v1.14.2

Fixed

CI: Release Workflow (v1.14.1)

• test.js — settings.json path updated from config/settings.json to config/defaults/settings.json to match config externalization refactor
• test.js — Test 5 (executable check) result now included in exit condition; previously a failure was logged but did not affect the exit code
• setup.js — file permissions changed from 644 to 755 (executable) to match shebang and bin declaration in package.json

CI: Publish DevContainer Features Workflow (v1.14.1)

• features/README.md — removed from features directory; devcontainers/action@v1 treated it as a feature subdirectory and failed looking for README.md/devcontainer-feature.json
• 11 devcontainer-feature.json files — removed "maintainer" field (not in the DevContainer Feature spec schema, causing strict validation failure): ast-grep, ccburn, ccms, ccstatusline, ccusage, chromaterm, claude-monitor, claude-session-dashboard, lsp-servers, mcp-qdrant, tree-sitter

CI: Publish DevContainer Features Workflow (v1.14.2)

• 6 devcontainer-feature.json files — removed "proposals" field that coexisted with "enum" on the same option (spec schema treats them as mutually exclusive via anyOf): ccburn, ccusage, claude-monitor, claude-session-dashboard, mcp-qdrant, tree-sitter

Docs

• Active sidebar item — increased background opacity from 0.08 to 0.14, added font-weight: 600 and color: var(--sl-color-accent-high) for readable contrast against inactive items

v1.14.1

Fixed

CI: Release Workflow

• test.js — settings.json path updated from config/settings.json to config/defaults/settings.json to match config externalization refactor
• test.js — Test 5 (executable check) result now included in exit condition; previously a failure was logged but did not affect the exit code
• setup.js — file permissions changed from 644 to 755 (executable) to match shebang and bin declaration in package.json

CI: Publish DevContainer Features Workflow

• features/README.md — removed from features directory; devcontainers/action@v1 treated it as a feature subdirectory and failed looking for README.md/devcontainer-feature.json
• 11 devcontainer-feature.json files — removed "maintainer" field (not in the DevContainer Feature spec schema, causing strict validation failure): ast-grep, ccburn, ccms, ccstatusline, ccusage, chromaterm, claude-monitor, claude-session-dashboard, lsp-servers, mcp-qdrant, tree-sitter

v1.14.0

Fixed (CodeRabbit review)

• chromaterm/install.sh — username auto-detection now resets to empty before candidate loop, so ${USERNAME:-root} fallback works correctly
• biome/install.sh — nvm.sh sourcing wrapped in set +u / set -u to prevent unbound variable abort under set -euo pipefail
• setup.js — ccstatusline-settings.json added to DEFAULT_PRESERVE so user customizations survive --force package updates
• docs agent-system.md — spec-writer moved from Full-Access to Read-Only agents table (matches its permissionMode: plan definition)
• guard-readonly-bash.py — docstring corrected from "Returns JSON on stdout" to "Outputs block reason to stderr"
• git-forensics/SKILL.md — misleading "Blame through renames" comment fixed to "Show patch history through renames"

Added

Nuclear Workspace Scope Enforcement

• Blacklist system — /workspaces/.devcontainer/ permanently blocked for ALL operations (read, write, bash). Checked before allowlist, scope check, and cwd bypass. Cannot be overridden, even from workspace root
• Bash enforcement — two-layer detection in guard-workspace-scope.py:
  • Layer 1: 20+ regex patterns extract write targets (>, tee, cp, mv, touch, mkdir, rm, ln, rsync, chmod, chown, dd, wget -O, curl -o, tar -C, unzip -d, gcc -o, sqlite3). System command exemption only when ALL targets resolve to system paths
  • Layer 2: regex scans entire command for any /workspaces/ path string — catches inline scripts, variable assignments, quoted paths. No exemptions, always runs
• CWD context injector (inject-workspace-cwd.py) — fires on SessionStart, UserPromptSubmit, PreToolUse, SubagentStart to reinforce working directory scope
• Fail-closed error handling — JSON parse errors, exceptions, and unknown tools now exit 2 (block) instead of exit 0 (allow)

Agent System Enhancements

• task-completed-check.py — quality gate hook (TaskCompleted) runs test suite before allowing task completion
• teammate-idle-check.py — quality gate hook (TeammateIdle) prevents teammates from going idle with incomplete tasks
• skills/debug/SKILL.md — structured log investigation skill replacing the old /debug slash command
• permissionMode declared on all 17 agent definitions (plan for read-only, default for write-capable)
• Agent-system README — full plugin documentation with hook lifecycle, agent table, quality gates

Skill Engine Enhancements

• 6 new skill matchers in skill-suggester.py: spec-check, spec-init, spec-new, spec-refine, spec-update, team
• Team skill expanded (v0.2.0) — quality gate hooks, plan approval workflow, keyboard shortcuts, use case examples, best practices, limitations
• Skill-engine README — full plugin documentation

New Features

• chromaterm — terminal output colorizer via ChromaTerm2 YAML rules
• kitty-terminfo — xterm-kitty terminfo for Kitty terminal compatibility

Documentation Site

• Astro/Starlight docs (docs/) — full documentation portal with getting-started guides, plugin reference (12 pages), feature docs, customization, and API reference
• GitHub Actions — deploy-docs.yml (docs deployment), publish-features.yml (GHCR feature publishing), release.yml (release workflow)
• Logos — CodeForgeLogo.png, CodeForgeLogoTr.png, github-avatar.png

Plugin Installation Documentation

• Remote install instructions added to all 11 plugin READMEs — "From GitHub" section with clone + enabledPlugins setup from https://github.com/AnExiledDev/CodeForge
• GHCR feature paths — features README updated with ghcr.io/anexileddev/codeforge/<feature-name>:<version> and devcontainer.json usage examples
• READMEs added to session-context, skill-engine, spec-workflow plugins
• Install sections added to workspace-scope-guard, codeforge-lsp, dangerous-command-blocker, protected-files-guard, notify-hook, ticket-workflow

Other

• Marketplace metadata — marketplace.json restructured with metadata object, pluginRoot, and keywords arrays for all plugins
• Port forwarding for Claude Dashboard (port 7847) in devcontainer.json
• ChromaTerm wrapper in setup-aliases.sh — cc/claude/ccw aliases pipe through ct when available
• package.json scripts — added prepublishOnly, docs:dev, docs:build, docs:preview

ccstatusline Config Externalization

• Widget config extracted from inline jq -n generation in install.sh into config/defaults/ccstatusline-settings.json — editable JSON file, single source of truth
• File-manifest deployment — two new entries deploy the config to ~/.config/ccstatusline/settings.json (if-changed) and /usr/local/share/ccstatusline/settings.template.json (always)
• ${HOME} variable expansion added to setup-config.sh — enables manifest entries targeting user home directory paths

Development Rules

• CLAUDE.md (project root) — added changelog and documentation update rules: all changes must have a changelog entry and update relevant docs

Changed

ccstatusline Feature

• install.sh simplified — removed ~90 lines of inline JSON config generation, validation, and template creation. Config deployment now handled by file-manifest system

Workspace Scope Guard

• Reads (Read, Glob, Grep) now hard-blocked outside scope — upgraded from warning (exit 0) to block (exit 2)
• Allowlist trimmed to /workspaces/.claude/ and /tmp/ only — removed /workspaces/.devcontainer/, /workspaces/.tmp/, /home/vscode/
• Hook timeout increased from 5s to 10s
• Matcher expanded to include Bash tool

Hook Output Schema Migration

• All hooks migrated to hookSpecificOutput wrapper with explicit hookEventName
• commit-reminder.py — upgraded from advisory to blocking (decision: block)
• spec-reminder.py — upgraded from advisory to blocking (decision: block)
• advisory-test-runner.py — test failures now block with decision: block; passes/timeouts use systemMessage
• ticket-linker.py — output wrapped in hookSpecificOutput
• git-state-injector.py, todo-harvester.py — output wrapped in hookSpecificOutput

Ticket Workflow

• Migrated from slash commands to skill-based approach — 4 slash commands and system-prompt.md replaced by skills directory

Skill Definitions

• All 21+ SKILL.md files rewritten with USE WHEN / DO NOT USE guidance, action-oriented descriptions, bumped to v0.2.0
• skill-suggester.py keyword maps overhauled with natural phrases and concrete identifiers
• Skill suggestion output changed to mandatory directive format
• SubagentStart hook removed — suggestions now fire on UserPromptSubmit only

Error Output

• block-dangerous.py — errors now written to stderr (was JSON on stdout)
• guard-protected.py, guard-protected-bash.py — errors now written to stderr

Features

• ccstatusline — compact 3-line layout (was 8-line), rawValue: true on token widgets
• claude-session-dashboard — default port 3000 → 7847, --host 0.0.0.0 for external access
• ccms — build cache moved from .devcontainer/.build-cache/ to ${TMPDIR:-/tmp}/ccms-build-cache

Configuration

• CLAUDE.md (devcontainer) — condensed from ~308 to ~90 lines, removed redundant sections
• spec-workflow.md rule — condensed, defers to system prompt <specification_management> section
• main-system-prompt.md — expanded Agent Teams guidance: file ownership, task sizing, quality gate hooks, plan approval
• Plugin plugin.json files — version field removed across all plugins

Fixed

• Stale references to deleted features (mcp-reasoner, splitrail, claude-code) removed from docs
• Documentation counts updated (features: 21, agents: 17, skills: 34)
• Version mismatch in README.md corrected
• Auto-formatter/auto-linter references consolidated to auto-code-quality throughout
• Code-directive plugin references updated to agent-system, skill-engine, spec-workflow
• Personal project paths removed from .gitignore and .npmignore
• setup.js stale feature references fixed (Reasoner MCP, Go → Rust)
• .secrets added to .npmignore for npm publish safety
• Duplicate "### Fixed" header in v1.5.3 changelog entry
• NVM sourcing added to biome install script
• Cleanup trap added to shellcheck install script

Removed

• auto-formatter plugin — deleted entirely (consolidated into auto-code-quality)
• auto-linter plugin — deleted entirely (consolidated into auto-code-quality)
• /debug slash command from agent-system (replaced by debug skill)
• 4 ticket-workflow slash commands (ticket:new, ticket:work, ticket:review-commit, ticket:create-pr) and system-prompt.md (replaced by skills)
• Optional features docs for mcp-reasoner and splitrail (features no longer exist)
• SubagentStart hook from skill-engine (suggestion now UserPromptSubmit only)

---

v1.12.0

What's Changed

Added

• Plugin README documentation — 9 new READMEs for all marketplace plugins
• guard-protected-bash.py — Bash hook blocking commands that write to protected files
• Devcontainer secrets — secrets block for GH_TOKEN, NPM_TOKEN, GH_USERNAME, GH_EMAIL
• Post-start hook system — extensible /usr/local/devcontainer-poststart.d/ runner
• Git worktree support — project detection, system prompt guidance, protected-files-guard coverage
• CLAUDECODE=null — allows nested Claude Code sessions (claude-in-claude)

Changed

• Feature version pinning — all features pinned to explicit versions (agent-browser 0.11.1, ast-grep 0.40.5, biome 2.4.2, ruff 0.15.1, pyright 1.1.408, node 1.6, rust 1.4, claude-code 1.1, etc.)
• Default shell: bash → zsh — VS Code terminal and tmux profiles
• Security hardening — dangerous-command-blocker adds 7 new patterns (Docker escape, bare force push, find -exec rm, git clean -f); both guard scripts fail closed on JSON parse errors
• ccms build cache — cached binary for faster container rebuilds
• setup.sh — Claude Code update runs in background; failure diagnostics; post-start hooks
• inotify-tools — moved to build-time install (tmux feature)
• Container memory — 4GB/8GB → 6GB/12GB recommendation
• Writing system prompt — new Emotional Architecture section

Removed

• mcp-reasoner — entire feature deleted
• splitrail — entire feature deleted

Full changelog: CHANGELOG.md

Install: npx codeforge-dev

v1.11.0

What's New

New Features

• ccms — Session history search CLI (Rust binary) for searching Claude Code JSONL transcripts with boolean queries, role filtering, time scoping, and project isolation
• ccw — Writing-mode alias with dedicated creative-writing system prompt
• workspace-scope-guard — Safety plugin that blocks writes and warns on reads outside the working directory
• /spec-build — Orchestrates full implementation lifecycle from an approved spec (plan → build → review → close)
• /spec-review — Standalone deep implementation review against a spec
• CWD status line widget — Shows current working directory in ccstatusline
• inject-cwd hook — Injects working directory context into every tool response
• Rust runtime added as a devcontainer feature

Bug Fixes

• setup-aliases.sh idempotency — Fixed aliases disappearing on container re-open. Replaced cleanup+guard pattern with block-marker delete-and-rewrite strategy

Spec Workflow Overhaul

• Domain-based organization — Specs now live in .specs/{domain}/{feature}.md instead of version directories
• ROADMAP → MILESTONES — Renamed throughout all skills and templates
• Acceptance criteria markers — Three-state tracking: [ ] (not started), [~] (implemented), [x] (verified)
• Expanded lifecycle — /spec-review inserted before /spec-update in post-implementation workflow

Other Changes

• LSP plugin gains declarative lspServers configuration (pyright, typescript, gopls)
• git-state-injector now injects working directory even outside git repos
• System prompt formatting cleanup (line unwrapping, no content changes)
• __pycache__ excluded from npm tarball and git tracking
• Skill count: 28 (was 26)

Full changelog: see CHANGELOG.md

Install: npx codeforge-dev@1.11.0