Merge staging: official plugins, guard fix, docs sync

.codeforge/config/settings.json

@@ -53,7 +53,10 @@
 		"command": "/usr/local/bin/ccstatusline-wrapper"
 	},
 	"enabledPlugins": {
-		"frontend-design@claude-plugins-official": true,
+		"frontend-design@anthropics/claude-code": true,
+		"code-review@anthropics/claude-code": true,
+		"feature-dev@anthropics/claude-code": true,
+		"pr-review-toolkit@anthropics/claude-code": true,
 		"codeforge-lsp@devs-marketplace": true,
 		"ticket-workflow@devs-marketplace": true,
 		"notify-hook@devs-marketplace": true,

.devcontainer/CHANGELOG.md

@@ -1,47 +1,5 @@
 # CodeForge Devcontainer Changelog
 
-## [Unreleased]
-
-### Security
-- Removed environment variable injection vector in agent redirect log path (S2-01)
-- Narrowed config deployment allowed destinations from `/usr/local` to `/usr/local/share` (S2-09)
-- Protected files guard now fails closed on unexpected errors instead of failing open (S2-04)
-
-### Testing
-- **Plugin test suite** — 289 pytest tests covering 6 critical plugin scripts that previously had zero tests:
-  - `block-dangerous.py` (62 tests) — all 33 dangerous command patterns with positive/negative/edge cases
-  - `guard-workspace-scope.py` (40 tests) — blacklist, scope, allowlist, bash enforcement layers, primary command extraction
-  - `guard-protected.py` (56 tests) — all protected file patterns (secrets, locks, keys, credentials, auth dirs)
-  - `guard-protected-bash.py` (49 tests) — write target extraction, multi-target commands, and protected path integration
-  - `guard-readonly-bash.py` (69 tests) — general-readonly and git-readonly modes, bypass prevention, global flag handling
-  - `redirect-builtin-agents.py` (13 tests) — redirect mapping, passthrough, output structure
-- Added `test:plugins` and `test:all` npm scripts for running plugin tests
-- Python plugin tests (`pytest`) added to CI pipeline (Q3-08)
-
-### Dangerous Command Blocker
-- **Force push block now suggests `git merge` as workaround** — error message explains how to avoid diverged history instead of leaving the agent to improvise destructive workarounds
-- **Block `--force-with-lease`** — was slipping through regex; all force push variants now blocked uniformly
-- **Block remote branch deletion** — `git push origin --delete` and colon-refspec deletion (`git push origin :branch`) now blocked; deleting remote branches closes associated PRs
-- **Fixed README** — error handling was documented as "fails open" but code actually fails closed; corrected to match behavior
-- Dangerous command blocker handles prefix bypasses (`\rm`, `command rm`, `env rm`) and symbolic chmod (S2-03)
-
-### Guards
-- Fixed greedy alternation in write-target regex — `>>` now matched before `>` (Q3-01)
-- Unified write-target extraction patterns across guards — protected-files bash guard expanded from 5 to 20 patterns (C1-02)
-- Multi-target command support — `rm`, `touch`, `mkdir`, `chmod`, `chown` with multiple file operands now check all targets
-- Bare `git stash` (equivalent to push) now blocked in read-only mode (Q3-04)
-- Fixed git global flag handling — `git -C /path stash list` no longer misidentifies the stash subcommand
-
-### Documentation
-- **DevContainer CLI guide** — dedicated Getting Started page for terminal-only workflows without VS Code
-- **v2 Migration Guide** — path changes, automatic migration, manual steps, breaking changes, and troubleshooting
-- Documented 4 previously undocumented agents in agents.md: implementer, investigator, tester, documenter
-- Added missing git-workflow and prompt-snippets to configuration.md enabledPlugins example
-- Added CONFIG_SOURCE_DIR deprecation note in environment variables reference
-- Added cc-orc orchestrator command to first-session launch commands table
-- Tabbed client-specific instructions on the installation page
-- Dedicated port forwarding reference page covering VS Code auto-detect, devcontainer-bridge, and SSH tunneling
-
 ## v2.0.0 — 2026-02-26
 
 ### .codeforge/ Configuration System
@@ -100,6 +58,8 @@
 - **worktree skill** — git worktree creation, management, cleanup, `EnterWorktree` tool, `.worktreeinclude` setup
 
 ### Plugins
+- **Expanded Anthropic official plugins** — added `code-review`, `feature-dev`, and `pr-review-toolkit` from `anthropics/claude-code`
+- **Migrated plugin identifiers** — switched from `@claude-plugins-official` to `@anthropics/claude-code` format
 - **Git workflow** — `/ship` (commit/push/PR with code review and approval) and `/pr:review` (PR review by number/URL, posts findings as comment)
 - **Prompt snippets** — `/ps` command for quick behavioral mode switches (noaction, brief, plan, go, review, ship, deep, hold, recall, wait); composable (`/ps noaction brief`)
 
@@ -113,16 +73,20 @@
 - POSIX redirect, bash-required installer shell, quoted `${TARGET}`, directory pre-creation
 
 ### Testing
-- **241 pytest tests** covering 6 critical plugin scripts (previously zero tests):
-  - `block-dangerous.py` (46), `guard-workspace-scope.py` (40), `guard-protected.py` (55), `guard-protected-bash.py` (24), `guard-readonly-bash.py` (63), `redirect-builtin-agents.py` (13)
+- **289 pytest tests** covering 6 critical plugin scripts (previously zero tests):
+  - `block-dangerous.py` (62), `guard-workspace-scope.py` (40), `guard-protected.py` (56), `guard-protected-bash.py` (49), `guard-readonly-bash.py` (69), `redirect-builtin-agents.py` (13)
 - `test:plugins` and `test:all` npm scripts
+- Python plugin tests (`pytest`) added to CI pipeline (Q3-08)
 
 ### Authentication
 - `CLAUDE_AUTH_TOKEN` support in `.secrets` for long-lived tokens from `claude setup-token`
 - Auto-creates `.credentials.json` from token on container start (idempotent)
 - `CLAUDE_AUTH_TOKEN` in devcontainer.json secrets declaration
 
 ### Security
+- Removed environment variable injection vector in agent redirect log path (S2-01)
+- Narrowed config deployment allowed destinations from `/usr/local` to `/usr/local/share` (S2-09)
+- Protected files guard now fails closed on unexpected errors instead of failing open (S2-04)
 - Protected-files-guard blocks `.credentials.json` modifications
 - Replaced `eval` tilde expansion with `getent passwd` lookup (prevents shell injection)
 - Auth token JSON-escaped before writing; credential directory with restrictive umask (700)
@@ -153,8 +117,17 @@
 - Force push block now suggests `git merge` as workaround
 - Block `--force-with-lease` — all force push variants now blocked uniformly
 - Block remote branch deletion (`git push origin --delete`, colon-refspec `git push origin :branch`)
+- Handles prefix bypasses (`\rm`, `command rm`, `env rm`) and symbolic chmod (S2-03)
 - Fixed README — error handling documented as "fails open" but code actually fails closed
 
+### Guards
+- **Allowed `.env.example` edits** — `.env.example` is no longer blocked by the `.env.*` pattern; actual secret files (`.env.local`, `.env.production`, etc.) remain protected
+- Fixed greedy alternation in write-target regex — `>>` now matched before `>` (Q3-01)
+- Unified write-target extraction patterns across guards — protected-files bash guard expanded from 5 to 20 patterns (C1-02)
+- Multi-target command support — `rm`, `touch`, `mkdir`, `chmod`, `chown` with multiple file operands now check all targets
+- Bare `git stash` (equivalent to push) now blocked in read-only mode (Q3-04)
+- Fixed git global flag handling — `git -C /path stash list` no longer misidentifies the stash subcommand
+
 ### Session Context & Code Quality
 - **Commit reminder** — switched to advisory (was blocking); tiered logic for meaningful changes; only fires when session modified files
 - **Advisory test runner** — reads from correct tmp file prefix (`claude-cq-edited` instead of `claude-edited-files`)
@@ -198,6 +171,8 @@
 - Missing plugin pages for git-workflow and prompt-snippets
 - Port Forwarding reference, CLI guide cross-link, slimmed Installation page
 - Documented 4 workhorse agents, cc-orc command, CONFIG_SOURCE_DIR deprecation, CLAUDE_AUTH_TOKEN setup
+- Added missing git-workflow and prompt-snippets to configuration.md enabledPlugins example
+- Tabbed client-specific instructions on the installation page
 - MD040 compliance (language specifiers on fenced code blocks)
 - Architecture docs — `.checksums/` and `.markers/` in `.codeforge/` tree
 - Troubleshooting — "Reset to Defaults" renamed to "How to Reset", clarified `--reset` behavior

.devcontainer/CLAUDE.md

@@ -50,6 +50,9 @@ Declared in `settings.json` under `enabledPlugins`, auto-activated on start:
 - **git-workflow** — Standalone ship (commit/push/PR) + PR review
 - **notify-hook** — Desktop notifications on completion
 - **frontend-design** (Anthropic official) — UI/frontend design skill
+- **code-review** (Anthropic official) — Code review skill
+- **feature-dev** (Anthropic official) — Feature development skill
+- **pr-review-toolkit** (Anthropic official) — PR review commands + agents
 - **prompt-snippets** — Quick behavioral mode switches via /ps command
 
 ## Rules System

.devcontainer/plugins/devs-marketplace/plugins/protected-files-guard/README.md

@@ -10,7 +10,7 @@ Intercepts file operations and checks target paths against a set of protected pa
 
 | Category | Patterns | Reason |
 |----------|----------|--------|
-| Environment secrets | `.env`, `.env.*` | Contains secrets |
+| Environment secrets | `.env`, `.env.*` (except `.env.example`) | Contains secrets |
 | Git internals | `.git/` | Managed by git |
 | Lock files | `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`, `Gemfile.lock`, `poetry.lock`, `Cargo.lock`, `composer.lock`, `uv.lock` | Must be modified via package manager |
 | Certificates & keys | `.pem`, `.key`, `.crt`, `.p12`, `.pfx` | Sensitive cryptographic material |
@@ -60,7 +60,7 @@ The Bash guard parses commands for write-indicating patterns and extracts the ta
 | Scenario | Behavior |
 |----------|----------|
 | JSON parse failure | Fails closed (exit 2) — blocks the operation |
-| Other exceptions | Fails open (exit 0) — logs error, allows the operation |
+| Other exceptions | Fails closed (exit 2) — logs error, blocks the operation |
 
 ### Timeout
 

.devcontainer/plugins/devs-marketplace/plugins/protected-files-guard/scripts/guard-protected-bash.py

@@ -17,7 +17,7 @@
 PROTECTED_PATTERNS = [
     (r"(^|/)\.env$", "Blocked: .env contains secrets - edit manually if needed"),
     (
-        r"(^|/)\.env\.[^/]+$",
+        r"(^|/)\.env\.(?!example$)[^/]+$",
         "Blocked: .env.* files contain secrets - edit manually if needed",
     ),
     (r"(^|/)\.git(/|$)", "Blocked: .git is managed by git"),

.devcontainer/plugins/devs-marketplace/plugins/protected-files-guard/scripts/guard-protected.py

@@ -16,7 +16,7 @@
     # Environment secrets
     (r"(^|/)\.env$", "Blocked: .env contains secrets - edit manually if needed"),
     (
-        r"(^|/)\.env\.[^/]+$",
+        r"(^|/)\.env\.(?!example$)[^/]+$",
         "Blocked: .env.* files contain secrets - edit manually if needed",
     ),
     # Git internals

.devcontainer/scripts/setup-plugins.sh

@@ -22,7 +22,7 @@ fi
 echo "[setup-plugins] Installing plugins..."
 
 # --- Official Anthropic Plugins ---
-DEFAULT_OFFICIAL_PLUGINS="frontend-design@claude-plugins-official svelte@sveltejs/mcp"
+DEFAULT_OFFICIAL_PLUGINS="frontend-design@anthropics/claude-code code-review@anthropics/claude-code feature-dev@anthropics/claude-code pr-review-toolkit@anthropics/claude-code svelte@sveltejs/mcp"
 IFS=' ' read -ra OFFICIAL_PLUGINS <<< "${OFFICIAL_PLUGINS:-$DEFAULT_OFFICIAL_PLUGINS}"
 
 for plugin in "${OFFICIAL_PLUGINS[@]}"; do

README.md

@@ -106,7 +106,7 @@ CodeForge operates in three layers, each building on the one below:
 
 **DevContainer** — The foundation. A Python 3.14 container with Node.js, Rust, and Bun runtimes, plus 22 custom features that install development tools (ast-grep, tree-sitter, biome, ruff, and others).
 
-**CodeForge Layer** — The intelligence. 13 plugins register hooks that validate commands, inject context, and enforce safety. 17 agents provide specialized personas. 35 skills offer on-demand reference material. System prompts and rules shape behavior.
+**CodeForge Layer** — The intelligence. 17 plugins register hooks that validate commands, inject context, and enforce safety. 21 agents provide specialized personas. 38 skills offer on-demand reference material. System prompts and rules shape behavior.
 
 **Claude Code** — The AI assistant, executing tools and coordinating work. CodeForge enhances it through configuration — replacing built-in subagents, adding safety guardrails, and wiring up quality checks that run automatically.
 

docs/src/content/docs/customization/configuration.md

@@ -96,7 +96,10 @@ The `enabledPlugins` section controls which plugins are active:
     "codeforge-lsp@devs-marketplace": true,
     "git-workflow@devs-marketplace": true,
     "prompt-snippets@devs-marketplace": true,
-    "frontend-design@claude-plugins-official": true
+    "frontend-design@anthropics/claude-code": true,
+    "code-review@anthropics/claude-code": true,
+    "feature-dev@anthropics/claude-code": true,
+    "pr-review-toolkit@anthropics/claude-code": true
   }
 }
 ```

docs/src/content/docs/features/index.md

@@ -17,7 +17,7 @@ Out of the box, CodeForge gives you:
 - **38 domain knowledge packs** (skills) for frameworks, patterns, and workflows
 - **22 CLI tools** for session management, code quality, and development
 - **3 layers of code intelligence** — AST-based search, syntax parsing, and LSP semantic analysis
-- **14 plugins** that wire everything together with hooks, guards, and automation
+- **17 plugins** that wire everything together with hooks, guards, and automation
 
 All of these features work together. An agent can load skills for domain expertise, use CLI tools for code quality checks, and leverage code intelligence for precise navigation — all orchestrated automatically.
 

docs/src/content/docs/getting-started/first-session.md

@@ -36,7 +36,7 @@ If something isn't working as expected in a CodeForge session, try `ccraw` to se
 When your session starts, several systems activate behind the scenes. You don't need to configure any of this — it just works.
 
 - **System prompt** — gives Claude context about your project, coding standards, and how to communicate. Customizable via [System Prompts](../customization/system-prompts/).
-- **Plugin hooks** — 14 plugins fire automatically at key moments: blocking dangerous commands, guarding workspace scope, injecting git state, running code quality checks, and more. See the [Plugins Overview](../plugins/) for details on each one.
+- **Plugin hooks** — 17 plugins fire automatically at key moments: blocking dangerous commands, guarding workspace scope, injecting git state, running code quality checks, and more. See the [Plugins Overview](../plugins/) for details on each one.
 - **Session context** — Claude always knows your current branch, uncommitted changes, recent commits, and active TODOs without you having to explain it.
 
 ## What to Try First

docs/src/content/docs/getting-started/index.md

@@ -5,7 +5,7 @@ sidebar:
   order: 1
 ---
 
-CodeForge is a DevContainer configuration that transforms your development environment into an AI-powered workspace. It bundles 14 plugins, 22 tools, 21 specialized agents, and 38 skills into a single `npx codeforge-dev` install.
+CodeForge is a DevContainer configuration that transforms your development environment into an AI-powered workspace. It bundles 17 plugins, 22 tools, 21 specialized agents, and 38 skills into a single `npx codeforge-dev` install.
 
 ## What is CodeForge?
 

docs/src/content/docs/getting-started/installation.md

@@ -51,7 +51,7 @@ your-project/
 │   ├── devcontainer.json       # Container definition and feature list
 │   ├── .env                    # Setup flags
 │   ├── features/               # 22 custom DevContainer features
-│   ├── plugins/                # 14 plugins with hooks and scripts
+│   ├── plugins/                # 17 plugins with hooks and scripts
 │   └── scripts/                # Setup and verification scripts
 ├── .codeforge/
 │   ├── file-manifest.json      # Controls config file deployment
@@ -187,7 +187,7 @@ A few features ship with `"version": "none"` by default (shfmt, dprint, shellche
 
 ### Plugins
 
-All 14 plugins are installed and active by default. They're configured through `settings.json` and managed by the plugin system. See the [Plugins Overview](../plugins/) for details on each plugin and how to enable or disable them.
+All 17 plugins are installed and active by default. They're configured through `settings.json` and managed by the plugin system. See the [Plugins Overview](../plugins/) for details on each plugin and how to enable or disable them.
 
 ## Configuration
 

docs/src/content/docs/plugins/index.md

@@ -131,7 +131,10 @@ These plugins connect CodeForge to external tools and add quality-of-life featur
 | [Session Context](./session-context/) | Injects git state, harvests TODOs, and reminds about uncommitted work |
 | [Notify Hook](./notify-hook/) | Desktop notifications when tasks complete |
 | [CodeForge LSP](./codeforge-lsp/) | Language server protocol integration for Python, TypeScript, and Go |
-| [Frontend Design](./frontend-design/) | Frontend design patterns and UI component skills (external Anthropic plugin) |
+| [Frontend Design](./frontend-design/) | Frontend design patterns and UI component skills (Anthropic official) |
+| Code Review | Automated code review skill (Anthropic official) |
+| Feature Dev | Feature development guidance skill (Anthropic official) |
+| PR Review Toolkit | PR review commands and agents (Anthropic official) |
 
 ## Enabling and Disabling Plugins
 
@@ -151,7 +154,10 @@ Plugins are declared in `settings.json` under the `enabledPlugins` key. Every pl
     "codeforge-lsp",
     "ticket-workflow",
     "notify-hook",
-    "frontend-design"
+    "frontend-design",
+    "code-review",
+    "feature-dev",
+    "pr-review-toolkit"
   ]
 }
 ```