fixed some install inconsistencies

2026-02-13 10:08:55 -08:00
parent 1ce85f55fc
commit 7eb90c4d89
5 changed files with 248 additions and 3 deletions

@@ -1,5 +1,5 @@
{
"name": "ai-dotfiles",
"name": "cc-plugins",
"owner": {
"name": "jchenry"
},
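Review bot: The new marketplace `name`, `cc-plugins`, matches neither the old `ai-dotfiles` nor the `claude-plugins` repository this commit points to, so the project now goes by three names. If the marketplace name is what users reference when installing, the rename breaks those references; either align it with the repository name or state the rename explicitly in the commit message.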
@@ -7,7 +7,7 @@
"description": "A curated collection of Claude Code plugins — skills, hooks, and MCP configs",
"version": "0.1.0",
"pluginRoot": "./plugins",
"repository": "https://git.sdf.org/jchenry/ai-dotfiles"
"repository": "https://git.sdf.org/jchenry/claude-plugins"
},
"plugins": [
{
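Review bot: `version` stays at `0.1.0` in the context lines even though the marketplace name and the `repository` URL both change in this commit; bump it so consumers can tell the two manifests apart. The `description` here also lists "skills, hooks, and MCP configs", while the new CLAUDE.md says "skills, agents, hooks, and MCP configs"; pick one wording.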

86
CLAUDE.md Normal file

@@ -0,0 +1,86 @@
# claude-plugins
A curated marketplace of Claude Code plugins — skills, agents, hooks, and MCP configs.
when working in this repository on information on how skills and marketplaces should be created edited can be referenced in the following urls:
* https://code.claude.com/docs/en/plugin-marketplaces.md
* https://platform.claude.com/docs/en/agents-and-tools/agent-skills/overview.md
When in doubt about yourself refer to the claude documentation
* https://code.claude.com/docs/en/claude_code_docs_map.md
## Repository structure
```
.claude-plugin/
marketplace.json # Marketplace manifest listing all available plugins
plugins/
go/ # Go development plugin
.claude-plugin/
plugin.json # Plugin manifest
.lsp.json # gopls LSP server config
agents/
go-dev.md # Senior Go developer agent
skills/
go-idioms/ # Idiomatic Go style (Effective Go, Code Review Comments, proverbs, spec)
go-review/ # Code review checklist
go-test/ # Table-driven tests, subtests, no assertion libs
go-bench/ # Benchmarking patterns (ResetTimer, ReportAllocs, sink var)
go-errors/ # Error wrapping (fmt.Errorf %w), sentinel errors
go-concurrency/ # Goroutine patterns, channels, race detector
go-secure/ # Security audits, gosec
```
## Marketplace (`marketplace.json`)
- **name**: `cc-plugins`
- **owner**: jchenry
- **pluginRoot**: `./plugins`
- **repository**: `https://git.sdf.org/jchenry/claude-plugins`
### Listed plugins
| Name | Source | Description |
|------|--------|-------------|
| `go` | `./plugins/go` | Go dev skills + gopls LSP |
| `gopls-lsp` | `github:anthropics/claude-plugins-official` | Official gopls LSP plugin |
## Go plugin (`plugins/go`)
### `plugin.json` fields
Per official docs, documented fields are `name`, `description`, `version`, `author`, `license`, `homepage`, `repository`, `keywords`. All plugin directories (`skills/`, `agents/`, `hooks/`, `.lsp.json`, `.mcp.json`) are **auto-discovered by convention** — no explicit declaration needed.
```json
{
"name": "go",
"version": "0.1.0",
"description": "...",
"author": { "name": "jchenry" },
"license": "MIT",
"keywords": [...]
}
```
> **Note**: `agents` confirmed invalid (removed). `skills` and `lspServers` are undocumented — may cause future validation errors. The `skills/` and `agents/` directories and `.lsp.json` are auto-discovered.
### Agent: `go-dev`
- **Model**: opus
- **Tools**: Read, Write, Edit, Glob, Grep, Bash
- **Skills loaded**: go-idioms, go-review, go-test, go-bench, go-errors, go-concurrency, go-secure
- Senior Go engineer persona; enforces idiomatic Go, gofmt, error handling, race detection
### LSP: `gopls`
Configured via `.lsp.json` at plugin root (auto-discovered):
- `nilness`, `shadow`, `unusedparams`, `unusedwrite` analyses enabled
- `staticcheck: true`
- `semanticTokens: true`
- Extensions: `.go → go`
## Known issues
- `agents` field in `plugin.json` is not a valid schema field — confirmed causes "agents: Invalid input"; removed
- `agents/` directory is auto-discovered per docs
- `skills` and `lspServers` fields in `plugin.json` are undocumented; may cause validation issues
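Review bot: The "Listed plugins" table offers `gopls-lsp` from `github:anthropics/claude-plugins-official` next to the `go` plugin, which already ships its own gopls configuration in `.lsp.json`; say whether the two are meant to be installed together or which one should be used, otherwise readers end up with two gopls setups. The opening instruction ("on information on how skills and marketplaces should be created edited can be referenced in the following urls") and "When in doubt about yourself" are hard to parse and should be reworded, since this file is addressed to the agent working in the repository. The "Known issues" list also repeats the note under the `plugin.json` example almost word for word; keep one of them.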

@@ -8,6 +8,5 @@
"license": "MIT",
"keywords": ["go", "golang", "testing", "code-review", "idioms"],
"skills": ["./skills/"],
"agents": "./agents/",
"lspServers": "./.lsp.json"
}
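Review bot: With `agents` gone, the manifest still keeps `"skills": ["./skills/"]` and `"lspServers": "./.lsp.json"`, the two fields that CLAUDE.md in this same commit calls undocumented and liable to cause validation errors while also stating that `skills/` and `.lsp.json` are auto-discovered. If auto-discovery holds, remove both here as well so the manifest matches the example in CLAUDE.md; if they are needed, record the reason there instead of listing them as a known issue.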

@@ -10,6 +10,7 @@ skills:
- go-bench
- go-errors
- go-concurrency
- go-secure
---
You are a senior Go engineer with deep expertise in idiomatic Go. You write production-quality Go code and hold yourself and your work to the same standards as the Go standard library.
@@ -24,6 +25,7 @@ Apply the relevant skills for each task:
- **Benchmarking or profiling** — use `go-bench` patterns: `b.ResetTimer()`, `b.ReportAllocs()`, sink variable, sub-benchmarks by input size.
- **Error handling** — apply `go-errors` patterns everywhere. Wrap with `fmt.Errorf("...: %w", err)`, define sentinel errors at package level, never swallow errors.
- **Concurrency** — use `go-concurrency` as your mental model. Goroutines always have an exit path; prefer channels over shared memory; always run `go test -race ./...`.
- **Security audits or any code touching user input, auth, crypto, networking, files, or subprocesses** — apply `go-secure`. Run `gosec ./...` and work through its findings.
## Principles you hold firmly
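Review bot: The new bullet tells the agent to run `gosec ./...`, but nothing in this commit installs gosec or says what to do when the binary is missing, so the step fails on a machine that only has the Go toolchain. Add the install prerequisite to the plugin documentation, or instruct the agent to fall back to the manual checklist in `go-secure` and report that gosec was not run. The trigger ("any code touching user input, auth, crypto, networking, files, or subprocesses") covers most Go code; consider narrowing it so the skill is not applied to every task.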

@@ -0,0 +1,158 @@
---
name: go-secure
description: "Audit Go code for security vulnerabilities using gosec rules and Go security best practices. Use automatically when asked to audit, harden, or review Go code for security, or when writing code that handles user input, authentication, cryptography, network connections, file I/O, or subprocess execution."
---
Audit the Go code in context for security vulnerabilities. Apply gosec rules and Go-specific security best practices below.
## gosec
Run static analysis with:
```sh
gosec ./...
# or target a specific rule set:
gosec -include=G101,G201,G301 ./...
```
### Key gosec rules to check
| Rule | Category | What it catches |
|------|----------|-----------------|
| G101 | Secrets | Hardcoded credentials (passwords, tokens, keys in source) |
| G102 | Network | Binding to all interfaces (`0.0.0.0`) — confirm intentional |
| G103 | Safety | `unsafe` package use |
| G104 | Errors | Unhandled errors (also caught by `go-errors`) |
| G106 | SSH | `ssh.InsecureIgnoreHostKey()` |
| G107 | SSRF | URL construction from user input passed to `http.Get` etc. |
| G108 | Info disclosure | `/debug/pprof` endpoint exposed in production |
| G110 | DoS | Decompression bomb — unbounded `io.Copy` from zip/gzip |
| G111 | Path traversal | `http.Dir` or file open with unsanitized user path |
| G112 | Slowloris | `ReadHeaderTimeout` not set on `http.Server` |
| G114 | Deprecated TLS | Use of `http.ListenAndServe` (no TLS) for non-internal endpoints |
| G201/G202 | SQLi | String formatting or concatenation in SQL queries |
| G203 | XSS | `template/html` unescaped dynamic content |
| G204 | Cmd injection | `exec.Command` with unsanitized user input |
| G301G307 | File perms | Overly permissive file/directory creation modes |
| G401G405 | Weak crypto | MD5, SHA1, DES, RC4 — use SHA-256+ or AES-GCM |
| G501G502 | Weak hash | `crypto/md5`, `crypto/sha1` imports |
| G601 | Memory | Implicit memory aliasing of loop variable (Go < 1.22) |
---
## Injection
**SQL — always use parameterized queries:**
```go
// Bad
db.Query("SELECT * FROM users WHERE id = " + userID)
// Good
db.QueryContext(ctx, "SELECT * FROM users WHERE id = $1", userID)
```
**Command execution — avoid shell interpretation:**
```go
// Bad — shell expands $userInput
exec.Command("sh", "-c", "grep " + userInput)
// Good — args passed directly, no shell involved
exec.CommandContext(ctx, "grep", "--", userInput)
```
**Path traversal — clean and jail paths:**
```go
// Bad
path := filepath.Join(baseDir, userInput)
// Good
clean := filepath.Clean(filepath.Join(baseDir, userInput))
if !strings.HasPrefix(clean, baseDir) {
return errors.New("path traversal detected")
}
```
---
## Cryptography
Use only strong, modern primitives:
| Use case | Recommended | Avoid |
|----------|-------------|-------|
| Symmetric encryption | AES-GCM (`crypto/cipher`) | DES, 3DES, RC4, AES-CBC without MAC |
| Hashing (integrity) | SHA-256 / SHA-3 (`crypto/sha256`) | MD5, SHA-1 |
| Password storage | `golang.org/x/crypto/bcrypt` or `argon2id` | Plain hash, SHA-* |
| Random values | `crypto/rand` | `math/rand` |
| Key exchange / signatures | ECDSA / Ed25519 | RSA < 2048 |
```go
// Secure random token
buf := make([]byte, 32)
if _, err := rand.Read(buf); err != nil {
return fmt.Errorf("generate token: %w", err)
}
token := hex.EncodeToString(buf)
```
---
## TLS
```go
// Minimum secure server config
srv := &http.Server{
Addr: ":443",
ReadHeaderTimeout: 10 * time.Second,
ReadTimeout: 30 * time.Second,
WriteTimeout: 30 * time.Second,
IdleTimeout: 120 * time.Second,
TLSConfig: &tls.Config{
MinVersion: tls.VersionTLS12,
PreferServerCipherSuites: true,
CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
},
}
```
Never set `InsecureSkipVerify: true` in production clients.
---
## Input validation
- Validate at system boundaries (HTTP handlers, gRPC methods, CLI args) — not deep in business logic
- Use `strconv` over `fmt.Sscanf` for numeric parsing
- Limit `io.Reader` consumption: `io.LimitReader(r, maxBytes)`
- Reject inputs that fail validation with 400 — don't silently truncate or coerce
---
## Secrets
- Never hardcode secrets; read from environment or a secrets manager
- Avoid logging request bodies, headers with `Authorization`, or struct fields containing keys/tokens
- Zero sensitive buffers when done:
```go
defer func() { clear(password) }() // Go 1.21+
```
- Use `expvar` or structured logging carefully — ensure no secret fields are exported
---
## Goroutines and shared state
- Race conditions can become security issues (TOCTOU); run `go test -race ./...`
- Avoid storing mutable auth/session state in package-level variables
---
## Output format
For each finding:
1. gosec rule ID (if applicable)
2. Severity: **Critical** / **High** / **Medium** / **Low**
3. The vulnerable code snippet
4. The fixed version
5. One-line explanation
End with a prioritized remediation list.
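Review bot: The "Good" path traversal example is still bypassable: `strings.HasPrefix(clean, baseDir)` accepts a sibling directory that shares the prefix (a `baseDir` of `/srv/data` also matches `/srv/data-old/x`), and it does not account for symlinks. Compare with a trailing separator, or use `filepath.Rel(baseDir, clean)` and reject results that start with `..`, or validate the input with `filepath.IsLocal` before joining. Several rows of the rule table also need correcting: G114 flags `net/http` serve functions that cannot set timeouts, not "Deprecated TLS"; the package in the G203 row is `html/template`, not `template/html`; `crypto/sha1` is import rule G505, so the `G501G502` row does not cover it; and the ranges `G301G307`, `G401G405` and `G501G502` are missing their separator. In the TLS block, `PreferServerCipherSuites: true` is deprecated and ignored by current Go releases, so drop it from a config presented as the minimum secure baseline.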