fix: add missing YAML frontmatter to codebase-cleanup commands#490
Merged
wshobson merged 1 commit intowshobson:mainfrom Apr 17, 2026
Merged
Conversation
All three commands in the codebase-cleanup plugin had no YAML frontmatter, causing them to silently fail registration in Claude Code. Added minimal description frontmatter to each command. Co-Authored-By: Claude Code <noreply@anthropic.com>
This was referenced Apr 17, 2026
Owner
|
Thanks @xiaolai — merged. Clean one-line-per-file fix that restores three commands to the registry. |
5 tasks
tomjwxf
pushed a commit
to tomjwxf/wshobson-agents
that referenced
this pull request
Apr 17, 2026
Three blocking items + one non-blocking clarification from the review: 1. marketplace.json unicode regression FIXED. Reset the file to upstream HEAD, then inserted ONLY the review-agent-governance entry with a string-based append that preserves every existing UTF-8 character byte-for-byte. No entries other than the new one are modified. `grep -c '\\u' marketplace.json` returns 0 escape sequences. 2. approve-review.md $1 → $ARGUMENTS. The marketplace slash-command convention (per plugins/codebase-cleanup/commands/deps-audit.md from PR wshobson#490) is $ARGUMENTS, which captures the full argument including spaces. $1 only captured the first word. Also JSON-escape the reason before embedding in the approval record (via python3 json.dumps) so quotes, backslashes, and newlines do not break the JSON body. This resolves the non-blocking JSON-escape note too. 3. README honesty on the approval log. Previously claimed the chain "records exactly which actions were human-gated and when," which was overstating: approval log entries under ./review-receipts/approvals/ are plain JSON, not signed. Rewrote that paragraph to explicitly separate the signed PostToolUse chain (covered by @veritasacta/verify) from the operator-trust approval log. Points users at protect-mcp sign directly if they need signed approval records for regulated environments. 4. Added an explicit note on what the signed chain covers when the approval flag is present: PreToolUse short-circuits without calling Cedar, so the downstream PostToolUse receipt has decision:allow but no policy_digest. Auditors walking the chain should expect this. Resolves the "document the short-circuit" non-blocking item. Not addressed (pending Seth's follow-up): - marketplace.json conflict with wshobson#496 will be resolved by rebase order (whichever merges first; the other rebases) Tests: - python3 -m json.tool validates marketplace.json, plugin.json, hooks.json - grep -c '\\u' on marketplace.json = 0
tomjwxf
pushed a commit
to tomjwxf/wshobson-agents
that referenced
this pull request
Apr 19, 2026
Three blocking items + one non-blocking clarification from the review: 1. marketplace.json unicode regression FIXED. Reset the file to upstream HEAD, then inserted ONLY the review-agent-governance entry with a string-based append that preserves every existing UTF-8 character byte-for-byte. No entries other than the new one are modified. `grep -c '\\u' marketplace.json` returns 0 escape sequences. 2. approve-review.md $1 → $ARGUMENTS. The marketplace slash-command convention (per plugins/codebase-cleanup/commands/deps-audit.md from PR wshobson#490) is $ARGUMENTS, which captures the full argument including spaces. $1 only captured the first word. Also JSON-escape the reason before embedding in the approval record (via python3 json.dumps) so quotes, backslashes, and newlines do not break the JSON body. This resolves the non-blocking JSON-escape note too. 3. README honesty on the approval log. Previously claimed the chain "records exactly which actions were human-gated and when," which was overstating: approval log entries under ./review-receipts/approvals/ are plain JSON, not signed. Rewrote that paragraph to explicitly separate the signed PostToolUse chain (covered by @veritasacta/verify) from the operator-trust approval log. Points users at protect-mcp sign directly if they need signed approval records for regulated environments. 4. Added an explicit note on what the signed chain covers when the approval flag is present: PreToolUse short-circuits without calling Cedar, so the downstream PostToolUse receipt has decision:allow but no policy_digest. Auditors walking the chain should expect this. Resolves the "document the short-circuit" non-blocking item. Not addressed (pending Seth's follow-up): - marketplace.json conflict with wshobson#496 will be resolved by rebase order (whichever merges first; the other rebases) Tests: - python3 -m json.tool validates marketplace.json, plugin.json, hooks.json - grep -c '\\u' on marketplace.json = 0
tomjwxf
pushed a commit
to tomjwxf/wshobson-agents
that referenced
this pull request
Apr 20, 2026
Three blocking items + one non-blocking clarification from the review: 1. marketplace.json unicode regression FIXED. Reset the file to upstream HEAD, then inserted ONLY the review-agent-governance entry with a string-based append that preserves every existing UTF-8 character byte-for-byte. No entries other than the new one are modified. `grep -c '\\u' marketplace.json` returns 0 escape sequences. 2. approve-review.md $1 → $ARGUMENTS. The marketplace slash-command convention (per plugins/codebase-cleanup/commands/deps-audit.md from PR wshobson#490) is $ARGUMENTS, which captures the full argument including spaces. $1 only captured the first word. Also JSON-escape the reason before embedding in the approval record (via python3 json.dumps) so quotes, backslashes, and newlines do not break the JSON body. This resolves the non-blocking JSON-escape note too. 3. README honesty on the approval log. Previously claimed the chain "records exactly which actions were human-gated and when," which was overstating: approval log entries under ./review-receipts/approvals/ are plain JSON, not signed. Rewrote that paragraph to explicitly separate the signed PostToolUse chain (covered by @veritasacta/verify) from the operator-trust approval log. Points users at protect-mcp sign directly if they need signed approval records for regulated environments. 4. Added an explicit note on what the signed chain covers when the approval flag is present: PreToolUse short-circuits without calling Cedar, so the downstream PostToolUse receipt has decision:allow but no policy_digest. Auditors walking the chain should expect this. Resolves the "document the short-circuit" non-blocking item. Not addressed (pending Seth's follow-up): - marketplace.json conflict with wshobson#496 will be resolved by rebase order (whichever merges first; the other rebases) Tests: - python3 -m json.tool validates marketplace.json, plugin.json, hooks.json - grep -c '\\u' on marketplace.json = 0
tomjwxf
pushed a commit
to tomjwxf/wshobson-agents
that referenced
this pull request
Apr 26, 2026
Three blocking items + one non-blocking clarification from the review: 1. marketplace.json unicode regression FIXED. Reset the file to upstream HEAD, then inserted ONLY the review-agent-governance entry with a string-based append that preserves every existing UTF-8 character byte-for-byte. No entries other than the new one are modified. `grep -c '\\u' marketplace.json` returns 0 escape sequences. 2. approve-review.md $1 → $ARGUMENTS. The marketplace slash-command convention (per plugins/codebase-cleanup/commands/deps-audit.md from PR wshobson#490) is $ARGUMENTS, which captures the full argument including spaces. $1 only captured the first word. Also JSON-escape the reason before embedding in the approval record (via python3 json.dumps) so quotes, backslashes, and newlines do not break the JSON body. This resolves the non-blocking JSON-escape note too. 3. README honesty on the approval log. Previously claimed the chain "records exactly which actions were human-gated and when," which was overstating: approval log entries under ./review-receipts/approvals/ are plain JSON, not signed. Rewrote that paragraph to explicitly separate the signed PostToolUse chain (covered by @veritasacta/verify) from the operator-trust approval log. Points users at protect-mcp sign directly if they need signed approval records for regulated environments. 4. Added an explicit note on what the signed chain covers when the approval flag is present: PreToolUse short-circuits without calling Cedar, so the downstream PostToolUse receipt has decision:allow but no policy_digest. Auditors walking the chain should expect this. Resolves the "document the short-circuit" non-blocking item. Not addressed (pending Seth's follow-up): - marketplace.json conflict with wshobson#496 will be resolved by rebase order (whichever merges first; the other rebases) Tests: - python3 -m json.tool validates marketplace.json, plugin.json, hooks.json - grep -c '\\u' on marketplace.json = 0
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bug
All three commands in
plugins/codebase-cleanup/commands/have no YAML frontmatter block:tech-debt.md— starts with# Technical Debt Analysis and Remediationdeps-audit.md— starts with# Dependency Audit and Security Analysisrefactor-clean.md— starts with# Refactor and Clean CodeClaude Code requires a
---delimited frontmatter block with at minimum adescriptionfield to register a slash command. Without it, the command is silently absent when users install thecodebase-cleanupplugin — all three slash commands are completely unavailable.Fix
Added minimal frontmatter to each command with a
descriptionderived from the file's title and opening paragraph:No content was changed — only the required registration header was prepended. The descriptions are concise, single-sentence summaries of what each command does.