I4cTime · I4cTime · Apr 27, 2026 · Apr 25, 2026 · Apr 25, 2026 · Apr 25, 2026
@@ -12,7 +12,7 @@
       "name": "qring",
       "source": "cursor-plugin",
       "description": "Quantum keyring for AI agents — manage secrets, scan for leaks, rotate keys, and enforce policy directly from Cursor.",
-      "version": "0.10.1",
+      "version": "0.11.5",
       "keywords": [
         "secrets",
         "keyring",
@@ -22,7 +22,7 @@
         "dotenv",
         "credential-management"
       ],
-      "logo": "https://raw.githubusercontent.com/I4cTime/quantum_ring/main/web/public/assets/logo.png"
+      "logo": "https://raw.githubusercontent.com/I4cTime/quantum_ring/main/assets/logo.png"
     }
   ]
 }
@@ -33,6 +33,19 @@ package-lock.json
 !cursor-plugin/commands/*secret*.md
 !cursor-plugin/commands/*token*.md
 !.cursor/rules/secret-*.mdc
-
+!claude-code-plugin/.claude/skills/secret-*/
+!claude-code-plugin/.claude/skills/secret-*/**
+!claude-code-plugin/.claude/skills/exec-with-secrets/
+!claude-code-plugin/.claude/skills/exec-with-secrets/**
+!claude-code-plugin/.claude/agents/secret-*.md
+!claude-code-plugin/.claude/commands/*secret*.md
+!claude-code-plugin/.claude/commands/*token*.md
+!kiro-plugin/steering/qring-secret-*.md
+!kiro-plugin/steering/qring-*-secrets.md
+!kiro-plugin/steering/qring-exec-with-secrets.md
+marketing/
 # Local-only publishing checklist (not pushed to GitHub)
 docs/publishing-log.md
+
+# Local-only GTM / campaign drafts (see marketing/README.md)
+local/
@@ -4,6 +4,22 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+## [0.11.5] — 2026-04-27
+
+### Added
+- **Kiro Power pack** (`kiro-plugin/`) — steering files, hook templates, and `mcp.json` for [Kiro](https://kiro.dev); `pnpm run plugin:sync:kiro` copies into `~/.kiro` or a project `.kiro` path.
+- **Claude Code plugin** (`claude-code-plugin/`) — `CLAUDE.md`, project `.mcp.json`, agents, slash commands, skills, and hooks; `pnpm run plugin:sync:claude` for project install or `--user` for `~/.claude`.
+
+### Removed
+- **In-repo marketing site (`web/`)** — the embedded Next.js app was removed from this repository; public docs and marketing are served from **https://qring.i4c.studio**. Removed GitHub Actions workflows `deploy-pages.yml` and `nextjs.yml`, and the `web:extract-repo` script.
+
+### Changed
+- **`package.json` `homepage`** — now `https://qring.i4c.studio`.
+- **Cursor plugin / marketplace metadata** — logo URL points at repo-root `assets/logo.png` on GitHub raw (replacing deleted `web/public/` paths).
+- **README** — new “Editor plugins” section for Cursor, Kiro, and Claude Code, including sync commands and contributor notes.
+- **`.gitignore`** — ignore `marketing/` and `local/` for local-only drafts.
+- **MCP tool descriptions** — clearer operator guidance for `detect_anomalies`, `health_check`, `remove_hook`, `set_secret`, `delete_secret`, `entangle_secrets`, `disentangle_secrets`, and `agent_scan` (read-only versus mutating behavior and related tools).
+
 ## [0.11.0] — 2026-04-25
 
 ### Changed

@@ -811,21 +811,66 @@ Add to `~/.claude/claude_desktop_config.json`:
 }
 ```
 
-## Cursor Plugin
+## Editor Plugins
+
+The q-ring repo ships three first-party editor packs — each one adds rules/steering, agents, commands, skills, hooks, and the MCP connector to its host editor.
+
+| Plugin | Editor | Highlights |
+|--------|--------|-----------|
+| [`cursor-plugin/`](cursor-plugin/README.md) | [Cursor](https://cursor.com) | 3 rules, 5 skills, 2 agents, 8 slash commands, 3 hooks, MCP autoconnect |
+| [`kiro-plugin/`](kiro-plugin/README.md) | [Kiro](https://kiro.dev) | Official [Power](https://kiro.dev/docs/powers/create/) layout: `POWER.md`, root `mcp.json`, `steering/`, `hooks/`; or flatten with `plugin:sync:kiro` |
+| [`claude-code-plugin/`](claude-code-plugin/README.md) | [Claude Code](https://docs.claude.com/en/docs/claude-code/overview) | `CLAUDE.md` memory, project `.mcp.json`, 2 subagents, 8 slash commands, 5 skills, 3 hook scripts |
+
+### Cursor Plugin
 
 The **q-ring Cursor Plugin** brings quantum secret management directly into your IDE with rules, skills, agents, commands, hooks, and a built-in MCP connector.
 
 | Component | What it does |
 |-----------|-------------|
 | **3 Rules** | Always-on guidance: never hardcode secrets, use q-ring for all ops, warn about `.env` files |
-| **4 Skills** | Auto-triggered by context: secret management, scanning, rotation, project onboarding |
+| **5 Skills** | Auto-triggered by context: secret management, scanning, rotation, project onboarding, exec-with-secrets |
 | **2 Agents** | `security-auditor` (proactive monitoring) and `secret-ops` (day-to-day assistant) |
-| **5 Commands** | `/qring:scan-secrets`, `/qring:health-check`, `/qring:rotate-expired`, `/qring:setup-project`, `/qring:teleport-secrets` |
-| **2 Hooks** | `afterFileEdit` (lint scan), `sessionStart` (project context) |
+| **8 Commands** | `/qring:scan-secrets`, `/qring:health-check`, `/qring:rotate-expired`, `/qring:setup-project`, `/qring:teleport-secrets`, `/qring:dashboard`, `/qring:exec-safe`, `/qring:analyze` |
+| **3 Hooks** | `afterFileEdit` (lint scan), `sessionStart` (project context), `beforeShellExecution` (`.env` guard) |
 | **MCP Connector** | Auto-connects to `qring-mcp` via stdio — all 44 tools available |
 
 Install from the Cursor marketplace or see [`cursor-plugin/README.md`](cursor-plugin/README.md) for manual setup.
 
+### Kiro Plugin (Power)
+
+The [`kiro-plugin/`](kiro-plugin/) directory is a Kiro **Power** per [Create powers](https://kiro.dev/docs/powers/create/): `POWER.md` (metadata, onboarding, steering map), root [`mcp.json`](kiro-plugin/mcp.json) (MCP server must match the server name referenced in the power), and [`steering/`](kiro-plugin/steering/) for workflows. Install from Kiro → **Powers** → **Add power from Local Path** and select `kiro-plugin`, or publish the folder on GitHub and use **Add power from GitHub**.
+
+Always-on steering blocks hardcoded secrets and routes everything through q-ring; `manual` steering files act as agent personas (`#qring-secret-ops`, `#qring-security-auditor`), skill packs, and slash-style commands (`#qring-cmd-scan-secrets`, etc.). Optional hooks live in `hooks/` for copy into `.kiro/hooks/`.
+
+```bash
+# Alternative: flatten into ~/.kiro (settings + steering + hooks)
+pnpm run plugin:sync:kiro
+
+# Or scope to a single project
+pnpm run plugin:sync:kiro -- /path/to/your/project/.kiro
+```
+
+See [`kiro-plugin/README.md`](kiro-plugin/README.md) for the full breakdown.
+
+### Claude Code Plugin
+
+For [Claude Code](https://docs.claude.com/en/docs/claude-code/overview), q-ring ships a `CLAUDE.md` memory file, a project-scoped `.mcp.json`, two [subagents](https://docs.claude.com/en/docs/claude-code/sub-agents) (`secret-ops`, `security-auditor`), eight [slash commands](https://docs.claude.com/en/docs/claude-code/slash-commands) (`/qring-scan-secrets`, `/qring-health-check`, …), five [skills](https://docs.claude.com/en/docs/claude-code/skills), and three [hooks](https://docs.claude.com/en/docs/claude-code/hooks) (post-edit lint reminder, pre-Bash `.env` guard, session-start context primer).
+
+```bash
+# Install into the current project ($PWD)
+pnpm run plugin:sync:claude
+
+# Install agents/commands/skills/hooks at user scope (~/.claude)
+pnpm run plugin:sync:claude -- --user
+
+# Or target a specific project
+pnpm run plugin:sync:claude -- /path/to/your/project
+```
+
+Existing `CLAUDE.md`, `.mcp.json`, or `.claude/settings.json` files are never silently overwritten — the script writes a `<filename>.qring-template` next to them so you can merge by hand. Pass `--force` to overwrite.
+
+See [`claude-code-plugin/README.md`](claude-code-plugin/README.md) for the full breakdown.
+
 ## Architecture
 
 ```
@@ -900,7 +945,11 @@ Optional per-project configuration:
 - Run **`pnpm run lint`**, **`pnpm run typecheck`**, and **`pnpm run test:ci`** before opening a PR.
 - Tests or sandboxes can point the audit log elsewhere with **`QRING_AUDIT_DIR`** (directory is created if missing); default is `~/.config/q-ring/audit.jsonl`.
 - Optional local pre-commit: **`qring hook:install`** (uses this package’s `precommit` hook when `qring` is on your `PATH`).
-- After changing the Cursor plugin under **`cursor-plugin/`**, run **`pnpm run plugin:sync`** to copy it to `~/.cursor/plugins/local/my-plugin` (or pass a custom path). See also [docs/cli-mcp-parity.md](docs/cli-mcp-parity.md).
+- After changing one of the editor plugins:
+  - **Cursor:** `pnpm run plugin:sync` copies `cursor-plugin/` to `~/.cursor/plugins/local/my-plugin` (or pass a custom path).
+  - **Kiro:** `pnpm run plugin:sync:kiro` copies `kiro-plugin/mcp.json` → `~/.kiro/settings/mcp.json`, plus `steering/` and `hooks/` (or pass a project `.kiro` path). Prefer adding `kiro-plugin/` as a [Power](https://kiro.dev/docs/powers/create/) from the Powers panel instead.
+  - **Claude Code:** `pnpm run plugin:sync:claude` copies `claude-code-plugin/` into the current directory (or pass a project path; add `--user` to install at `~/.claude/`).
+- See also [docs/cli-mcp-parity.md](docs/cli-mcp-parity.md).
 
 ## 📜 License
 

@@ -4,8 +4,8 @@
 
 | Version | Supported |
 |---------|-----------|
-| 0.10.x   | Yes       |
-| < 0.10   | No        |
+| 0.11.x   | Yes       |
+| < 0.11   | No        |
 
 ## Reporting a Vulnerability
 

@@ -0,0 +1,51 @@
+---
+name: secret-ops
+description: Day-to-day secret operations assistant. Use proactively when the user wants to store, retrieve, generate, share, organize, or transfer secrets — API keys, tokens, credentials, .env values. Handles superposition (multi-environment), entanglement (linked rotation), tunnels (ephemeral), and teleport (encrypted bundles).
+tools: mcp__q-ring__get_secret, mcp__q-ring__set_secret, mcp__q-ring__delete_secret, mcp__q-ring__has_secret, mcp__q-ring__list_secrets, mcp__q-ring__inspect_secret, mcp__q-ring__generate_secret, mcp__q-ring__entangle_secrets, mcp__q-ring__disentangle_secrets, mcp__q-ring__tunnel_create, mcp__q-ring__tunnel_read, mcp__q-ring__tunnel_list, mcp__q-ring__tunnel_destroy, mcp__q-ring__teleport_pack, mcp__q-ring__teleport_unpack, mcp__q-ring__detect_environment, mcp__q-ring__get_project_context, mcp__q-ring__agent_remember, mcp__q-ring__agent_recall, mcp__q-ring__agent_forget, mcp__q-ring__import_dotenv, mcp__q-ring__export_secrets
+---
+
+# Secret Ops
+
+You are a hands-on secret operations assistant for q-ring. You help users manage their secrets through natural conversation.
+
+## Capabilities
+
+You have access to all q-ring MCP tools, with emphasis on:
+
+**Core CRUD**
+- `get_secret`, `set_secret`, `delete_secret`, `has_secret`, `list_secrets`
+- `inspect_secret` — view metadata without exposing values
+- `generate_secret` — create high-entropy secrets in any format (hex, base64, uuid, api-key, token, password)
+
+**Ephemeral sharing**
+- `tunnel_create` — create memory-only secrets with TTL and max-reads
+- `tunnel_read`, `tunnel_list`, `tunnel_destroy`
+
+**Cross-machine transfer**
+- `teleport_pack` — encrypt secrets into a portable bundle
+- `teleport_unpack` — decrypt and import a bundle
+
+**Organization**
+- `entangle_secrets` / `disentangle_secrets` — link secrets for coordinated rotation
+- `agent_remember` / `agent_recall` / `agent_forget` — persist decisions across sessions
+
+**Environment**
+- `detect_environment` — detect dev/staging/prod context
+- `get_project_context` — understand the project's secret landscape
+
+## Behavior
+
+1. **Be conversational.** Help users think through what they need. Ask clarifying questions about scope (global vs project), environment, and TTL.
+2. **Remember context.** Use `agent_remember` to store decisions like "this project uses OpenAI and Stripe" or "DB credentials rotate monthly". Use `agent_recall` to check past context before asking redundant questions.
+3. **Suggest best practices:**
+   - Generate secrets with `generate_secret` instead of letting users invent them
+   - Add descriptions and tags for organization
+   - Set TTL for credentials that expire
+   - Use tunnels for one-time sharing instead of pasting values
+   - Use teleport for moving secrets between machines
+4. **Be scope-aware.** When storing or retrieving secrets, consider whether the user needs global scope (shared across projects) or project scope (specific to the current workspace).
+5. **Explain what happened.** After operations, confirm what was done: "Stored API_KEY in global scope with tag 'openai' and 90-day TTL."
+
+## Tone
+
+Be helpful and efficient. Explain q-ring concepts (superposition, entanglement, tunneling) in plain terms when users encounter them for the first time.
@@ -0,0 +1,42 @@
+---
+name: security-auditor
+description: Proactive security monitoring agent for q-ring. Use proactively when the user mentions security audit, anomaly detection, audit log integrity, governance policy, or wants a periodic check on the project's secret posture. Verifies the tamper-evident audit chain, surfaces stale or expired credentials, scans for hardcoded leaks, and reports policy violations.
+tools: mcp__q-ring__health_check, mcp__q-ring__audit_log, mcp__q-ring__verify_audit_chain, mcp__q-ring__detect_anomalies, mcp__q-ring__scan_codebase_for_secrets, mcp__q-ring__check_policy, mcp__q-ring__get_policy_summary, mcp__q-ring__export_audit, mcp__q-ring__list_secrets, mcp__q-ring__inspect_secret, mcp__q-ring__get_project_context, mcp__q-ring__analyze_secrets
+---
+
+# Security Auditor
+
+You are a security-focused agent for q-ring. Your job is to proactively monitor the health and integrity of the project's secret management.
+
+## Capabilities
+
+You have access to these q-ring MCP tools:
+
+- `health_check` — assess decay, staleness, and anomalies across all secrets
+- `audit_log` — query the tamper-evident audit trail (filter by key, action, source, time)
+- `verify_audit_chain` — verify the SHA-256 hash chain has not been tampered with
+- `detect_anomalies` — flag burst reads, unusual-hour access, new sources, and tampering
+- `scan_codebase_for_secrets` — scan the project for hardcoded credentials
+- `check_policy` — verify an action is allowed by governance policy
+- `get_policy_summary` — show the full policy configuration
+- `export_audit` — export audit events as JSONL, JSON, or CSV
+
+## Behavior
+
+1. **Start with a health check.** Call `health_check` to get the overall status. Report expired, stale, and healthy counts.
+2. **Verify audit integrity.** Call `verify_audit_chain` to confirm the hash chain is intact. If broken, report the break point and affected event.
+3. **Detect anomalies.** Call `detect_anomalies` to find suspicious patterns:
+   - **Burst reads** — many reads of the same key in a short window
+   - **Unusual-hour access** — reads outside normal working hours
+   - **New source** — access from a previously unseen source
+   - **Tampering** — audit entries with invalid hashes
+4. **Scan for leaks.** Call `scan_codebase_for_secrets` on the project directory and report any hardcoded credentials found.
+5. **Check governance.** If a `.q-ring.json` policy exists, call `get_policy_summary` and verify that denied tools, keys, and tags are properly configured.
+6. **Generate a report.** Summarize findings with counts and severity levels:
+   - **Critical:** tampered audit chain, hardcoded secrets, expired credentials
+   - **Warning:** stale secrets, anomalous access patterns
+   - **Info:** healthy secret counts, policy status
+
+## Tone
+
+Be direct and factual. Present findings as a structured report. Recommend specific remediation actions for each issue found.
@@ -0,0 +1,13 @@
+---
+description: Run q-ring usage / optimization analysis — heavy keys, unused entries, decay risks.
+allowed-tools: mcp__q-ring__analyze_secrets, mcp__q-ring__list_secrets
+---
+
+# /qring-analyze
+
+Run q-ring's secret usage and optimization analysis. Use when the user asks how secrets are used, which keys are stale, or for cleanup suggestions.
+
+## Workflow
+
+1. Call MCP tool `analyze_secrets` with the relevant `projectPath` / scope options.
+2. Summarize the JSON output: heavy keys, unused entries, decay risks, scope-optimization hints, and concrete next steps the user can take (e.g. delete unused keys, set TTL on keys without decay tracking, rotate stale credentials).