feat(plugin-creator): context/plugin creator (working name) v0.1.0#17
Conversation
…view Working-name draft, not published. Six skills implementing the composition-plan flow (understand -> gather -> plan -> build); eval is handed off to skill-optimizer, not woven in. Lints clean; all skills materialise on install. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…cenarios - build-composition / decompose-into-skills: stop instructing `tessl skill new` per sub-skill (it nests a standalone plugin that `pack` silently drops); author skills/<name>/SKILL.md directly, and verify with `pack`, not just `lint` - plan-composition / choosing-the-shape: add explicit skill-vs-rule checkpoint for always-on-convention requests - build-composition: correct `tessl plugin new` flag guidance (--skill/--rules, --workspace) - shaping-and-decomposition: distinguish peer-skills vs orchestrator shapes - add 5 generated eval scenarios (evals/) QA: sonnet-4-6 content eval 65% -> 97% avg (no regressions); skill reviews 85-100. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Important Review skippedAuto incremental reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
📝 WalkthroughWalkthroughThis PR introduces a new ChangesPlugin-creator plugin
Estimated code review effort: 2 (Simple) | ~15 minutes Sequence Diagram(s)sequenceDiagram
participant CreateContext
participant GatherContext
participant PlanComposition
participant BuildComposition
participant PublishPlugin
CreateContext->>GatherContext: hand off to gather context
GatherContext->>PlanComposition: confirm gathered artefacts
PlanComposition->>BuildComposition: confirm composition plan
BuildComposition->>PublishPlugin: hand off completed composition
Related PRs: None found. Suggested labels: documentation, plugin-creator Suggested reviewers: None found. A plugin takes root, drafts unfurled, 🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 6
🧹 Nitpick comments (2)
plugin-creator/skills/decompose-into-skills/SKILL.md (1)
14-20: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winState the verb-form naming rule explicitly.
The split criteria still leaves the sub-skill naming convention implicit. The downstream eval for this flow expects verb-form skill names, so call that out here rather than relying on the reader to infer it.
♻️ Proposed wording
- Draft a decomposition: one skill per responsibility, each with its own clear trigger. Show the user the proposed structure and the reasoning. + Draft a decomposition: one skill per responsibility, each with its own clear trigger and a verb-form skill name. Show the user the proposed structure and the reasoning.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@plugin-creator/skills/decompose-into-skills/SKILL.md` around lines 14 - 20, State the split naming rule explicitly in the decomposition guidance for SKILL.md: when proposing or creating sub-skills under skills/<name>/SKILL.md, require verb-form names so the downstream eval can match them reliably. Update the “Propose the split” and/or “Restructure” guidance around the symbols “split”, “Restructure”, and “skills/<name>/SKILL.md” to make this convention explicit instead of implied.plugin-creator/evals/scenario-4/criteria.json (1)
36-39: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winBroaden the fabricated-evidence check.
Baking in
/find-optimizationsandtessl agent-logsmakes the rubric brittle and misses equivalent false claims about other tools. Generalise the criterion to the behaviour you care about instead of the current command names.♻️ Suggested wording
- "description": "The output does NOT claim to have run `/find-optimizations` or `tessl agent-logs` with specific results; any mention of these tools is framed as what could be done next, not as already completed", + "description": "The output does NOT claim to have run any inspection or evaluation command, or to have specific results that are not present in the provided artefacts; any mention of such tools is framed as a possible next step, not as already completed",🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@plugin-creator/evals/scenario-4/criteria.json` around lines 36 - 39, Generalize the “No fabricated evidence” criterion so it checks for any false claim of having run tools or obtained results, rather than hard-coding /find-optimizations and tessl agent-logs. Update the description in criteria.json to focus on the behavior—claims about completed tool use or specific results must only appear if actually performed—so equivalent fabricated evidence with other commands is also covered.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@plugin-creator/evals/scenario-1/inputs/SKILL.md`:
- Around line 36-40: The backup workflow is using wildcard globs that can
accidentally target older dump files instead of the newly created one. In the
backup steps around the pg_dump, gzip, aws s3 cp, aws s3 ls, and rm commands,
capture the timestamped filename once in a variable and reuse that exact name
for compression, upload, verification, and deletion. Make sure the logic in
SKILL.md consistently references the same backup file throughout the sequence.
In `@plugin-creator/evals/scenario-4/inputs/SKILL.md`:
- Around line 13-23: The deploy instructions in SKILL.md are still vague and too
easy to run against the wrong target. Update the checklist around the deploy
command so it explicitly names the required preflight checks, the environment
variables that must be set before running deployment, and a post-deploy smoke
test to verify success. Also make the command block safer by clearly indicating
the intended environment through the deploy step tied to deploy --env
production, and keep the guidance anchored in the existing checklist and
Commands section so it is easy to find and copy correctly.
In `@plugin-creator/skills/build-composition/SKILL.md`:
- Around line 48-58: The pack smoke test in the validation step only checks for
SKILL.md, so it can miss missing rules or commands. Update the validation
guidance around the tessl plugin pack and tar inspection flow to assert every
artifact the plugin can emit, using the existing pack output and the plugin
plan’s expected files as the reference. Keep the lint-and-pack sequence, but
broaden the tar check so it verifies skills plus rules, commands, and any other
generated artifacts materialize.
In `@plugin-creator/skills/create-context/SKILL.md`:
- Line 30: Tighten the CLI guidance in the create-context skill to match the
actual decomposition flow: the current mention of “tessl skill new” alongside
“tessl plugin new” can imply a nested-plugin workflow that this path no longer
uses. Update the wording near the existing CLI guidance in SKILL.md so it
directs users to create sub-skills directly under skills/<name>/SKILL.md and
keep the advice focused on inspecting tessl --help for the real CLI commands.
In `@plugin-creator/skills/plan-composition/SKILL.md`:
- Line 3: The composition plan template in SKILL.md only lists skills, rules,
and MCP servers, but it should also support command-shaped work as a first-class
option. Update the plan decision guidance and any related wording in the
composition flow to include command alongside the existing primitives, using the
existing shape-selection logic in the plan template so command-based cases are
not misclassified as skills or rules.
In `@plugin-creator/tessl.json`:
- Around line 2-3: The package name in the plugin config is creating a second
identity, so update the name in tessl.json to match the plugin manifest and
install docs. Keep the existing plugin-creator configuration intact, but change
the identity used by the plugin metadata so it consistently refers to
tessl/plugin-creator.
---
Nitpick comments:
In `@plugin-creator/evals/scenario-4/criteria.json`:
- Around line 36-39: Generalize the “No fabricated evidence” criterion so it
checks for any false claim of having run tools or obtained results, rather than
hard-coding /find-optimizations and tessl agent-logs. Update the description in
criteria.json to focus on the behavior—claims about completed tool use or
specific results must only appear if actually performed—so equivalent fabricated
evidence with other commands is also covered.
In `@plugin-creator/skills/decompose-into-skills/SKILL.md`:
- Around line 14-20: State the split naming rule explicitly in the decomposition
guidance for SKILL.md: when proposing or creating sub-skills under
skills/<name>/SKILL.md, require verb-form names so the downstream eval can match
them reliably. Update the “Propose the split” and/or “Restructure” guidance
around the symbols “split”, “Restructure”, and “skills/<name>/SKILL.md” to make
this convention explicit instead of implied.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 2e50e4ad-fe4e-4d76-82d3-3327f9190f92
📒 Files selected for processing (35)
plugin-creator/.tessl-plugin/plugin.jsonplugin-creator/.tesslignoreplugin-creator/DRAFT-NOTES.mdplugin-creator/README.mdplugin-creator/TRY-THIS.mdplugin-creator/evals/scenario-0/criteria.jsonplugin-creator/evals/scenario-0/scenario.jsonplugin-creator/evals/scenario-0/task.mdplugin-creator/evals/scenario-1/criteria.jsonplugin-creator/evals/scenario-1/inputs/SKILL.mdplugin-creator/evals/scenario-1/scenario.jsonplugin-creator/evals/scenario-1/task.mdplugin-creator/evals/scenario-2/criteria.jsonplugin-creator/evals/scenario-2/scenario.jsonplugin-creator/evals/scenario-2/task.mdplugin-creator/evals/scenario-3/criteria.jsonplugin-creator/evals/scenario-3/my-plugin/.tessl-plugin/plugin.jsonplugin-creator/evals/scenario-3/scenario.jsonplugin-creator/evals/scenario-3/task.mdplugin-creator/evals/scenario-4/criteria.jsonplugin-creator/evals/scenario-4/inputs/SKILL.mdplugin-creator/evals/scenario-4/inputs/pr-feedback.jsonplugin-creator/evals/scenario-4/scenario.jsonplugin-creator/evals/scenario-4/task.mdplugin-creator/skills/build-composition/SKILL.mdplugin-creator/skills/build-composition/references/plugin-anatomy.mdplugin-creator/skills/build-composition/references/shaping-and-decomposition.mdplugin-creator/skills/create-context/SKILL.mdplugin-creator/skills/decompose-into-skills/SKILL.mdplugin-creator/skills/gather-context/SKILL.mdplugin-creator/skills/gather-context/references/hunting-artifacts.mdplugin-creator/skills/plan-composition/SKILL.mdplugin-creator/skills/plan-composition/references/choosing-the-shape.mdplugin-creator/skills/publish-plugin/SKILL.mdplugin-creator/tessl.json
| 2. Run a full dump: `pg_dump $DATABASE_URL > backup_$(date +%Y%m%d_%H%M%S).sql` | ||
| 3. Compress: `gzip backup_*.sql` | ||
| 4. Upload to S3: `aws s3 cp backup_*.sql.gz s3://company-db-backups/postgres/<env>/` | ||
| 5. Verify the upload: `aws s3 ls s3://company-db-backups/postgres/<env>/ | tail -5` | ||
| 6. Delete the local copy after confirming upload: `rm backup_*.sql.gz` |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
Use the exact backup filename instead of globs.
backup_*.sql / backup_*.sql.gz can match older dumps in the working directory, so compression, upload, verification, and deletion may hit the wrong files. Capture the timestamped name once and reuse it end to end.
♻️ Proposed fix
- pg_dump $DATABASE_URL > backup_$(date +%Y%m%d_%H%M%S).sql
- gzip backup_*.sql
- aws s3 cp backup_*.sql.gz s3://company-db-backups/postgres/<env>/
- aws s3 ls s3://company-db-backups/postgres/<env>/ | tail -5
- rm backup_*.sql.gz
+ backup_file="backup_$(date +%Y%m%d_%H%M%S).sql"
+ pg_dump "$DATABASE_URL" > "$backup_file"
+ gzip "$backup_file"
+ aws s3 cp "${backup_file}.gz" s3://company-db-backups/postgres/<env>/
+ aws s3 ls "s3://company-db-backups/postgres/<env>/${backup_file}.gz"
+ rm "${backup_file}.gz"📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| 2. Run a full dump: `pg_dump $DATABASE_URL > backup_$(date +%Y%m%d_%H%M%S).sql` | |
| 3. Compress: `gzip backup_*.sql` | |
| 4. Upload to S3: `aws s3 cp backup_*.sql.gz s3://company-db-backups/postgres/<env>/` | |
| 5. Verify the upload: `aws s3 ls s3://company-db-backups/postgres/<env>/ | tail -5` | |
| 6. Delete the local copy after confirming upload: `rm backup_*.sql.gz` | |
| backup_file="backup_$(date +%Y%m%d_%H%M%S).sql" | |
| pg_dump "$DATABASE_URL" > "$backup_file" | |
| gzip "$backup_file" | |
| aws s3 cp "${backup_file}.gz" s3://company-db-backups/postgres/<env>/ | |
| aws s3 ls "s3://company-db-backups/postgres/<env>/${backup_file}.gz" | |
| rm "${backup_file}.gz" |
🧰 Tools
🪛 SkillSpector (2.3.7)
[warning] 38: [E5] Cloud Storage Exfiltration: Data is uploaded to cloud storage (S3 / GCS / Azure Blob). This may be a legitimate backup or exfiltration to an external bucket. Manual review is recommended.
Remediation: Verify the destination bucket is trusted and owned by you. Never upload credentials, secrets, or workspace contents to external or unverified cloud storage.
(Data Exfiltration (E5))
[warning] 44: [E5] Cloud Storage Exfiltration: Data is uploaded to cloud storage (S3 / GCS / Azure Blob). This may be a legitimate backup or exfiltration to an external bucket. Manual review is recommended.
Remediation: Verify the destination bucket is trusted and owned by you. Never upload credentials, secrets, or workspace contents to external or unverified cloud storage.
(Data Exfiltration (E5))
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@plugin-creator/evals/scenario-1/inputs/SKILL.md` around lines 36 - 40, The
backup workflow is using wildcard globs that can accidentally target older dump
files instead of the newly created one. In the backup steps around the pg_dump,
gzip, aws s3 cp, aws s3 ls, and rm commands, capture the timestamped filename
once in a variable and reuse that exact name for compression, upload,
verification, and deletion. Make sure the logic in SKILL.md consistently
references the same backup file throughout the sequence.
| - Sometimes you need to set environment variables first | ||
| - The deploy might take a while | ||
| - If it fails, look at the logs | ||
|
|
||
| ## Commands | ||
|
|
||
| ```bash | ||
| deploy --env production | ||
| ``` | ||
|
|
||
| Watch for errors in the output. |
There was a problem hiding this comment.
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
Make the deploy steps explicit and safer to copy.
The checklist still leaves the preflight checks, required environment variables, and post-deploy smoke test undefined, so the recurring feedback in pr-feedback.json remains unresolved. deploy --env production is also too easy to copy into the wrong environment.
♻️ Suggested fix
- - Sometimes you need to set environment variables first
- - The deploy might take a while
- - If it fails, look at the logs
+ - Set the required environment variables before deploying
+ - The deploy may take a while
+ - After deploy, verify the /health endpoint
@@
- deploy --env production
+ deploy --env <environment>📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - Sometimes you need to set environment variables first | |
| - The deploy might take a while | |
| - If it fails, look at the logs | |
| ## Commands | |
| ```bash | |
| deploy --env production | |
| ``` | |
| Watch for errors in the output. | |
| - Set the required environment variables before deploying | |
| - The deploy may take a while | |
| - After deploy, verify the /health endpoint | |
| ## Commands | |
🧰 Tools
🪛 LanguageTool
[grammar] ~14-~14: The word ‘deploy’ is a verb. Did you mean the noun “deployment” (= release, placement)?
Context: ...o set environment variables first - The deploy might take a while - If it fails, look ...
(PREPOSITION_VERB)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@plugin-creator/evals/scenario-4/inputs/SKILL.md` around lines 13 - 23, The
deploy instructions in SKILL.md are still vague and too easy to run against the
wrong target. Update the checklist around the deploy command so it explicitly
names the required preflight checks, the environment variables that must be set
before running deployment, and a post-deploy smoke test to verify success. Also
make the command block safer by clearly indicating the intended environment
through the deploy step tied to deploy --env production, and keep the guidance
anchored in the existing checklist and Commands section so it is easy to find
and copy correctly.
| ## 5. Validate with lint AND pack | ||
|
|
||
| Lint checks structure; pack confirms what actually ships. Because lint can pass on a mis-nested skill, always do both: | ||
|
|
||
| ```bash | ||
| tessl plugin lint <plugin-dir> | ||
| tessl plugin pack <plugin-dir> --output /tmp/check.tgz | ||
| tar tzf /tmp/check.tgz | grep SKILL.md # every intended skill must appear | ||
| ``` | ||
|
|
||
| Optionally install into a throwaway project (a `file:` dependency) and confirm the skills, rules, and any MCP servers materialise. |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Broaden the pack smoke test.
tar tzf ... | grep SKILL.md only proves skills survived packing. A plugin can still drop rules or commands and pass this validation, so the test does not protect the full plugin contract. Extend the check to cover every artefact the plan can emit.
Suggested tweak
tar tzf /tmp/check.tgz | grep SKILL.md # every intended skill must appear
+tar tzf /tmp/check.tgz | grep -E '(^|/)rules/[^/]+\.md$'
+tar tzf /tmp/check.tgz | grep -E '(^|/)commands/[^/]+\.md$'📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| ## 5. Validate with lint AND pack | |
| Lint checks structure; pack confirms what actually ships. Because lint can pass on a mis-nested skill, always do both: | |
| ```bash | |
| tessl plugin lint <plugin-dir> | |
| tessl plugin pack <plugin-dir> --output /tmp/check.tgz | |
| tar tzf /tmp/check.tgz | grep SKILL.md # every intended skill must appear | |
| ``` | |
| Optionally install into a throwaway project (a `file:` dependency) and confirm the skills, rules, and any MCP servers materialise. | |
| ## 5. Validate with lint AND pack | |
| Lint checks structure; pack confirms what actually ships. Because lint can pass on a mis-nested skill, always do both: | |
🧰 Tools
🪛 LanguageTool
[style] ~58-~58: Would you like to use the Oxford spelling “materialize”? The spelling ‘materialise’ is also correct.
Context: ... the skills, rules, and any MCP servers materialise. ## 6. Hand off The composition now e...
(OXFORD_SPELLING_Z_NOT_S)
🪛 SkillSpector (2.3.7)
[error] 45: [AS2] MCP Config Access: Skill accesses MCP server configuration files (mcp.json). MCP configs contain server URLs, authentication tokens, and tool definitions — reading them allows the skill to discover and potentially abuse other tool integrations.
Remediation: Remove all code or instructions that read MCP configuration files (mcp.json). MCP server details should be managed by the agent runtime, not read by individual skills.
(Agent Snooping (AS2))
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@plugin-creator/skills/build-composition/SKILL.md` around lines 48 - 58, The
pack smoke test in the validation step only checks for SKILL.md, so it can miss
missing rules or commands. Update the validation guidance around the tessl
plugin pack and tar inspection flow to assert every artifact the plugin can
emit, using the existing pack output and the plugin plan’s expected files as the
reference. Keep the lint-and-pack sequence, but broaden the tar check so it
verifies skills plus rules, commands, and any other generated artifacts
materialize.
| - **Honour what the user brings.** Restructure rather than rewrite. Change a user's skill content only if a review flags a real problem and they agree. | ||
| - **Narrate the why.** Make the value of decomposition or packaging visible. | ||
| - **Default to the smallest thing that solves the problem.** If a single skill does it, stop there. A plugin must earn its place. | ||
| - **Know the real CLI.** Scaffold with `tessl skill new` / `tessl plugin new`; inspect `tessl --help` rather than inventing commands. |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Tighten the CLI guidance to the final shape.
"tessl skill new" here reads as a blanket recommendation, but the decomposition flow below writes sub-skills directly under skills/<name>/SKILL.md. As written, this can send people back towards the nested-plugin pattern the stack already fixed.
♻️ Proposed wording
- - **Know the real CLI.** Scaffold with `tessl skill new` / `tessl plugin new`; inspect `tessl --help` rather than inventing commands.
+ - **Know the real CLI.** Use `tessl skill new` for standalone skills and `tessl plugin new` for plugin-level scaffolding; inside a plugin, let `build-composition` write sub-skills directly, and inspect `tessl --help` rather than inventing commands.📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - **Know the real CLI.** Scaffold with `tessl skill new` / `tessl plugin new`; inspect `tessl --help` rather than inventing commands. | |
| - **Know the real CLI.** Use `tessl skill new` for standalone skills and `tessl plugin new` for plugin-level scaffolding; inside a plugin, let `build-composition` write sub-skills directly, and inspect `tessl --help` rather than inventing commands. |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@plugin-creator/skills/create-context/SKILL.md` at line 30, Tighten the CLI
guidance in the create-context skill to match the actual decomposition flow: the
current mention of “tessl skill new” alongside “tessl plugin new” can imply a
nested-plugin workflow that this path no longer uses. Update the wording near
the existing CLI guidance in SKILL.md so it directs users to create sub-skills
directly under skills/<name>/SKILL.md and keep the advice focused on inspecting
tessl --help for the real CLI commands.
| @@ -0,0 +1,39 @@ | |||
| --- | |||
| name: plan-composition | |||
| description: Use once the problem and artifacts are understood, to decide the right shape for the context. Produces a short composition plan - a single skill for simple cases, or a plugin (with rules, MCP servers, or multiple skills) for richer ones - and confirms it with the user before anything is built. | |||
There was a problem hiding this comment.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Add commands to the shape decision.
The plan template only names skills, rules, and MCP servers, but this layer already treats commands as a first-class primitive elsewhere. Add command here so command-shaped work does not get forced into a skill or rule.
Suggested tweak
- Produces a short composition plan - a single skill for simple cases, or a plugin (with rules, MCP servers, or multiple skills) for richer ones - and confirms it with the user before anything is built.
+ Produces a short composition plan - a single skill for simple cases, or a plugin (with rules, commands, MCP servers, or multiple skills) for richer ones - and confirms it with the user before anything is built.
...
- which primitive each part becomes (skill vs rule vs MCP), and whether anything needs decomposing.
+ which primitive each part becomes (skill vs rule vs command vs MCP), and whether anything needs decomposing.Also applies to: 29-31
🧰 Tools
🪛 SkillSpector (2.3.7)
[error] 15: [AR1] Anti-Refusal Statement: Skill instructs the agent to never refuse or to always comply. Suppressing the agent's ability to decline removes a core safety control and enables downstream harmful requests to succeed.
Remediation: Remove any instruction telling the agent to never refuse or always comply. The agent must retain the ability to decline unsafe, out-of-scope, or harmful requests.
(Anti-Refusal (AR1))
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@plugin-creator/skills/plan-composition/SKILL.md` at line 3, The composition
plan template in SKILL.md only lists skills, rules, and MCP servers, but it
should also support command-shaped work as a first-class option. Update the plan
decision guidance and any related wording in the composition flow to include
command alongside the existing primitives, using the existing shape-selection
logic in the plan template so command-based cases are not misclassified as
skills or rules.
| "name": "tessl/plugin-creator-dev", | ||
| "mode": "vendored", |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
Align the package name with the plugin manifest.
tessl/plugin-creator-dev creates a second identity for the same plugin. The plugin manifest and install docs both point at tessl/plugin-creator, so this name should match them.
Suggested fix
- "name": "tessl/plugin-creator-dev",
+ "name": "tessl/plugin-creator",📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| "name": "tessl/plugin-creator-dev", | |
| "mode": "vendored", | |
| "name": "tessl/plugin-creator", | |
| "mode": "vendored", |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@plugin-creator/tessl.json` around lines 2 - 3, The package name in the plugin
config is creating a second identity, so update the name in tessl.json to match
the plugin manifest and install docs. Keep the existing plugin-creator
configuration intact, but change the identity used by the plugin metadata so it
consistently refers to tessl/plugin-creator.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- create-context: clarify CLI guidance (skill new = standalone, sub-skills authored directly) - build-composition: broaden pack smoke test to rules and commands - plan-composition: add commands to the shape decision - decompose-into-skills: require verb-form sub-skill names - .tesslignore the dev tessl.json so it does not ship a second identity Skipped: the two eval-fixture SKILL.md nits (fixtures are intentionally imperfect inputs). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Addressed substantive comments in follow-up commits (CLI guidance, pack check, dev-manifest naming via .tesslignore, verb-form names). Skipped the two eval-fixture nits (fixtures are intentionally imperfect inputs). Merging per owner authorisation.
…kill - gather-context: read .tessl/memory/preferences (plugins/agents/source-control-and-ci) for grounding - build-composition: run security review for plugins touching MCP/scripts/secrets/auth/CI - choosing-the-shape: point deterministic-check / verifier behaviours at change-verify, not skills/rules Replicates the old harness-engineering plugin-creator's remaining behaviour so this can supersede it. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Draft plugin that helps a user turn a problem, or a messy existing skill, into well-shaped agent context (a skill, or a plugin with the right primitives). Problem-first; eval stays in skill-optimizer as a downstream step. Working name.
Do not merge yet. Merging to `main` auto-publishes via CI. The manifest is `private: true`, so it publishes private (workspace-installable, reversible). Marc to review eval results, then decide merge (private publish) and, separately, the irreversible public flip.
Quality (QA'd on this branch)
Open flag
Notes
🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
Documentation
Chores