|
|
-- 🛡️ **`supply-chain-defense` skill** - Behavioural-first defense against the 2026 npm/PyPI/Composer worm campaign (Shai-Hulud / Mini Shai-Hulud) that `npm audit` misses in the publish-to-advisory window — the proactive sibling to `security-ops`. Free-first Socket.dev integration (open-source CLI, $0 tier, zero-auth `depscore` MCP for Claude Code) plus two advisory hooks covering both ways a dependency enters: install commands and the agent editing a manifest. `exposure-check.py` answers "are we running a named-bad version?" by matching installed lockfiles across npm/pnpm/yarn/bun, PyPI, Composer, Cargo, Go, RubyGems + editor extensions against a cited-IOC catalog (axios 1.14.1, Laravel-Lang tag-rewrite, Nx Console 18.95.0, durabletask 1.4.1–1.4.3); `integrity-audit.sh` hunts worm persistence in Claude/editor configs, shell rc files, and `.npmrc`; `scan-extensions.sh` adds inventory + recency + opt-in GuardDog triage; `preinstall-check.sh` enforces a 7-day release-age cooldown. A global `rules/supply-chain.md` carries the doctrine to every project, and four references map the free-OSS complements (GuardDog, OSV-Scanner, zizmor, Harden-Runner). 42-assertion offline test suite; IOC-catalog format borrowed from Perplexity's [Bumblebee](https://github.com/perplexityai/bumblebee).
|
|
|
+- 🛡️ **`supply-chain-defense` skill** - Behavioural-first defense against the 2026 npm/PyPI/Composer worm campaign (Shai-Hulud) that `npm audit` misses in the publish-to-advisory window — the proactive sibling to `security-ops`. Free-first Socket.dev integration (open-source CLI, zero-auth `depscore` MCP) plus advisory hooks on both install commands and manifest edits. `exposure-check.py` matches installed lockfiles (npm/pnpm/yarn/bun, PyPI, Composer, Cargo, Go, RubyGems + editor extensions) against a cited-IOC catalog; `integrity-audit.sh` hunts worm persistence in configs, shell rc, and `.npmrc`; `preinstall-check.sh` enforces a 7-day release-age cooldown. A global `rules/supply-chain.md` carries the doctrine everywhere; 42-assertion offline test suite, IOC format from Perplexity's [Bumblebee](https://github.com/perplexityai/bumblebee).
|
|
|
+- 🔒 **`settings.local.json` secret-safety** - `.claude/settings.local.json` accumulates API keys inside permission rules, so it's now gitignored and untracked repo-wide. Three layers keep it off any remote: the `.gitignore` rule, `setperms` self-healing that rule on every permissions write, and the `git-ops` push-safety gate refusing any push that adds the file.
|
|
|
- 🩺 **`mac-ops` skill** - Comprehensive macOS workstation diagnostics, peer to `windows-ops`. 23 scripts + 11 reference docs along an 8-rung ladder: `health-audit` orchestrates and `quickrun` gives a one-shot "what's wrong with my Mac?" verdict. Mac-unique probes cover TCC privacy permissions (the "can't screen-share" cause), wake reasons, Spotlight, and APFS storage pressure (the "disk full but `du` disagrees" mystery).
|