<feed xmlns='http://www.w3.org/2005/Atom'>
<title>rulesets/.claude/commands/security-check.md, branch main</title>
<subtitle>Claude Code skills, rules, and language bundles
</subtitle>
<id>https://git.cjennings.net/rulesets/atom?h=main</id>
<link rel='self' href='https://git.cjennings.net/rulesets/atom?h=main'/>
<link rel='alternate' type='text/html' href='https://git.cjennings.net/rulesets/'/>
<updated>2026-05-22T19:38:16+00:00</updated>
<entry>
<title>docs(commands): update security-check to OWASP 2021 + scanner tooling</title>
<updated>2026-05-22T19:38:16+00:00</updated>
<author>
<name>Craig Jennings</name>
<email>c@cjennings.net</email>
</author>
<published>2026-05-22T19:38:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.cjennings.net/rulesets/commit/?id=9480b424cb5069ace4979a9efd49a983c5526481'/>
<id>urn:sha1:9480b424cb5069ace4979a9efd49a983c5526481</id>
<content type='text'>
Two audit fixes to the OWASP review. It now maps each finding to an OWASP Top 10 2021 category or a WSTG area, adding the four that were missing (Insecure Design, Software and Data Integrity Failures, Security Logging and Monitoring Failures, SSRF) with explicit checks for object and function-level authorization, SSRF URL fetches, update and dependency integrity, and logging gaps. A new optional-scanners step adds gitleaks/trufflehog, semgrep, OSV, and lockfile-diff review, with a network caveat: a scan that can't run reports "not run", never a silent pass.
</content>
</entry>
<entry>
<title>chore(commands): mark user-invoked commands disable-model-invocation</title>
<updated>2026-05-07T02:59:52+00:00</updated>
<author>
<name>Craig Jennings</name>
<email>c@cjennings.net</email>
</author>
<published>2026-05-07T02:59:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.cjennings.net/rulesets/commit/?id=5710b7865549b923467f5e4b1056e040273fc6aa'/>
<id>urn:sha1:5710b7865549b923467f5e4b1056e040273fc6aa</id>
<content type='text'>
Add disable-model-invocation: true to the user-triggered slash commands so the harness drops their descriptions from the model's preloaded skill listing while keeping /&lt;name&gt; routing intact. Skills meant for model recommendation (add-tests, debug, five-whys, frontend-design, humanizer, pairwise-tests, playwright-js, playwright-py, root-cause-trace) are unchanged.
</content>
</entry>
<entry>
<title>refactor(skills): convert 16 user-invoked skills to commands</title>
<updated>2026-05-06T11:17:08+00:00</updated>
<author>
<name>Craig Jennings</name>
<email>c@cjennings.net</email>
</author>
<published>2026-05-06T11:17:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.cjennings.net/rulesets/commit/?id=aa6924591127970d3241ab6b1a50f4bab457da27'/>
<id>urn:sha1:aa6924591127970d3241ab6b1a50f4bab457da27</id>
<content type='text'>
I converted 16 user-invoked skills to commands. Skills cost ~150-300 tokens each per session for descriptions the model uses to auto-route. Commands cost nothing until you type the slash. These 16 are workflows I always trigger deliberately. The auto-routing wasn't earning its keep. This reclaims ~4-5k tokens per session.

Nine skills stayed where auto-routing genuinely helps: debug, root-cause-trace, five-whys, add-tests, frontend-design, humanizer, playwright-js, playwright-py, and pairwise-tests. Pairwise-tests stays a skill because its helper files don't fit a single-file command shape.

For arch-decide, I preserved the upstream MIT LICENSE alongside the command at .claude/commands/arch-decide.LICENSE so attribution stays intact.
</content>
</entry>
</feed>
