizes Strategy-A-applied state (MODULE.md rename) as OK
  instead of treating the missing SKILL.md as a warning
- diagnose.sh groups agents by realpath so symlinked installs report each
  underlying issue exactly once

Release chores: marketplace.json version 1.40.1 → 1.41.0, skill count
43 → 44, new plugin entry, CHANGELOG, README (EN + zh-CN), and repo CLAUDE.md
updated per the release guide.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Release 1.42.0 introducing workflows/wrapper-skill/ — a retrospective
distillation workflow that turns the current conversation into a reusable
companion skill for a third-party CLI tool. The workflow's premise is that
the best raw material for a wrapper skill is a session where a user and
Claude have just finished installing, debugging, and fixing the tool
together. That session contains literal install commands that worked,
literal error messages that were hit, literal fix commands that resolved
them, and the design tradeoffs that were made explicit in conversation.

Step 2 of workflow.md is conversation mining — extracting 2a install flow,
2b credentials, 2c bugs + fixes, 2d design decisions, discarding 2e noise.
The rest of the workflow feeds this mined output into scaffolded skeleton
files following the architecture contract (never vendor upstream, runtime
repair over ship-time patches, explicit consent for upstream-file changes,
idempotent/reversible/alias-safe repair commands, teach agents not humans,
independent evolution from upstream, private preferences stay private).

Bundled: workflow.md (main orchestration), architecture_contract.md (7 hard
principles), patterns.md (copy-pasteable templates for SKILL.md, install
script, diagnose script, known_issues registry, config template — each
annotated with the lesson baked in), verification_protocol.md (post-
generation cross-reference against the source conversation rather than a
full re-dogfood), scripts/init_wrapper_skill.py (bootstrap scaffold with
unmissable FILL-FROM-STEP-X placeholders).

skill-creator/SKILL.md root entry gains a routing section between Capture
Intent and Prior Art Research that tells the agent to jump to the wrapper
workflow when the signals apply, and to skip the generic skill-creation
flow entirely.

Canonical reference implementation: ima-copilot, the Tencent IMA wrapper
distilled during a real session. Every pattern in this workflow traces to
a concrete file in ima-copilot: command-prefix alias bypass, root SKILL.md
detection preferring known layouts, realpath-based symlink dedup in
diagnose, idempotent/reversible repair commands backing up to
/tmp/<skill>-backups/<ts>/, XDG credentials with env-var fallback.

Release chores: marketplace.json metadata.version 1.41.0 → 1.42.0,
skill-creator plugins[].version 1.6.0 → 1.7.0, description mentions the
new wrapper workflow, keywords add wrapper-skill and cli-wrapper,
CHANGELOG entry describing each file added.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…1.7.1

Release 1.43.0. Four adversarial agent reviews (skeptic / contract
enforcer / fresh-user simulator / formal reviewer) surfaced 16 real
findings across the two skills just shipped. This commit lands the 9
fixes from the A track (shipped-code bugs) and the B track (high-value
workflow design improvements). Six findings were deferred to a follow-up
session — they require architectural rework (CLI-binary wrapper support,
second reference implementation) that does not belong in a fix commit.

## ima-copilot v1.0.0 → v1.0.1

Contract violations caught against the skill's own architecture_contract.md:

- Principle 6 (independent evolution) violation: SKILL.md, known_issues.md,
  and installation_flow.md hardcoded `1.1.2` as the observed upstream
  version. All three now use version-agnostic phrasing; the install script
  keeps the version as an overridable default which is explicitly allowed.
- Principle 4 (alias-safe) violation: known_issues.md Strategy A used bare
  `sed -i.bak` and `rm -f` commands. Added `command` prefix to all three,
  matching the existing `command mv` / `command cp` convention. A user
  shell with `alias rm='rm -i'` or `alias sed='sed -i'` would previously
  have hung on a TTY prompt during repair.

Dogfood-driven robustness fixes:

- install_ima_skill.sh: added a Node.js ≥18 preflight check. The `npx
  skills add` distribution path needs a modern Node runtime; the failure
  on old Node is otherwise an opaque error.
- diagnose.sh check_submodule: now explicitly recognizes and warns on the
  dual-state where both SKILL.md and MODULE.md exist simultaneously (can
  happen when a user switched repair strategies mid-session or restored a
  partial backup). Previously reported clean while the install was in a
  conflicted state — a silent correctness bug.
- search_fanout.py rank_groups: added kb_name as a secondary sort key for
  deterministic byte-identical output under network-timing variance.
  Previously the tie-break depended on ThreadPoolExecutor.map completion
  order.

Verified-false-positive from the formal review:

- Agent 4 flagged the SKILL.md description as exceeding a 1024-char cap,
  but the actual length is 921 chars and quick_validate (which enforces
  the 1024 cap at skill-creator/scripts/quick_validate.py:184) already
  passes on this skill. The finding was based on a counting error. No
  change made.

## skill-creator v1.7.0 → v1.7.1

Wrapper-skill workflow hardening from the counter-review:

- workflow.md Step 2: added "How to access the conversation" subsection
  covering three cases (same session → scroll history; follow-up session
  → claude-code-history-files-finder or read ~/.claude/projects/ JSONL
  directly; neither available → stop and tell the user, do not fabricate).
  Previous version told fresh agents to "scan the conversation from its
  beginning" with no tooling guidance — a hard blocker for follow-up
  sessions where the source conversation is not in context.
- workflow.md Step 1: added "AskUserQuestion fallback" subsection making
  clear that the consent requirement is the explicit user choice, not the
  specific tool name. Harnesses without AskUserQuestion (Codex, older
  Claude Code versions, custom builds) can fall back to numbered inline
  options. Previous version treated AskUserQuestion as a hard requirement
  and would have left agents on other harnesses unable to execute the
  workflow.
- patterns.md: new "Runtime-logic patterns shared across wrappers" section
  with three generalizable insights distilled from ima-copilot's
  search_fanout.py but not originally captured in the workflow. The
  patterns — capability partitioning (enumerate vs operate permission
  asymmetry), undocumented limit detection (silent truncation
  heuristics), scoped liveness checks — apply to a much wider class of
  third-party APIs than IMA (GitHub, Slack, Notion, Google Drive, Aliyun,
  Linear examples included). The counter-review identified these as the
  most transferable insights from the original session, which were
  previously treated as ima-copilot-specific detail rather than universal
  patterns.
- verification_protocol.md: restructured from a single "verification is
  not dogfood" dogma into Track 1 (session cross-reference for literal
  transcriptions like install.sh and known_issues.md) and Track 2 (smoke
  test / unit test for runtime logic like scripts/*.py). The previous
  dogma was correct for Track 1 but wrongly exempted Track 2 runtime
  code from testing — search_fanout.py was in fact never exercised
  before shipping, and the old protocol endorsed that. Track 2 files now
  have an explicit mandatory smoke test with a minimum realistic-input
  invocation before commit.

## Deferred to follow-up session

Six findings need architectural rework and are tracked as TODOs:

- B1: wrapper-skill workflow assumes zip + npx skills add distribution,
  over-fits to skill-package wrappers, needs CLI-binary wrapper support
  and a second reference implementation (~300 lines + significant
  restructuring).
- B6: config-template/ should be demoted from universal pattern to
  conditional component.
- Agent 4 M2-M3: additional diagnose.sh and search_fanout.py edge cases
  not on the ship-blocker path.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Release 1.44.0. A fifth adversarial agent audit checked the wrapper-skill
workflow documents against the canonical ima-copilot implementation within
the in-scope distribution model (zip archives distributed via `npx skills
add` to Claude Code / Codex / OpenClaw). The audit surfaced 13 on-scope
lessons — concrete patterns, decisions, and guardrails — that were present
in the ima-copilot source code but had not been elevated to named
patterns in the workflow docs. A careful copy-paste of the patterns.md
templates would catch most of them; a less careful adapter would ship a
wrapper with a known defensive gap. This commit lands all 13.

## Install template additions (patterns.md + workflow.md Step 5)

- Download integrity defense in depth: `curl --fail -o ... -w "%{http_code}"`
  with explicit 200 branch, followed by `wc -c` size sanity check rejecting
  archives below an absolute floor before extraction. The size check is the
  one that catches the worst real upstream failure mode — a redirect to an
  HTML error page returning a "success" status that would otherwise be
  handed to `unzip` to produce confusing downstream errors. Previously the
  template had a `<download and extract>` placeholder.
- Node.js ≥18 prerequisite check parsed separately from the `command -v`
  loop. `command -v node` verifies presence only; `npx skills add` fails
  opaquely on Node 16. Previously absent from the template even though
  ima-copilot's actual install script has it.
- Zero-agents-detected fallback policy named and documented: after auto-
  detection finds no installed target agents, the script prints an
  explicit "looked for: …" list and defaults to claude-code. Three
  alternatives (abort / silent-skip / default) were considered during
  the ima-copilot session; the documented choice is default-to-claude-code
  because abort is hostile and silent-skip is mystifying. Previously
  implicit in the template code but not called out as a decision.

## Known issues template additions (patterns.md + workflow.md Step 6)

- `**Why upstream probably hasn't fixed it**` is now a required schema
  field alongside Symptom / Root cause / Impact. This is the field that
  keeps the repair section load-bearing across upstream upgrades — without
  it, future readers will assume the wrapper is out of date and remove the
  repair on next upgrade.
- Status field guidance updated to prefer version-agnostic phrasing
  ("Observed on recent upstream releases when loaded by X") over
  version-pinned phrasing ("Open in upstream v1.1.2") to avoid drift,
  matching the principle-6 fix applied to ima-copilot in the previous
  commit.
- `Strategy skip` is now a first-class documented third option alongside
  Strategy A and Strategy B. Users on tolerant platforms may legitimately
  not want a repair; naming the skip branch prevents the "did I forget?"
  failure mode by making inaction an explicit choice.
- Backup directory naming convention elevated from inline code to named
  pattern: `/tmp/<wrapper-skill-name>-backups/$(date +%Y%m%d-%H%M%S)` with
  optional `$$` suffix for sub-second rerun uniqueness. Format was chosen
  to sort correctly and be human-readable.
- `sed -i.bak ... && command rm -f *.bak` portability dance documented
  with the cross-BSD/GNU rationale. Bare `-i` fails on BSD sed; `-i ''`
  fails on GNU sed; `.bak` works on both. Previously the template used
  the pattern but didn't explain it.
- `[ -f ... ] &&` guard rationale: the guard makes the backup cp
  idempotent across reruns where the source file has already been
  renamed/consumed by a previous run. Previously shown in the template
  code but not called out as why-it-exists.
- `command` prefix requirement extended explicitly to `rm` and `sed`
  (not just `cp` and `mv`), matching the principle-4 fix applied to
  ima-copilot in the previous commit.

## Diagnose template additions (patterns.md + workflow.md Step 7)

- New "Detection function return-code contract" subsection spelling out
  the full required state enumeration: untouched-good, untouched-broken,
  target-not-present (legitimately different from broken), one healthy
  code per applied strategy, and the dual-state conflicted code. This is
  the single hardest lesson from the ima-copilot session — a detection
  function that doesn't recognize the dual state (e.g., both SKILL.md and
  MODULE.md present after a partial repair) silently passes conflicted
  installs as healthy. The fix is a one-line check at the top of every
  scan function; leaving it out is a latent footgun.
- `find_install` variadic candidate-path rationale: agents whose home-
  directory layout has not stabilized (OpenClaw in ima-copilot is the
  canonical example) should be probed against an ordered list of
  candidate paths rather than a single path, and designing the helper as
  variadic from day one avoids a painful refactor when a second candidate
  path becomes necessary.

## SKILL.md template additions (patterns.md)

- Explicit description-field checklist: literal error strings from the
  session (pattern matching requires the literal form), tool name in
  every language the session used (monolingual descriptions only trigger
  on monolingual queries), self-disambiguation clause naming the upstream
  package (prevents wrapper-vs-upstream trigger fighting), and the
  symptoms that triggered the original session. Plus a pointer to the
  enforced 1024-character cap in `quick_validate.py:184`.
- Routing table gains an explicit "when in doubt → diagnose" default
  since diagnose is the only read-only entry point and is the natural
  front-door for vague user questions.

## Credentials section additions (patterns.md)

- Liveness check verification must match on **response-body shape**, not
  just HTTP status. Many APIs (IMA included) return 200 OK with an error
  JSON body like `{"code": 401, "msg": "..."}` — a naive `curl --fail`
  check will pass a credential that fails the first real operation. The
  correct liveness check parses the response body and matches on a
  success-indicator field (`"code"\s*:\s*0` for IMA-style,
  `"access_token"` for OAuth, etc.).

## Deliberately skipped

The completeness audit was constrained to the scoped distribution model
(zip + npx skills add). Items that were flagged earlier as "CLI-binary
wrapper would do this differently" remain out of scope — this release
does not try to generalize beyond skill-package wrappers. The audit
confirmed the workflow is substantially complete within its scope after
this pass.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
One-stop installer and companion for the full 19-skill Gangtise (岗底斯投研)
catalog — data retrieval, research workflows, utility skills — to Claude Code
/ OpenClaw / Codex with 4 preset modes (full/workshop/minimal/custom), shared
XDG credentials, and a scoped liveness diagnostic.

Distilled from a 5-round discovery session that reverse-engineered the
Gangtise skill catalog. The Gangtise OBS bucket has LIST permission disabled,
so the full 19-skill inventory is not discoverable from any public manifest —
the enumeration took ~250 HEAD probes, 4 rounds of candidate expansion, and
cross-referencing against every SKILL.md's upstream references to converge.

5 ecosystem traps are documented in references/known_issues.md with working
runtime workarounds, none of which require vendoring upstream files:
ISSUE-001 two parallel product lines with unequal capability,
ISSUE-002 two skills distributed only inside the skills-client bundle,
ISSUE-003 double-Bearer prefix producing 'token is invalid',
ISSUE-004 skills-backend admin endpoints return 'the uri can't be accessed',
ISSUE-005 new-upstream-skill drift.

Verified end-to-end in a sandboxed HOME: full preset installs all 19 skills
in 4 HTTP requests, configure_auth.sh passes live oauth/loginV2 verification,
diagnose.sh reports 9/9 pass including scoped rag liveness.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Register claude-export-txt-better, douban-skill, and terraform-skill in
marketplace.json — they were tracked on disk but never added to the catalog.
Bump metadata.version 1.45.2 -> 1.46.0.

marketplace-dev v1.2.0 refine (the marketplace.json hook-rename portion was
piggybacked into the earlier gangtise-copilot commit; this commit adds the
remaining content changes):
- scripts/check_marketplace.sh — one-shot validator running JSON syntax ->
  claude plugin validate -> source+skills resolution -> reverse sync (disk
  SKILL.md -> manifest) in a single command. Zero external deps beyond bash
  + python3.
- Add tables of contents to references/anti_patterns.md (133 lines) and
  references/cache_and_source_patterns.md (176 lines), per Anthropic's
  official best practice for reference files >100 lines.
- Refine SKILL.md: extract inline Node.js resolution check and diff pipeline
  into check_marketplace.sh, document hooks/ auto-activation in a new
  "Bundled hooks" section, correct Phase 0 subagent history-mining paths
  to <session-id>/subagents/agent-*.jsonl.

Docs sync (CLAUDE.md, README.md, README.zh-CN.md): 44 -> 47 skills, 47 -> 50
plugin entries, add skill sections / use cases / quick links for the 3
newly-registered skills, bump marketplace badge 1.45.1 -> 1.46.0.

Security allowlist: douban-skill/.gitleaks.toml marks the two gitleaks
"generic-api-key" hits as false positives — both are the public Douban Android
APK credentials (shared by every app user, discovered via standard APK reverse
engineering), not user secrets. Verified via security_scan before registration.

Pre-commit validation: bash scripts/check_marketplace.sh passes all 4 checks
(JSON syntax, claude plugin validate, source+skills resolution, reverse sync).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
daymade and others added 29 commits June 14, 2026 18:01
…unt-is-not-KPI reframe (v1.3.0)

Methodology hardening from real-world usage (cases 15/16, 2026-06-14):
- Anti-pattern 9 (fake pointers): grep-verify every "→ reference" pointer
  targets content that actually exists before writing it (Step 4 hard gate)
- "Too big/too long" is an investigation trigger, not a license to cut —
  reframe to signal triage before touching line count
- Recommend an independent sub-agent for the 5b content-integrity audit on
  bulk compression (breaks the executor's optimism bias); appendix D adds prompt
- Expand description triggers (优化/精简/瘦身/重构 CLAUDE.md, mid-task handoff)

Bump daymade-claude-code suite 1.2.1 -> 1.3.0 (content update).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…g-network-issues work

claude-code-history-files-finder (daymade-claude-code suite 1.3.0 -> 1.4.0):
- analyze_sessions.py: resolve project paths via expanduser + resolve plus a
  basename reverse-lookup, so a ~ path, a relative path, or a bare project
  name no longer silently returns "No sessions found" (the encoded directory
  name is the ABSOLUTE working-dir path, not the basename). Ambiguous matches
  are listed, never guessed.
- SKILL.md: add a "reverse-look-up before concluding no history" gate; note
  that Claude Desktop cowork sessions also land in ~/.claude/projects/.
- references/session_file_format.md: correct to the real 2.x line schema
  (top-level type + nested message.role); document non-message event lines.

debugging-network-issues (1.2.0 -> 1.3.0): pre-existing in-flight changes that
were already in the working tree (NOT produced in this session), bundled here
at the user's request -- SKILL.md traps 11/12 + client-side proxy/TUN
checklist, references/case-proxy-tun-cname-override.md, marketplace/README sync.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add one-click setup for running multiple LLM providers (Kimi/GLM/DeepSeek/StepFun/Anthropic)
in separate Claude Code CLI windows simultaneously via CLAUDE_CONFIG_DIR isolation.

Includes:
- Portable claude-profiles.sh profile manager
- Marketplace path pollution fixer
- Provider settings templates
- Student setup guide and troubleshooting reference

Co-Authored-By: Claude <noreply@anthropic.com>
- Add claude-switch-models-setup to CLAUDE.md skill list (daymade#65)
- Add claude-switch-models-setup README suite list and numbered section (daymade#67)
- Update Chinese README suite list, numbered section (daymade#67), and badges
- Sync version badges 1.65.0 → 1.66.0 and skill count 64 → 65

Co-Authored-By: Claude <noreply@anthropic.com>
- Add Step 3.4 push-time verification checklist to SKILL.md
- Add references/push_time_gotchas.md
- Extend PR #2634 case study with merge-ready maintenance arc
- Add PR #1624 case study (frontend rebase, async init guards, test coupling)
- Bump marketplace version to 1.2.0 and refresh description

Co-Authored-By: Claude <noreply@anthropic.com>
Suppress false positives from documentation examples:
- placeholder user paths (/Users/username/, /home/username/, C:\Users\username\)
- example JWT literal used in repomix-safe-mixer docs
- public Douban Frodo API key
- repo owner's public contact email in README/marketplace.json

Also change email-personal rule to use a non-capturing group so
allowlist regexes match the full email address instead of just the domain.

Co-Authored-By: Claude <noreply@anthropic.com>
Explain that eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 is the public,
standard jwt.io example header and decodes to plain metadata.

Co-Authored-By: Claude <noreply@anthropic.com>
New skill: evaluate any OpenAI/Anthropic-compatible LLM endpoint across four dimensions — speed (TTFT + thinking-aware decode tok/s), concurrency/stability (success rate, p50/p90, breaking point), Anthropic protocol compliance (thinking-block trigger rate, N>=10), and quality regression against your own use cases (independent blind judges, not model self-grading). Keys passed by env-var name only; use-case library kept outside the bundle.

- Add llm-eval-harness v1.0.0 (4 probe scripts + 2 method references + use-case template)
- Bump marketplace v1.66.0 -> v1.67.0, skills 65 -> 66, plugin entries 45 -> 46
- Sync README.md / README.zh-CN.md / CLAUDE.md / CHANGELOG.md


Claude-Session: https://claude.ai/code/session_01RttcpAYrXuv6ZucP7DqbuD

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- setup-notifications-via-wecom: webhook setup + structured message templates
  for backup completion, alerts, and status updates. Includes best practices
  distilled from a real backup-sync notification debugging session and
  notification/alert research findings.
- notify-wecom: one-shot skill for sending a single WeCom message via
  /notify-wecom <message>.
- Both read webhook URL from ~/.config/setup-notifications-via-wecom/config.json
  and clear proxy env vars before calling Tencent endpoints.
- Register both skills in marketplace.json, bump suite version to 1.68.0.

Co-Authored-By: Claude <noreply@anthropic.com>
…tions-via-wecom

Co-Authored-By: Claude <noreply@anthropic.com>
Agent team review complete; no blockers. Merged per user request.

🤖 Generated with [Claude Code](https://claude.com/code)
- Revert accidental daymade-audio version bump (1.2.2 → 1.2.1)
- Set setup-notifications-via-wecom initial version to 1.0.0
- Handle missing errmsg in WeCom error response

Co-Authored-By: Claude <noreply@anthropic.com>
Merged follow-up fixes for PR daymade#95 review nits.

🤖 Generated with [Claude Code](https://claude.com/code)
Add a skill for scanning and removing sensitive data from GitHub repo
history. Includes:

- scan_repo.py: gitleaks + custom pattern scan
- rewrite_history.py: backup + git-filter-repo wrapper
- verify_cleanup.py: post-rewrite verification from replacements file
- safe_push.py: visibility check + safe force push
- references/incident-lessons.md: hard-won rules from real cleanups
- references/tooling_notes.md: git-filter-repo/BFG guidance
- evals/evals.json: test prompts

Also register the skill in .claude-plugin/marketplace.json.

All examples use safe placeholders; real private domains go in an
untracked .pii-patterns file.

Co-Authored-By: Claude <noreply@anthropic.com>
Merge github-sensitive-data-cleanup skill.

🤖 Generated with [Claude Code](https://claude.com/code)
- safe_push.py: let gh repo view infer repo from cwd; remove fallback
  defaults on forkCount/stargazerCount; abort on incomplete metadata
- rewrite_history.py: verify backup bundle with git bundle verify;
  check clean working tree before rewrite; verify git-filter-repo runs
- verify_cleanup.py: skip empty left-hand patterns from replacements
- evals.json: add refuses-no-verify-bypass eval
- SKILL.md: document .pii-patterns in .gitignore and backup verification

Co-Authored-By: Claude <noreply@anthropic.com>
Merge audit fixes.

🤖 Generated with [Claude Code](https://claude.com/code)
… git grep --perl-regexp

- Replace git log --pickaxe-regex -S with git grep --perl-regexp across all
  commits so Layer 2/3 patterns with \b word boundaries match correctly.
- Parse private-domain-context and private-ip-context from user's gitleaks.toml
  plus optional identities file for Layer 3.
- Add Layer 4 AI semantic review prompt and eval.
- Update verify_cleanup.py to treat literal: and regex: search sides correctly.

Co-authored-by: Claude <noreply@anthropic.com>
…daymade#101)

lark-cli 1.0.55 moved the docs body from .data.markdown (now null) to
.data.document.content (HTML, needs pandoc), and the sheets list nests at
.data.sheets.sheets[] read via `+cells-get`. The skill's old commands
silently return null on 1.0.55. Switch to version-robust probes (try
.data.markdown, fall back to HTML->pandoc; sheets path via //) so it works
on 1.0.32 and 1.0.55 alike. Also document the owner personal-edition
profile for cross-tenant reach and the transient-TLS-timeout retry.


Claude-Session: https://claude.ai/code/session_01XjaNan97MNRJ7s3GqvRmsN

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…can/verify scripts

- Search the full commit history by batching git grep across all commits
  instead of truncating to the newest 1000.
- Propagate git grep errors from verify_cleanup instead of swallowing them.
- Parse gitleaks.toml with tomllib when available to handle TOML escapes
  correctly; keep a minimal fallback parser for older Python.
- Replace tempfile.mktemp with NamedTemporaryFile(delete=False).
- Strip whitespace from literal:/regex: prefixes in replacements.
- Fix docstring path for the identities file.

Co-Authored-By: Claude <noreply@anthropic.com>
fix(github-sensitive-data-cleanup): address code-review findings
…ymade#103)

* feat(daymade-claude-code): add read-claude-web-conversation skill

Pull the full transcript of a Claude.ai web conversation by driving the user's logged-in Chrome and calling Claude.ai's internal conversation API from inside the page — bypasses the login wall (curl fails) and virtual scrolling (get_page_text returns only the last message). Bumps the suite to 1.6.0; complements claude-code-history-files-finder (local sessions) and claude-export-txt-better (exported files), completing the three conversation-source readers.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0177kBsKH8fXi51UGaCy7qoh

* fix(read-claude-web-conversation): walk active path + content-first extraction

Adversarial review on PR daymade#103 surfaced two medium correctness bugs:
- textOf short-circuited on m.text, silently dropping thinking/tool_use/tool_result blocks whenever top-level text was set (the common agent-turn shape). Now builds from content[] first and folds in m.text.
- tree=True returns the whole message tree including abandoned edit/regeneration branches, but messages were consumed in flat array order. Now walks the active path from current_leaf_message_uuid via parent_message_uuid, falling back to raw order if those fields are absent.
Fix logic verified with a mock (dead-branch exclusion, no block loss, no duplication, fallback). Schema/gotchas/troubleshooting updated to match.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0177kBsKH8fXi51UGaCy7qoh

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…1.0.55 (v1.2.1) (daymade#104)

- references: `--format csv` does NOT emit CSV for cells-get; it returns a
  JSON cell grid. Convert with jq instead, and add a `.data.has_more`
  pagination check (cells-get caps ~4000-6000 cells per response).
- bump feishu-doc-scraper 1.2.0 -> 1.2.1


Claude-Session: https://claude.ai/code/session_016DDkUYyDUMtpZX9k1zAiYh

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…n-words safety (daymade-audio 1.3.0) (daymade#105)

- uncertain_extractor: surface low-confidence ASR spans for review
- tech_presets: pre-seeded corrections for AI / Claude Code / SWE transcripts
- common_words safety table + test_common_words_safety: guard against
  over-correcting common words
- ai_processor / dictionary_processor / validation / migrations enhancements
- bump daymade-audio suite 1.2.1 -> 1.3.0


Claude-Session: https://claude.ai/code/session_016DDkUYyDUMtpZX9k1zAiYh

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… (v1.69.0) (daymade#106)

- new skill codex-image-gallery: self-contained local web gallery for browsing
  Codex image outputs (~/.codex/generated_images); bundled Node server + HTML UI
- marketplace: register codex-image-gallery (49->50 plugins), metadata 1.68->1.69
  (feishu 1.2.1 / daymade-audio 1.3.0 from prior PRs preserved)
- doc baseline: README / README.zh-CN / CLAUDE skill lists synced to 71 —
  backfills previously-merged read-claude-web-conversation,
  setup-notifications-via-wecom, notify-wecom, github-sensitive-data-cleanup
  that had drifted out of the human-facing docs
- CHANGELOG 1.69.0 entry

Integrates a concurrent session's codex-image-gallery + doc-backfill work,
reviewed here: security_scan clean, doc-skill-list consistency check green.


Claude-Session: https://claude.ai/code/session_016DDkUYyDUMtpZX9k1zAiYh

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…0.0) (daymade#107)

- new skill frontend-visual-qa: catches rendered UI defects lint/build miss
  (awkward line breaks, wrapped controls, horizontal overflow, double
  scrollbars, page-type drift, AI slop, Chrome DevTools viewport mistakes);
  bundles a history-derived checklist + Chrome-first pass + Playwright-core
  audit script
- marketplace: register frontend-visual-qa (50->51 plugins), metadata 1.69->1.70
- docs: README / README.zh-CN / CLAUDE skill lists synced 71->72, badges 1.70.0

security_scan clean; doc-skill-list consistency check green.


Claude-Session: https://claude.ai/code/session_016DDkUYyDUMtpZX9k1zAiYh

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
daymade#108)

- new skill openclaw: unified CLI to audit/diff/copy/add-model/list/switch
  models across OpenClaw (龙虾/lobster) instance configs; DeepSeek model
  patches, default-model/alias management, config validation
- SANITIZED before publishing to this public repo: real private instance
  nicknames replaced with generic placeholders (甲虾/乙虾)
- marketplace: register openclaw (51->52 plugins), metadata 1.70->1.71
- docs: README / README.zh-CN / CLAUDE skill lists synced 72->73, badges 1.71.0

security_scan clean; doc-skill-list consistency check green.


Claude-Session: https://claude.ai/code/session_016DDkUYyDUMtpZX9k1zAiYh

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… output to dist/ (daymade-skill 1.3.0) (daymade#109)

- EXCLUDE_DIRS += .pytest_cache, .venv; EXCLUDE_FILES += .security-scan-passed;
  ROOT_EXCLUDE_DIRS += dist — keep build/test artifacts out of .skill bundles
- default artifact output now <skill>/dist/ (next to source, easy to find/clean)
  instead of cwd; clearer source-of-truth vs distribution-artifact messaging
- add test_package_skill.py (16 tests, all passing)
- bump daymade-skill suite 1.2.0 -> 1.3.0


Claude-Session: https://claude.ai/code/session_016DDkUYyDUMtpZX9k1zAiYh

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
check_cache_freshness() read the cache directory's filesystem mtime to
decide whether a marketplace cache was stale. That mtime is unreliable:
`claude plugin marketplace update` refreshes files inside the nested cache
repo without touching the top-level directory's mtime, so caches that were
just updated were reported as stale indefinitely (e.g. "126 days old").

Read the authoritative `lastUpdated` ISO-8601 timestamp from
known_marketplaces.json instead, which is what the update command actually
writes. Fall back to the directory mtime only when no timestamp is present.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants