v4.1.0 — Self-evolution forge

Self-evolution layer

Two meta-skills that let the agent distill recurring patterns into reusable artifacts, with default-deny safety gating and a three-tier publish funnel.

The framework now grows from real usage, not just hand-curated content.

cultivating-skills

• Dispatcher: skill_forge init / lint / scan / improve / promote
• Default-deny safety gate (block / warn / info):
  • rm -rf /, curl | sh, eval(user_input), os.system(var)
  • prompt-injection anti-patterns (ignore previous, you are now, reveal system prompt)
  • hardcoded secrets, multi-entry scripts, dangling references
• Inline exemption: <!-- safety-scan: ignore RULE_ID --> for self-referential cases

cultivating-personas

• persona_forge validate / distill / publish
• Validates Tech Persona Card v1.0 schema + voice consistency + identity 三段 (角色锚定 / 性格特征 / 情绪模式)
• Reuses existing submit portal — no parallel infra
• Three red lines: legal (real names / IP), platform (politics / religion / ethnic), content (self-harm / hate / minor sexualization)

Three-tier publish funnel

Tier	Location	Gate
L0 local	~/.claude/skills/local/	block only; not routed
L1 project	<repo>/.claude/skills/	block + warn; team-shared
L2 community	upstream PR	all block + all warn enforced

Proactive protocol

Agent now watches for ≥3 repeats of the same prompt template, command chain, or scenario script — and proposes distillation before any write. Never silent landing.

Stats

• 22 → 24 skills
• 375 tests pass · 24 skill contracts verified · safety_scan self-test clean
• All 4 platforms × 3 OS CI matrices green

Migration

No breaking changes from v4.0.0. Bump is minor.

```bash
npx code-abyss -t claude -y # picks up the two new commands automatically
```

See CHANGELOG.md for full details.

v4.0.0 — Skill quality refactor + native security suite

Major release — full skill quality audit + native security suite. Removes Apache-2.0 coff0xc upstream dependency in favor of 4 original deep security skills (4073 lines).

Highlights

Metric	v3.1.1	v4.0.0
Skill count	22	22 (different composition)
Avg SKILL.md lines	~140	58
Max SKILL.md lines	485	90
Apache-2.0 deps	12 coff0xc files	0
Original security content	—	4073 lines

What changed

New native security skills (replacing coff0xc)

• defending-applications (785 lines) — Web/API/GraphQL hardening, OAuth/OIDC/JWT/Session, LLM AppSec (prompt injection, jailbreak, RAG poisoning, agent authz)
• securing-cloud-and-supply-chain (1246 lines) — container escape defense, K8s RBAC/PSS, NetworkPolicy, SLSA/Sigstore/SBOM, CI/CD hardening, cloud IAM, Vault, IaC security
• detecting-and-responding (942 lines) — Sigma/YARA rule writing, EDR primitives, SIEM tuning, NIST 800-61 IR, forensics artifacts (Win/Linux/Mac/Cloud), hypothesis-driven threat hunting, ATT&CK coverage, purple team
• architecting-security (1100 lines) — STRIDE/PASTA/LINDDUN threat modeling, zero-trust identity (WebAuthn, Kerberos hardening, PAM JIT), SOC2/PCI/HIPAA/GDPR/ISO 27001 evidence chains

Skill consolidation

• 4 designing-* → applying-ui-design-system
• building-ai-systems + coordinating-agents → building-agent-systems

Office skill slim (heavy content → references/)

• processing-docx: 199 → 61 lines
• processing-pdfs: 296 → 51 lines
• analyzing-spreadsheets: 290 → 44 lines
• creating-presentations: 485 → 74 lines

Verify skill rewrite (5 skills)

analyzing-security / checking-code-quality / analyzing-changes / verifying-modules / generating-docs — from CLI help text to judgment-type knowledge (when to use / output interpretation / context exemptions / cross-skill orchestration).

Migration

npx code-abyss --uninstall <target>      # 1. uninstall v3
npm install -g code-abyss@4               # 2. install v4
npx code-abyss -t <target> -y             # 3. install v4 skills
npm run migrate:v4 -- -t <target>         # 4. (optional) cleanup v3 leftovers

BREAKING CHANGES

Removed skill names — see migration above:

• designing-glassmorphism, designing-liquid-glass, designing-neubrutalism, designing-claymorphism → applying-ui-design-system
• building-ai-systems, coordinating-agents → building-agent-systems
• securing-systems/references/coff0xc-*.md (12 files) → 4 new dedicated skills
• NOTICE.coff0xc-security.md + THIRD_PARTY_LICENSES/Apache-2.0-coffee-skill.txt removed (no upstream dependency)

Verification

• ✅ 22 skill contracts pass
• ✅ 375 tests pass
• ✅ Real-environment migration test successful
• ✅ All 15 CI checks green on merge

Full changelog: CHANGELOG.md

v3.1.1 — Brand polish

v3.1.1 — Brand polish

仅文档 / site / 设计资产改动。从 v3.1.0 升级无需任何操作。

Changed

• 📖 README 品牌化重写：跟随 v3.1 site 设计语言——头图 banner.svg、节奏化结构、人格 2×3 卡片表格含 voice / register / tags / creator
• 🎨 GitHub Pages 编辑感重设计：单冷紫主色 + Noto Serif SC 衬线标题 + 左右分栏 hero + 浮动 persona 卡阵
• ✨ 新 logo：切口同心环 + 三道弧（三层架构隐喻）+ 中心 dark core
• 📦 新增 assets/banner.svg、assets/logo.svg、site/favicon.svg

Why a patch?

v3.1.0 已发布的 npm tarball 包含旧 README。npm 不更新已发布版本的元数据，所以发个 patch 让 npm 包页也展示新设计。

完整 changelog: https://github.com/telagod/code-abyss/blob/main/CHANGELOG.md

v3.1.0 — 共存 + 雨姐 + Codex 启动修复

v3.1.0 — 共存 + 雨姐 + Codex 启动修复

🩹 Critical Fix

• Codex 启动报错 (#26): model_instructions_file 指向 instruction.md 但 v3.0 安装器写的是 AGENTS.md，导致升级 v3.0 后 codex 启动直接 os error 2。本版统一写 ~/.codex/instruction.md。所有 codex 用户务必升级。

✨ Features

• 用户自定义 skills 共存 (#19): installCore() 改为目录展开 children 逐个安装。~/.claude/skills/my-custom/ 不再被冻结到备份目录，install/uninstall 全周期存活。Co-authored: @ranger1112
• 东北雨姐 persona (#25): community 提交。新 persona dongbei-yujie + 输出风格 dongbei-yujie-blunt。Creator: wons

🛠 Other

• CI smoke-codex 断言跟随产物对齐
• 6 personas × 6 styles 跨配 smoke 全通

Upgrade

npx code-abyss -t codex -y    # codex 用户必须重装
npx code-abyss -t claude -y   # claude 用户保留自定义 skills

完整 changelog: https://github.com/telagod/code-abyss/blob/main/CHANGELOG.md

v3.0.0 — Persona System Overhaul + Tech Persona Card Spec

v3.0.0 — Persona System Overhaul + Tech Persona Card Spec

Breaking Changes

• Skills flattened: all 22 skill paths changed from nested to flat (skills/processing-docx/). Requires --uninstall of v2.x before upgrading.
• Skill names gerund: all slugs renamed (verify-quality → checking-code-quality).
• Persona restructured: config/CLAUDE.md, config/AGENTS.md, config/instruction.md deleted. Three-layer composition replaces monoliths.
• .sage-* → .code-abyss-*: automatic migration on install.

Highlights

• Tech Persona Card v1.0 — first open standard for AI agent persona interchange (spec)
• Three-layer persona: identity + shared behavior + style, with {{self}}/{{user}} template variables
• 5×5 cross-combination: 25 persona×style combos validated, zero conflicts
• Three-way converter: Tech Persona Card ↔ Character Card V2 ↔ GPT Instructions
• Claude Code Plugin: claude plugin install code-abyss
• Unified assembly: all 4 targets use single renderRuntimeGuidance() — no more drift
• -791 LOC dead code: deleted 609-line AGENTS.md monolith + 2 other stale config files

Stats

• 375 tests across 35 suites
• 22 skills, 5 personas, 5 output styles
• Node 18/20/22 × Linux/macOS/Windows CI green

Upgrade from v2.x

npx code-abyss --uninstall claude   # Remove v2.x artifacts
npx code-abyss@3 --target claude -y # Install v3.0.0

v2.1.11

修复

• ccstatusline 状态栏截断修复：config/ccstatusline/settings.json flexMode 由 full-minus-40 改为 full，避免双行 token/cost 预设在常见终端宽度下因 ccstatusline 自身保守截断而在行尾追加 ...。
  • 根因：ccstatusline 2.2.18 的 flexMode 是 Zod 枚举字段，合法值只有 full | full-minus-40 | full-until-compact；任何非法值都会触发 ZodError 并把整个 ~/.config/ccstatusline/settings.json 重置为默认单行预设。
  • 影响：仅作用于 installCcstatusline 把 bundled preset 部署到 ~/.config/ccstatusline/settings.json 的路径；新装用户直接拿到修复，已装用户重跑 install 就会被覆盖。

变更

• 路由触发词去歧义：skills/domains/security/SKILL.md description 把 K8s / CI/CD 显式收敛为 K8s 安全 / CI/CD 安全，避免与 infrastructure / devops 等姊妹 domain 在 LLM 路由时碰撞；区块链、智能合约 收敛为 智能合约安全，与已存在的 区块链安全 不再冗余。
• 归属说明既成事实化：skills/domains/security/coff0xc-security-index.md 把上游 license 处理由"前置条件"改为"既成事实"陈述，并直接链接到仓库内的 NOTICE.coff0xc-security.md 与 THIRD_PARTY_LICENSES/Apache-2.0-coffee-skill.txt。

验证

• Jest: 23 suites / 223 tests passed（1 skipped）
• Skill contract gate: npm run verify:skills — 26 skills 通过
• npm pack dry-run: 272 files / 546.3 kB，NOTICE + LICENSE + ccstatusline preset 全部随包分发

安装

npx code-abyss@2.1.11 --target claude -y
npx code-abyss@2.1.11 --target codex -y
npx code-abyss@2.1.11 --target gemini -y
npx code-abyss@2.1.11 --target openclaw -y

Full changelog: v2.1.10...v2.1.11

v2.1.10

新增

• Coff0xc 防御安全扩展：在 skills/domains/security/ 下加入 12 篇授权防御参考文档 — AppSec、云/DevSecOps、检测响应、漏洞生命周期、身份零信任、授权评估、逆向/移动/IoT、区块链、合规架构、紫队、网络协议安全 + 总索引，并扩展 security domain 路由。感谢 @Coff0xc 的贡献。
• NOTICE.coff0xc-security.md 与 THIRD_PARTY_LICENSES/Apache-2.0-coffee-skill.txt：记录上游 coffee-skill 的 Apache-2.0 归属，完整许可证全文随仓库与 npm 包分发。
• package.json files 字段纳入 THIRD_PARTY_LICENSES/ 与 NOTICE.coff0xc-security.md，确保 npm 再分发时一并携带归因材料。

变更

• README 与 docs/README.zh-CN.md 的能力矩阵与许可证段同步标注 Coff0xc 安全扩展与 Apache-2.0 来源。

修复

• test/install-tui.test.js 改为 stdout marker 驱动等待，不再依赖绝对 delay；同时清理 ANTHROPIC_* env 让测试始终走"未认证"路径，解决 CI 上 jest 5s 默认超时导致的 flaky 失败。

安装

npx code-abyss@2.1.10 --target claude -y
npx code-abyss@2.1.10 --target codex -y
npx code-abyss@2.1.10 --target gemini -y
npx code-abyss@2.1.10 --target openclaw -y

Full changelog: v2.1.9...v2.1.10

v2.1.8

Added

• add openclaw as a first-class install target
• add bin/adapters/openclaw.js for OpenClaw CLI/config detection and workspace resolution
• add OpenClaw smoke coverage for default install, custom agents.defaults.workspace, and uninstall restore

Changed

• install shared skills into ~/.openclaw/skills/
• write OpenClaw runtime rules to workspace AGENTS.md
• write persona + output style to workspace SOUL.md
• update README / docs / CLAUDE / pack bootstrap snippets for OpenClaw install and uninstall flow
• extend built-in output styles to support openclaw

Fixed

• make pack bootstrap snippet generation fall back safely when older lock structures do not contain the new host yet

Verification

• npm test -- --runInBand
• npm run verify:skills
• smoke validated for OpenClaw install / custom workspace / uninstall restore

v2.1.7

[2.1.7] - 2026-04-29

Fixed

• 修正 GitHub Actions smoke workflow 断言，使 Claude / Gemini 安装验证与“core skills 默认不暴露 commands”的当前行为一致。
• CI 安全扫描改为在 workflow 中排除 skills/domains/office/，避免新并入的 Office 上游工具链脚本导致 core release 门禁误报。
• 将上述 CI 修复纳入正式发布，避免 v2.1.6 发布后仓库代码与 Actions 结果短暂失配。

Verification

• GitHub Actions: main CI 全绿（含 test matrix + Claude/Codex/Gemini smoke）
• Jest: 22 suites / 220 tests passed（1 skipped）
• Skill contract gate: npm run verify:skills — 26 skills 通过

v2.1.6

v2.1.6