Require npm registry signature verification wherever workflow npm audit checks run.
- add npm audit signatures to CI Security Scan and maintenance security audit jobs
- teach the workflow security validator to reject npm audit without signature verification
- keep the repair and Copilot prompt tests portable across Windows path/case and CRLF frontmatter behavior
Validation:
- node tests/run-all.js (2376 passed, 0 failed)
- CI current-head matrix green on #1846
Adds GitHub Copilot VS Code instruction and prompt files for ECC workflows, with VS Code prompt frontmatter/settings aligned to current docs and tests covering the surface.
Co-authored-by: Girish Kanjiyani <girish.kanjiyani5040@gmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Remove shell access from two agents that do not need it and reword PyTorch autograd guidance that AgentShield flagged as encoded-payload-like text. AgentShield remains B/75 while findings drop 316->310 and high findings drop 26->21. Local tests passed 2369/2369; full GitHub Actions matrix green.
Backport Jamkris's fix for case-insensitive core.hooksPath overrides and the git commit -tn template-path false positive. Verified locally on current main with 25/25 block-no-verify tests and node tests/run-all.js passing 2369/2369.
Add compact prompt-defense baselines to active ECC prompt surfaces and copied CLAUDE examples. AgentShield prompt-defense findings are now zero; local tests passed 2366/2366.
- run non-test workflow installs with npm ci --ignore-scripts where lifecycle scripts are not needed\n- reject plain npm ci in workflows with write permissions\n- reject actions/cache in id-token: write workflows to reduce OIDC publish cache-poisoning risk
* feat: add homelab config skills (VLAN, Pi-hole, WireGuard)
Adds three homelab configuration skills, extracted from the stale PR #1413
with the same safety treatment applied to the previously accepted batch:
- homelab-vlan-segmentation: IoT/guest/trusted/server VLAN design for UniFi,
pfSense/OPNsense, and MikroTik. All firewall rules add isolation, not remove
protections. Added change-window guidance and AP trunk port clarification.
- homelab-pihole-dns: Pi-hole install, blocklists, DNS-over-HTTPS, local DNS
records, troubleshooting. Docker is now the lead install method; bare-metal
uses inspect-first pattern before running the installer script.
- homelab-wireguard-vpn: WireGuard server, peer config, split tunnel, DDNS.
Replaced broad iptables FORWARD ACCEPT with scoped directional rules
(wg0→eth0 forward + established return only). Credentials moved to env
files with explicit notes against inline secrets and version control.
Continues the contribution from PR #1413; the eight skills/agents from
that PR are already in main via #1729 and #1731.
* docs: harden homelab skill pack
---------
Co-authored-by: Affaan Mustafa <affaan@dcube.ai>
Source: maintainer-owned salvage of useful Django reviewer/build-resolver/Celery work from stale PR #1310 by mrigank2seven.
- add django-reviewer and django-build-resolver agents
- add django-celery skill with timezone-aware scheduling example
- update catalog counts to 60 agents / 221 skills and record the May 12 salvage gap pass
Co-authored-by: MRIGANK GUPTA <mrigank2seven@users.noreply.github.com>
