feat(ai): expand security/design agent coverage, bump agency-agents and superpowers#727
Merged
Merged
Conversation
…nd superpowers Bumps agency-agents to 86a6695 (2026-07-15) and adds 15 security/design/engineering agents after a per-agent prompt-injection and adaptation audit (25 candidates reviewed via dedicated subagents). Caveat-worthy agents (live pentest/DAST, credential rotation, production drills, etc.) get audit-caveat comments mirroring the existing testing-api-tester precedent; security-senior-secops is rejected for hardcoding a fictional internal doc path. Bumps superpowers to d884ae0 (2026-07-02) after reviewing the diff for every changed skill: new subagent-driven-development scripts are well-guarded shell (strict mode, quoting, confined output paths), the brainstorming local server adds real auth hardening (session tokens, Origin checks, path-traversal guards), and remaining skill-doc changes are non-risky workflow refinements. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
agency-agentsto86a6695(2026-07-15, verified current upstream HEAD) and adds 25 curated security/design/engineering agents after a per-agent audit (dedicated subagent per candidate, checking prompt-injection risk and embedded author-specific assumptions).testing-api-testerprecedent.security-senior-secopsis rejected — its prompt is structurally built around a fictional internal doc (security/17-security-pattern.md, cited ~10+ times) rather than a scoped, fixable caveat.superpowerstod884ae0(2026-07-02, verified current) after diffing every changed skill. Highest-risk changes (three new shell scripts insubagent-driven-development/scripts/, the restructuredSKILL.md, and thebrainstorminglocal server) each got a dedicated subagent review: the new scripts useset -euo pipefailwith quoted variables and confined output paths, and the server diff is a real hardening pass (adds session auth tokens, WS Origin checks, path-traversal guards, safer PID handling) — no regressions found.Scope note
Coverage of the upstream
security/design/engineeringcategories is curated, not exhaustive: 9 of 12 security agents, 3 of 9 design agents, and 19 of 52 engineering agents got an explicit present/absent decision (the rest were triaged out on relevance — e.g. WordPress/Drupal/network-hardware/blockchain-specific agents — without a full audit, consistent with how this file already treats unreviewed candidates as silently omitted rather than explicitly rejected).Test plan
git ls-remotechezmoi diff/chezmoi applyrun locally — new agents render correctly across Claude Code, opencode, cursor-as-skills, and antigravity-as-skills targets; diff is clean post-applypresentagents were disturbed (full old-vs-new key diff)🤖 Generated with Claude Code