maxvision-skills contribution pipeline (deferred from v0.1.0)
This issue tracks the full A+C+N contribution pipeline scope deferred from
v0.1.0 to a follow-up release after CEO + Codex outside-voice reviews flagged
scope miscalibration.
Full pipeline plan archived at .maxvision/plans/2026-05-22-maxvision-skills-pipeline.md
(status: SUPERSEDED).
Spec preserved at .maxvision/specs/2026-05-22-maxvision-skills-pipeline-design.md.
CRITICAL fixes required before pipeline implementation lands
CD1 — TOS gate proper design
Plan injected gate only into Write|Edit PreToolUse hook. Bash flows bypass
it while unrelated edits get over-blocked. Redesign: separate accept-terms
gate that wraps /maxvision:* commands at the slash-command layer, not at
PreToolUse for arbitrary write operations.
CD2 — Wire sanitize_skill into PR builder
scripts/contribute_skill.py:open_pr_for_skill (planned Task 10) copied
skill files directly without invoking the sanitizer. Sanitization regex was
spec'd but never called. Wire it: every file copied through sanitize_text +
diff shown to user pre-commit.
CD4 — Cross-platform implementation
Plan is Bash-first end-to-end (#!/usr/bin/env bash, chmod +x, mktemp -d, /tmp/) while this repo already ships hooks/run-hook.cmd polyglot wrapper
for exactly this case. Sole-Windows-maintainer testing is required.
Use existing polyglot pattern.
C2 — synthesize-skill E2E smoke before wiring
Pipeline wires into skills/synthesize-skill/SKILL.md post-synthesis hook.
No E2E test of synthesize-skill in current repo. Verify it produces ~/.claude/skills/maxvision-<name>/ with valid sidecar BEFORE wiring.
C3 — gh CLI absence handling
TOS gate must detect gh missing and gracefully default to mode=disabled.
Plugin already requires gh for catalog ops — surface this as install
prerequisite in plugin docs.
WARNINGS (robustness, address during implementation)
WD1 — Anonymous mode honest about identifiability
Submission via GitHub issue is tied to authenticated account. Signatures can
identify. Replace "no PII" claim with "minimal identifiable surface".
WD2 — Sidecar schema alignment
PR builder expects use_case, fit_score, use_count, upstream_license_lines.
Current synthesis sidecar schema does not define these. Align both.
WD3 — Hook context merge tested
Existing SessionStart hook emits additionalContext. New TOS hook also emits.
Verify merge/precedence behavior; one must not clobber the other.
WD4 — Plugin path resolution version-independent
CLI hardcoded ~/.claude/plugins/cache/maxvision/maxvision/0.1.0/.... Patch
drift breaks propose-pr. Resolve via env var or glob.
WD6 — Telemetry anti-spam + dedupe
rate-limit: none + no dedupe against existing issues. Add: max 1 issue per
7 days OR min 10 entries batched; dedupe by signature hash against open issues.
WD7 — Legal model (DCO or CLA)
"By submitting PR you confirm" is not equivalent to DCO Signed-off-by: or
CLA. Add DCO bot (probot/dco) or CLA tool.
WD8 — Scope re-evaluation per release
This issue is already the outcome of WD8. Document the lesson:
"ship lean, iterate" as a release-policy note in CONTRIBUTING.md.
W1-W10 from CEO review (overlapping with above; see plan)
Fork race, gh API rate-limit, subprocess error wrapping, PR mid-flow recovery,
read-before-patch, missing tests, accept-terms idempotency, hook latency cache,
PR logging, restart-required note.
Acceptance criteria for v0.1.1 ship
All CRITICAL items checked
WARNINGS triaged (some may defer further)
E2E test pass on Windows + macOS + Linux
TERMS.md drafted + reviewed
maxvision-skills repo accepts first synthesized PR end-to-end
Context:
maxvision-skills v0.0.1 repo creation + Tier 2 source registration in
skill-sources.json).
CD3 — accept-terms command Windows-compatible
Heredoc snippet <<'PY' with "${CLAUDE_PLUGIN_ROOT}/scripts" inside Python
fails env-var expansion. First-run acceptance deadlocks. Replace inline
Python with proper script invocation (python3 .../accept_terms.py "$MODE").
C1 — Sanitization regex coverage gaps
Current spec covers /Users/, /home/, C:\Users\, env vars (*_KEY/_TOKEN/_SECRET),
*.internal/*.local/*.lan/*.corp/*.intranet. Missing: SSH private keys, JWT
tokens, BR CPF/CNPJ (LGPD!), AWS ARNs, internal IPs (10.x/172.16-31.x/192.168.x),
GraphQL endpoints. Expand patterns + document as "best-effort".
WD5 — E2E test coverage
Mock/unit only. Add E2E for: gh auth missing, network down, fork without
permissions, branch protection errors, retry/idempotency.
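Added example, not the project's own code: a best-effort sanitizer covering the categories listed in C1, with the pre-commit diff that CD2 asks for. Only the name sanitize_text comes from the issue; its signature, the placeholder format, every regex, and the preview_diff helper are assumptions, and the sample input is constructed.

```python
import difflib
import re

# (label, pattern) in priority order: multi-line and most specific first.
PATTERNS = [
    ("PRIVATE_KEY", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)),
    ("JWT", re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+")),
    ("AWS_ARN", re.compile(r"\barn:aws[\w-]*:[\w-]*:[\w-]*:\d{0,12}:[^\s\"']+")),
    ("GRAPHQL_URL", re.compile(r"https?://[^\s\"']+/graphql\b", re.I)),
    ("CNPJ", re.compile(r"\b\d{2}\.\d{3}\.\d{3}/\d{4}-\d{2}\b")),
    ("CPF", re.compile(r"\b\d{3}\.\d{3}\.\d{3}-\d{2}\b")),
    ("INTERNAL_IP", re.compile(
        r"\b(?:10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])|192\.168)\.\d{1,3}\.\d{1,3}\b")),
    ("INTERNAL_HOST", re.compile(r"\b[\w.-]+\.(?:internal|local|lan|corp|intranet)\b", re.I)),
    ("HOME_PATH", re.compile(r"(?:/Users/|/home/|[A-Za-z]:\\Users\\)[^/\\\s\"']+")),
]
# Keep the variable name and separator, drop only the value.
SECRET_ENV = re.compile(r"\b(\w*_(?:KEY|TOKEN|SECRET))(\s*[=:]\s*)\S+")

def sanitize_text(text):
    """Best-effort redaction. Returns (sanitized_text, hit counts per label)."""
    counts = {}
    rules = [(lb, p, f"<REDACTED:{lb}>") for lb, p in PATTERNS]
    rules.append(("SECRET_ENV", SECRET_ENV, r"\1\2<REDACTED:SECRET_ENV>"))
    for label, pattern, repl in rules:
        text, n = pattern.subn(repl, text)
        if n:
            counts[label] = n
    return text, counts

def preview_diff(path, original, sanitized):
    """Unified diff to show the user before anything is committed (CD2)."""
    return "".join(difflib.unified_diff(
        original.splitlines(keepends=True), sanitized.splitlines(keepends=True),
        fromfile=path, tofile=path + " (sanitized)"))

# Constructed sample input; every value below is made up for this example.
SAMPLE = (
    "Run from /home/alice/projects/demo\n"
    "export GITHUB_TOKEN=constructed-value\n"
    "POST https://api.example.corp/graphql with eyJhbGciOiJub25lIn0.eyJzdWIiOiJ4In0.c2ln\n"
    "role: arn:aws:iam::123456789012:role/deploy\n"
    "db at 10.1.2.3 (db01.internal), cache at 172.20.0.9, public 8.8.8.8\n"
    "CPF 123.456.789-09 / CNPJ 12.345.678/0001-95\n"
    "-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED\n-----END OPENSSH PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(preview_diff("SKILL.md", SAMPLE, sanitize_text(SAMPLE)[0]))
```

The per-label counts let the PR builder refuse to continue when a high-risk label such as PRIVATE_KEY fires, rather than relying on the redaction alone.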