Conversation
pproenca added a commit that referenced this pull request on Mar 19, 2026:

Analyzed every commit from Michael Bolin (666) and jif-oai (597). Found 24 recurring patterns not in our skills. Added the highest-impact ones:

rust-implement (270 -> 286 lines):
- Transformation 8: enum-as-disjoint-union (struct with options -> typed enum)
- Transformation 9: struct-for-long-parameter-lists (4+ params -> args struct)
- Thread-through plumbing (trace every intermediate layer)
- Drop/teardown precision (lock guards before .await, kill_on_drop)
- Defensive serialization (BEGIN IMMEDIATE for SQLite)
- Orphan event handling (events for dead entities)
- "Rewrite, don't rewire" principle

rust-write-tests (190 -> 247 lines):
- Test flake hunting protocol (Bolin's #1 pattern, 97+ refs)
- Intent-based assertions (semantic matching, not exact strings)
- Enhanced regression test naming (encode the guarded invariant)
- Stress-test repro commands (cargo nextest --stress-count 50)

rust-refactor (203 -> 240 lines):
- Two refactoring philosophies (Bolin defensive vs jif offensive)
- Diagnostic Q4: mutually exclusive optional fields -> enum
- Crate extraction with compile-time measurement
- Feature flag cleanup (full 8-step sequence)
- "Rewrite, don't rewire" principle
Motivation
scripts/update-versions.mjs where unsanitized skill directory names were interpolated into a shell command for git log, allowing command substitution from malicious directory names.

Description

execSync with execFileSync and invoke git with an explicit argv array (["log", "--oneline", "--reverse", "--format=%s", "--", rel]) so directory names are passed as literal arguments and cannot perform shell substitution.

metadata.json versions.

Testing

node scripts/update-versions.mjs --dry-run successfully and observed the expected version update summary without modifying files.

skills/.experimental/evil$(touch PWNED) with a metadata.json, ran the script in dry-run mode, and verified that PWNED was not created, confirming the injection was mitigated.

Codex Task