sync: dev → main (CI fix, community files, GSD auto-install)#24
auroracapital merged 5 commits into main
…d org URLs (#11) - All GitHub URLs now point to Lifecycle-Innovations-Limited/claude-ops - Root README: correct /plugin marketplace add + install commands, MCP vs CLI comparison table showing what each path gains/loses per integration - Inner README: consistent /ops:* colon syntax, GSD as optional, integrations split into CLI-only / MCP-only / choose-with-tradeoffs / plugin-bundled - setup.sh: auto-install missing core tools + npm deps on SessionStart - plugin.json: updated author URL, homepage, repository - marketplace.json + SECURITY.md: updated email Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Setup wizard now offers to install GSD (Get Shit Done) as a companion plugin. Pulls latest version via plugin marketplace. Users choose [Install GSD] or [Skip]. Enhances /ops:go, /ops:projects, /ops:next dashboards with project roadmap state. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Caution: Review failed. The pull request is closed.

Walkthrough

This PR transfers project ownership from Aurora Capital to Lifecycle Innovations Limited, introduces GitHub governance documentation (contribution guide, issue templates, pull request template), refactors the CI gitleaks workflow from action-based to shell commands, and updates installation/documentation to reflect the new owner with expanded command capabilities and auto-installation setup flows.

Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~12 minutes
| GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} | ||
| - name: Install gitleaks | ||
| run: | | ||
| curl -sSfL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.24.3_linux_amd64.tar.gz | tar xz |
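Review bot: The `curl ... | tar xz` line unpacks whatever the download returns straight into the job's working directory, with no integrity check before anything from it is used. Download the archive to a file, compare its SHA-256 with a digest committed in this workflow, and only then extract it. The same line pairs `/releases/latest/download/` with the `8.24.3` asset name; use `/releases/download/v8.24.3/` so the tag and filename always agree.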
Bug: The CI script downloads a pinned gitleaks version using the /releases/latest/download/ URL, which will fail with a 404 error once a newer gitleaks version is released.
Severity: HIGH
Suggested Fix
To pin to a specific version, change the URL to use the /releases/download/<tag>/ pattern instead of /releases/latest/download/. For example: https://github.com/gitleaks/gitleaks/releases/download/v8.24.3/gitleaks_8.24.3_linux_amd64.tar.gz.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.
Location: .github/workflows/ci.yml#L43
Potential issue: The CI workflow uses `curl` to download a specific version of
`gitleaks` (`gitleaks_8.24.3_linux_amd64.tar.gz`) from the `/releases/latest/download/`
endpoint. This endpoint always points to the assets of the latest release. When a new
version of `gitleaks` is published, the "latest" tag will point to it. The `curl`
command will then try to download the `8.24.3` file from the new release's assets, which
won't exist, resulting in a 404 error. Since `curl` is run with the `-f` flag, this HTTP
error will cause the "Install gitleaks" step to fail, breaking the entire CI pipeline.
| # ops setup — Auto-install missing tools + validate readiness | ||
| # Called by SessionStart hook and /ops:setup | ||
| set -euo pipefail | ||
|
|
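Review bot: The header comment says this script auto-installs tools and is called by the SessionStart hook, which means package installation happens on session start without the user asking for it. Limit the hook path to detection and reporting and leave installation to an explicit `/ops:setup` run, or gate the install behind an opt-in setting. With `set -euo pipefail` on the next line, also make sure every probe that is expected to fail is guarded so the hook still reaches its report.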
Bug: The setup.sh script uses set -e and unguarded function calls, causing it to exit on the first missing tool instead of reporting all missing dependencies as intended.
Severity: MEDIUM
Suggested Fix
Guard the auto_install function calls to prevent set -e from triggering an exit. This can be done by appending || true to each call, for example: auto_install jq jq || true.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.
Location: claude-ops/scripts/setup.sh#L5
Potential issue: The `setup.sh` script uses `set -e`, which causes it to exit
immediately on any command that returns a non-zero exit code. The script calls the
`auto_install` function for several tools. This function returns `1` if a tool is
missing and cannot be installed (e.g., on a system without Homebrew). Because these
function calls are not guarded, the script will exit on the first missing tool. This
prevents the subsequent diagnostic loop from running, which is intended to collect and
report all missing tools, leaving the user without a complete list of required
dependencies.
Pull request overview
Syncs dev into main with updates aimed at fixing CI secret scanning, improving setup automation (including optional companion plugin install), and refreshing community/docs materials to match the current plugin distribution and org URLs.
Changes:
- Replace the GitHub Action-based gitleaks step with a locally downloaded gitleaks binary in CI.
- Extend setup documentation to include optional “companion plugin” (GSD) install guidance and update setup auto-install behavior.
- Add/refresh community health files (CONTRIBUTING + issue/PR templates) and update README/metadata links for the new org.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| SECURITY.md | Updates the security contact email address. |
| README.md | Rewrites top-level docs (install flow, MCP vs CLI explanation, repo/org URLs). |
| claude-ops/skills/setup/SKILL.md | Documents companion plugin (GSD) detection/installation in the setup wizard. |
| claude-ops/scripts/setup.sh | Adds auto-install + dependency bootstrap behavior and changes reporting to problem-focused output. |
| claude-ops/README.md | Updates in-plugin documentation (slash command names, install steps, integration guidance). |
| claude-ops/.claude-plugin/plugin.json | Updates author/repo/homepage URLs to the new org. |
| .github/workflows/ci.yml | Switches gitleaks scanning to a downloaded binary and runs it directly. |
| .github/PULL_REQUEST_TEMPLATE.md | Adds a PR template with summary/changes/test plan/checklist sections. |
| .github/ISSUE_TEMPLATE/feature_request.md | Adds a feature request issue template. |
| .github/ISSUE_TEMPLATE/bug_report.md | Adds a bug report issue template. |
| .github/CONTRIBUTING.md | Adds contribution guidelines (branching, style, testing). |
| .claude-plugin/marketplace.json | Updates marketplace owner email to the new contact. |
| GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} | ||
| - name: Install gitleaks | ||
| run: | | ||
| curl -sSfL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.24.3_linux_amd64.tar.gz | tar xz |
The download URL mixes releases/latest with a hard-coded asset name for v8.24.3. As soon as latest points to a newer tag, this will 404 and CI will fail. Pin the URL to the specific tag (e.g. releases/download/v8.24.3/...) or fetch the latest version dynamically and use a matching filename.
| curl -sSfL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.24.3_linux_amd64.tar.gz | tar xz | |
| curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.24.3/gitleaks_8.24.3_linux_amd64.tar.gz | tar xz |
| GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} | ||
| - name: Install gitleaks | ||
| run: | | ||
| curl -sSfL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.24.3_linux_amd64.tar.gz | tar xz |
CI downloads and executes a prebuilt gitleaks binary without any integrity verification. To reduce supply-chain risk, add a checksum verification step (or use a package manager install with pinned version/signature) before executing the binary.
| curl -sSfL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.24.3_linux_amd64.tar.gz | tar xz | |
| GITLEAKS_VERSION="8.24.3" | |
| GITLEAKS_ARCHIVE="gitleaks_${GITLEAKS_VERSION}_linux_amd64.tar.gz" | |
| GITLEAKS_BASE_URL="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}" | |
| curl -sSfL "${GITLEAKS_BASE_URL}/${GITLEAKS_ARCHIVE}" -o "${GITLEAKS_ARCHIVE}" | |
| curl -sSfL "${GITLEAKS_BASE_URL}/gitleaks_${GITLEAKS_VERSION}_checksums.txt" -o gitleaks_checksums.txt | |
| grep " ${GITLEAKS_ARCHIVE}\$" gitleaks_checksums.txt | sha256sum -c - | |
| tar xzf "${GITLEAKS_ARCHIVE}" |
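Review bot: In the suggested replacement, `gitleaks_${GITLEAKS_VERSION}_checksums.txt` is fetched from the same release URL as the archive, so the check catches a corrupted or truncated download but not a replaced release asset. Commit the expected SHA-256 for `${GITLEAKS_ARCHIVE}` in the workflow and compare against that value instead of the downloaded checksums file.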
| # Run this after installing the ops plugin to check what's available | ||
|
|
||
| # ops setup — Auto-install missing tools + validate readiness | ||
| # Called by SessionStart hook and /ops:setup |
The header comment says this script is called by SessionStart and /ops:setup, but the repo only references it from the SessionStart hook (the setup wizard uses bin/ops-setup-*). Update the comment to match actual usage so future changes don’t assume it’s part of the interactive wizard flow.
| # Called by SessionStart hook and /ops:setup | |
| # Called by SessionStart hook |
| # Telegram MCP server deps | ||
| if [ -f "$PLUGIN_ROOT/telegram-server/package.json" ] && command -v node &>/dev/null; then | ||
| if [ ! -d "$PLUGIN_ROOT/telegram-server/node_modules" ]; then | ||
| (cd "$PLUGIN_ROOT/telegram-server" && npm install --silent 2>/dev/null) && INSTALLED+=("telegram-deps") |
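Review bot: `npm install` on the last line runs the dependencies' lifecycle scripts, and here it does so unattended with all output discarded. Consider `npm ci --ignore-scripts` when a lockfile is present, and keep stderr so a failed or unexpected install is visible.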
npm install for telegram-server deps is fully silenced (--silent 2>/dev/null) and failures aren’t reported or added to MISSING, so SessionStart can silently leave the Telegram MCP server broken. Capture install failures and emit a clear ✗ ops: message (or add to MISSING) when dependency install fails.
| (cd "$PLUGIN_ROOT/telegram-server" && npm install --silent 2>/dev/null) && INSTALLED+=("telegram-deps") | |
| if (cd "$PLUGIN_ROOT/telegram-server" && npm install --silent 2>/dev/null); then | |
| INSTALLED+=("telegram-deps") | |
| else | |
| echo " ✗ ops: failed to install telegram-server dependencies — run /ops:setup to configure" | |
| MISSING+=("telegram-deps") | |
| fi |
| # Plugin bin deps | ||
| if [ -f "$PLUGIN_ROOT/package.json" ] && command -v node &>/dev/null; then | ||
| if [ ! -d "$PLUGIN_ROOT/node_modules" ]; then | ||
| (cd "$PLUGIN_ROOT" && npm install --silent 2>/dev/null) && INSTALLED+=("plugin-deps") | ||
| fi |
Since both claude-ops/ and telegram-server/ have package-lock.json, using npm install here is non-deterministic and can update the lockfile or resolve different dependency trees across npm versions. Prefer npm ci when a lockfile exists (and fall back to npm install only when it doesn’t).
| On install, run: | ||
|
|
||
| ```bash | ||
| claude plugin marketplace add auroracapital/get-shit-done && claude plugin install gsd@auroracapital-get-shit-done | ||
| ``` |
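Review bot: The install command takes GSD from the `auroracapital` marketplace namespace and does not pin a version, so the wizard installs whatever that namespace publishes at run time. Point it at the namespace the project controls, and pin a version or commit if the marketplace supports it.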
The GSD install instructions reference the auroracapital/get-shit-done marketplace and gsd@auroracapital-get-shit-done, but elsewhere in the repo GSD is referenced under Lifecycle-Innovations-Limited/get-shit-done. Align the marketplace slug/plugin ID so the wizard installs the same plugin that the docs reference.
| ```bash | ||
| claude plugin marketplace add auroracapital/get-shit-done && claude plugin install gsd@auroracapital-get-shit-done | ||
| ``` | ||
|
|
||
| Report success/failure. If it fails (e.g. marketplace not reachable), print: | ||
|
|
||
| ``` | ||
| Could not auto-install GSD. You can install it manually later: | ||
| /plugin marketplace add auroracapital/get-shit-done | ||
| /plugin install gsd@auroracapital-get-shit-done | ||
| ``` |
This section mixes claude plugin ... CLI commands with the in-app /plugin ... slash commands used elsewhere in the setup flow. Since the wizard runs inside Claude Code, prefer one consistent command form (typically /plugin ...) to avoid confusing users about where to run the commands.
|
|
||
| ## Checklist | ||
|
|
||
| - [ ] Tests pass (`npm run type-check && npm run lint && npm run test`) |
The PR template checklist references npm run type-check && npm run lint && npm run test, but this repo’s claude-ops/package.json does not define these scripts and CI currently runs npm ci, node --check, bash -n, and npx prettier --check. Update the checklist to match the actual project commands so contributors can follow it successfully.
| - [ ] Tests pass (`npm run type-check && npm run lint && npm run test`) | |
| - [ ] Validation commands pass (`npm ci && node --check <changed-js-files> && bash -n <changed-shell-scripts> && npx prettier --check .`) |
| ## Code Style | ||
|
|
||
| - TypeScript: follow existing ESLint/Prettier config (`npm run lint`) | ||
| - Shell scripts: `shellcheck`-clean | ||
| - Python: `ruff` for linting, `black` for formatting | ||
| - No placeholder comments or TODOs — ship complete code only | ||
| - Keep changes surgical; avoid scope creep | ||
|
|
||
| ## Testing | ||
|
|
||
| - Add or update unit tests for any logic you change | ||
| - Run the test suite before opening a PR: | ||
| ```bash | ||
| npm run type-check && npm run lint && npm run test | ||
| ``` |
CONTRIBUTING recommends npm run lint, npm run type-check, and npm run test, but this repository’s claude-ops/package.json doesn’t define those scripts and CI uses npm ci, syntax checks, and Prettier. Adjust the guidance to the real commands (or add the referenced scripts) so new contributors aren’t blocked by instructions that don’t work.
| ``` | ||
|
|
||
| > Also installable via: `/plugin install claude-ops@claude-plugins-official` | ||
| The setup wizard walks through each integration interactively — install CLIs, connect channels, build your project registry. All credentials stored locally, never transmitted. |
The README says “All credentials stored locally, never transmitted,” but later describes multiple integrations using OAuth via Claude.ai (which necessarily involves transmitting tokens/authorization flows). Reword this to distinguish local CLI tokens/secrets (stored locally) vs Claude.ai MCP OAuth connectors, to avoid misleading users about data handling.
| The setup wizard walks through each integration interactively — install CLIs, connect channels, build your project registry. All credentials stored locally, never transmitted. | |
| The setup wizard walks through each integration interactively — install CLIs, connect channels, build your project registry. Local CLI tokens and secrets configured by the plugin are stored on your machine. Some integrations may also use Claude.ai/MCP OAuth connectors, which follow the provider's normal authorization flow and necessarily transmit authorization data to complete the connection. |
Cursor Bugbot has reviewed your changes and found 4 potential issues.
Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.
Reviewed by Cursor Bugbot for commit 4e35e80. Configure here.
| GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} | ||
| - name: Install gitleaks | ||
| run: | | ||
| curl -sSfL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.24.3_linux_amd64.tar.gz | tar xz |
Gitleaks CI URL will 404 due to version mismatch
High Severity
The gitleaks download URL uses /releases/latest/download/ which redirects to the latest release, but the filename is pinned to version 8.24.3. Since the latest gitleaks release is v8.30.1, the latest release doesn't contain an asset named gitleaks_8.24.3_linux_amd64.tar.gz, resulting in a 404. The correct URL for a pinned version is /releases/download/v8.24.3/gitleaks_8.24.3_linux_amd64.tar.gz.
Reviewed by Cursor Bugbot for commit 4e35e80. Configure here.
|
|
||
| # Infrastructure (auto-installed if brew available) | ||
| auto_install aws awscli | ||
| auto_install node node |
Script exits on first missing tool due to set -e
High Severity
The auto_install function returns 1 when a tool is missing and Homebrew is unavailable. Combined with set -euo pipefail, the script aborts on the very first missing tool (e.g. auto_install jq jq) instead of collecting all missing tools into MISSING and reporting them at the end. The remaining tool checks, npm installs, and status reporting never execute.
Reviewed by Cursor Bugbot for commit 4e35e80. Configure here.
| On install, run: | ||
|
|
||
| ```bash | ||
| claude plugin marketplace add auroracapital/get-shit-done && claude plugin install gsd@auroracapital-get-shit-done |
GSD install commands reference old organization name
Medium Severity
The GSD auto-install commands use auroracapital/get-shit-done, but the GSD link in claude-ops/README.md was updated to Lifecycle-Innovations-Limited/get-shit-done as part of this PR's org migration. The install and fallback instructions will fail if the repository no longer exists under the old org.
Reviewed by Cursor Bugbot for commit 4e35e80. Configure here.
| echo "" | ||
| for tool in "${MISSING[@]}"; do | ||
| echo " ✗ ops: $tool not found — run /ops:setup to configure" | ||
| done |
Empty array expansion fails under set -u on macOS
Medium Severity
On macOS default bash 3.2, expanding an empty array with "${MISSING[@]}" while set -u (nounset) is active triggers an "unbound variable" error, even though the array is declared via MISSING=(). This affects the happy path where all tools are already installed — MISSING stays empty, and the for loop crashes the script before the registry check on line 58 ever runs. The SessionStart hook silently swallows this via 2>/dev/null, so users never see the missing-registry warning.
Reviewed by Cursor Bugbot for commit 4e35e80. Configure here.
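The two setup.sh failure modes raised in the comments above (abort on the first `return 1` under `set -e`, and empty-array expansion under `set -u`) shown in one runnable sketch. This is an added example, not code from the PR: `run_setup`, `SETUP_BODY` and the `ops-demo-*` tool names are constructed for illustration, and the inner `auto_install` only mirrors the shape visible in the reviewed hunk.

```bash
#!/usr/bin/env bash
# Added example (not the project's setup.sh). The body below is run in a
# fresh bash process so that `set -e` behaves exactly as it would in a
# standalone script, independent of how the caller invokes run_setup.
SETUP_BODY='
set -euo pipefail
mode=$1; shift
MISSING=()

# Same shape as the reviewed function: record the tool, return non-zero.
auto_install() {
  command -v "$1" >/dev/null 2>&1 && return 0
  MISSING+=("$1")
  return 1
}

for tool in "$@"; do
  if [ "$mode" = guarded ]; then
    # The guard keeps set -e from ending the script on a missing tool.
    auto_install "$tool" || true
  else
    # Unguarded: the first return 1 terminates the script right here.
    auto_install "$tool"
  fi
done

# Expands to nothing when MISSING is empty, so it is safe under set -u
# on bash 3.2 as well as on newer versions.
for tool in ${MISSING[@]+"${MISSING[@]}"}; do
  echo "missing: $tool"
done
echo "report complete"
'

# run_setup MODE TOOL...   (MODE is "guarded" or "unguarded")
run_setup() {
  bash -c "$SETUP_BODY" _ "$@"
}

# Demo with constructed tool names that should not exist on any machine.
run_setup unguarded ops-demo-missing-a ops-demo-missing-b \
  || echo "unguarded run exited with status $? before reporting"
run_setup guarded ops-demo-missing-a ops-demo-missing-b
```

The unguarded run prints no `missing:` lines at all, which is the behaviour the reviewers describe; the guarded run lists both constructed tools and reaches the final report.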
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4e35e80da0
| brew install "$brew_pkg" 2>/dev/null && INSTALLED+=("$tool") && return 0 | ||
| fi | ||
| MISSING+=("$tool") | ||
| return 1 |
Prevent setup from exiting when a tool is missing
Because the script is running with set -e, returning non-zero here causes the whole setup script to abort on the first unavailable tool (for example gh on a fresh machine without Homebrew). That means later checks never run and the user gets no missing-tool guidance, which breaks the SessionStart diagnostic flow that expects this script to emit ✗ lines rather than terminate.
| GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} | ||
| - name: Install gitleaks | ||
| run: | | ||
| curl -sSfL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.24.3_linux_amd64.tar.gz | tar xz |
Use a stable gitleaks release URL
This URL combines the moving releases/latest alias with a hard-coded 8.24.3 asset name, so CI will fail with a download error as soon as latest points to any other version. Pinning both the tag and filename (or resolving the version dynamically) avoids a latent break in the leak-scan step.
* docs: rewrite READMEs with correct install flow, MCP vs CLI guide, and org URLs (#11)
  - All GitHub URLs now point to Lifecycle-Innovations-Limited/claude-ops
  - Root README: correct /plugin marketplace add + install commands, MCP vs CLI comparison table showing what each path gains/loses per integration
  - Inner README: consistent /ops:* colon syntax, GSD as optional, integrations split into CLI-only / MCP-only / choose-with-tradeoffs / plugin-bundled
  - setup.sh: auto-install missing core tools + npm deps on SessionStart
  - plugin.json: updated author URL, homepage, repository
  - marketplace.json + SECURITY.md: updated email
  Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: clarify Telegram setup is fully automated (phone + 2 codes) (#12)
  Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add GSD companion plugin auto-install to setup wizard (#13)
  Setup wizard now offers to install GSD (Get Shit Done) as a companion plugin. Pulls latest version via plugin marketplace. Users choose [Install GSD] or [Skip]. Enhances /ops:go, /ops:projects, /ops:next dashboards with project roadmap state.
  Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: replace gitleaks-action with local binary
* Add CONTRIBUTING.md and issue/PR templates
  Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>


Summary
Test plan
🤖 Generated with Claude Code
Note
Medium Risk
Medium risk because it changes CI secret-scanning execution and alters `scripts/setup.sh` behavior to auto-install dependencies and run `npm install`, which can impact developer environments and first-run setup.

Overview
Updates CI by replacing the `gitleaks` GitHub Action with downloading/running a pinned `gitleaks` binary, aiming to unblock secret scanning in org repos.

Expands community/project metadata: adds `CONTRIBUTING.md`, issue/PR templates, updates security + marketplace/plugin manifests and rewrites README install/docs (including org/URL updates and consistent `/ops:*` command naming).

Enhances setup flow by making `claude-ops/scripts/setup.sh` auto-install core tools via Homebrew, auto-install Node dependencies for the plugin/Telegram server, and by adding a documented “Companion plugins” step to optionally install the GSD plugin from the setup skill.

Reviewed by Cursor Bugbot for commit 4e35e80. Bugbot is set up for automated code reviews on this repo.
Summary by CodeRabbit
Release Notes
Documentation
`/ops-*` to `/ops:*` format.
New Features
Chores