All notable changes to this project will be documented in this file.
This release focuses on scan accuracy, source-aware scoring, and safer interpretation of example and manifest-heavy repositories.
- Added first-class source confidence for `docs-example`, `plugin-manifest`, and `hook-code` findings alongside the existing `template-example` and `project-local-optional` output.
- Downgraded structural findings from docs/example config and rewrote report wording so risky shipped examples no longer read like confirmed active runtime exposure.
- Extended example classification beyond `docs/` and `commands/` to `examples/`, `example/`, `samples/`, and `sample/`.
- Re-added standalone docs/example `CLAUDE.md` files to scanning so real secrets in example guidance are not silently missed.
- Improved hook analysis for manifest-resolved non-shell implementations, including explicit context injection, transcript access, and remote shell payloads executed via child-process wrappers.
- Tightened hook-manifest handling so declarative config is distinguished from executable hook implementations.
- Expanded structured agent coverage to `.claude/subagents/*.json` and `.claude/slash-commands/*.json`.
- Refined report scoring so template, project-local, docs/example, and plugin-manifest findings no longer inflate grades the way active runtime exposure does.
Verified with:

- `npm run typecheck`
- `npm test`
- `npm run build`
- Live rescans of `everything-claude-code`, `PMX-backend`, and `basket-trader`
- The GitHub Action bundle under `dist/` must be committed before tagging a release.
- The release workflow verifies that the pushed tag matches `package.json`, reruns the full gate, rebuilds `dist/`, and refuses to publish if the generated action artifacts are out of sync.