Add a repo-level supply-chain incident response playbook for npm/GitHub Actions package-registry incidents, anchored on the May 2026 TanStack compromise and prior Shai-Hulud-style npm incidents.
- add `docs/security/supply-chain-incident-response.md` with exposure checks, immediate response steps, workflow rules, publication rules, and escalation triggers
- link the playbook from `SECURITY.md`
- reject `pull_request_target` workflows that restore or save shared dependency caches
- add a regression test for the new `pull_request_target + actions/cache` guardrail
Validation:
- node tests/ci/validate-workflow-security.test.js (12 passed, 0 failed)
- node scripts/ci/validate-workflow-security.js (validated 7 workflow files)
- npx markdownlint-cli 'SECURITY.md' 'docs/security/supply-chain-incident-response.md'
- npx markdownlint-cli '**/*.md' --ignore node_modules
- git diff --check
- node tests/run-all.js (2377 passed, 0 failed)
- GitHub CI for #1848 green across Ubuntu, Windows, and macOS
No release, tag, npm publish, plugin tag, marketplace submission, or announcement was performed.
Add compact prompt-defense baselines to active ECC prompt surfaces and copied CLAUDE examples. AgentShield prompt-defense findings are now zero; local tests passed 2366/2366.
* feat: add homelab config skills (VLAN, Pi-hole, WireGuard)
Adds three homelab configuration skills, extracted from the stale PR #1413
with the same safety treatment applied to the previously accepted batch:
- homelab-vlan-segmentation: IoT/guest/trusted/server VLAN design for UniFi,
pfSense/OPNsense, and MikroTik. All firewall rules add isolation, not remove
protections. Added change-window guidance and AP trunk port clarification.
- homelab-pihole-dns: Pi-hole install, blocklists, DNS-over-HTTPS, local DNS
records, troubleshooting. Docker is now the lead install method; bare-metal
uses inspect-first pattern before running the installer script.
- homelab-wireguard-vpn: WireGuard server, peer config, split tunnel, DDNS.
Replaced broad iptables FORWARD ACCEPT with scoped directional rules
(wg0→eth0 forward + established return only). Credentials moved to env
files with explicit notes against inline secrets and version control.
Continues the contribution from PR #1413; the eight skills/agents from
that PR are already in main via #1729 and #1731.
* docs: harden homelab skill pack
---------
Co-authored-by: Affaan Mustafa <affaan@dcube.ai>
Source: maintainer-owned salvage of useful Django reviewer/build-resolver/Celery work from stale PR #1310 by mrigank2seven.
- add django-reviewer and django-build-resolver agents
- add django-celery skill with timezone-aware scheduling example
- update catalog counts to 60 agents / 221 skills and record the May 12 salvage gap pass
Co-authored-by: MRIGANK GUPTA <mrigank2seven@users.noreply.github.com>
Records AgentShield PR #59 in the ECC 2.0 GA roadmap and moves the next AgentShield roadmap slice to the remaining prompt-injection benchmark/PDF decision work.
Validation:
- npx --yes markdownlint-cli docs/ECC-2.0-GA-ROADMAP.md
- npm test (2324 tests)
- npm run harness:audit -- --format json (70/70)
- npm run harness:adapters -- --check (PASS, 11 adapters)
- npm run observability:ready (14/14)
- GitHub Actions matrix green on PR #1796
