feat(plugin): add extract/write domain skills and refactor report template #181

Merged
onlycastle merged 11 commits into main from
feat/plugin-extract-write-skills-20260322
Mar 22, 2026

@onlycastle
Owner

Summary

  • Add 12 new domain skills (6 extract + 6 write) for ai-collaboration, ai-control, burnout-risk, context-engineering, skill-resilience, and tool-mastery
  • Refactor report template to extract 6 shared helpers, eliminating duplication between report generators and removing fragile regex-based CSS extraction
  • Extend stage output schemas and unify stage name enum as single source of truth

Changes

  1. feat(plugin): add new stage output schemas and unify stage name enum
  2. feat(plugin): add shared skill research insights
  3. feat(plugin): add six extract domain skills
  4. feat(plugin): add six write domain skills
  5. refactor(plugin): update analysis skills for extract/write pipeline
  6. refactor(plugin): extract shared helpers from report template
  7. fix(plugin): update scanner source for new skill paths
  8. chore(plugin): rebuild dist artifacts
  9. docs: update README uninstall guide and add report screenshots

Test Plan

  • Code compiles without errors
  • Existing tests pass
  • New extract/write skills produce valid stage outputs
  • Report HTML generation produces identical output
  • Manual verification of report screenshots

Generated with Claude Code using /ship-it

onlycastle and others added 9 commits March 22, 2026 14:06

Extend stage-outputs schema with six new extract/write domain schemas
(ai-collaboration, ai-control, burnout-risk, context-engineering,
skill-resilience, tool-mastery). Consolidate stage name enum usage in
save-stage-output MCP tool to use shared STAGE_NAMES as single source
of truth.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add shared research-insights.md with cross-domain research findings
used by extract and write skills for consistent analysis guidance.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add extraction skills for ai-collaboration, ai-control, burnout-risk,
context-engineering, skill-resilience, and tool-mastery. These skills
extract raw metrics and evidence from session data for downstream
analysis and report generation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add write skills for ai-collaboration, ai-control, burnout-risk,
context-engineering, skill-resilience, and tool-mastery. These skills
transform extracted domain data into structured report sections with
narrative insights and actionable recommendations.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Update five analyze-* skills and bp-analyze orchestrator to integrate
with the new extract/write skill pipeline. Analysis skills now
coordinate with extract skills for data gathering and write skills
for report section generation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Extract generateBaseCss, renderNavDotsHtml, renderIdentitySection,
renderMetricsBar, renderScrollSpyScript, and buildRadarScores into
reusable functions. Eliminates duplication between generateReportHtml
and generateCanonicalReportHtml, replacing the fragile regex-based
CSS extraction pattern.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add scanner recognition for the new extract/write skill directories
to ensure proper session scanning coverage.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Rebuild dist bundles reflecting updated MCP server, hooks, and
report template changes. Old chunk-2RN5XMRL replaced by chunk-V7ACYTOR.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Expand README uninstall section with full cleanup checklist for
plugin registry entries. Add 13 report screenshot assets showing
hero, heatmap, personality radar, diagnosis, strengths, and mobile
views.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@onlycastle
Owner Author

Code Review

Found 4 issues (scored ≥ 80/100):


1. content stage will permanently block report generation (Score: 90)

content is listed in REQUIRED_STAGE_NAMES (stage-db.ts line 28) but is absent from STAGE_NAMES and STAGE_SCHEMAS in the shared schema package. This means:

  • getStageGateIssues() will permanently report content as missing
  • save_stage_output validates against z.enum(STAGE_NAMES) and would reject any attempt to save a content stage
  • The stage can never be satisfied, blocking pipeline completion

content appears to be a domain-level result (stored via save_domain_results), not a stage output — it may need to be removed from REQUIRED_STAGE_NAMES or added to STAGE_NAMES.


2. Script injection via JSON.stringify in <script> tag (Score: 80)

JSON.stringify(sessionDataByDate) is injected directly into a <script> block. JSON.stringify does not escape </script>, so a project name or session summary containing that string would terminate the script tag and allow arbitrary HTML injection.

Fix: Use JSON.stringify(...).replace(/</g, '\\u003c') to escape angle brackets.

https://github.com/onlycastle/BetterPrompt/blob/357f2ab3fdcfd4d0703a1c4b38b766ab69ad4360/packages/plugin/lib/report-template.ts


3. XSS via unescaped innerHTML in heatmap detail panel (Score: 80)

In showHeatmapDetail(), project names and session summaries are concatenated directly into HTML strings assigned to panel.innerHTML without escaping. A project name containing <img src=x onerror=alert(1)> would execute.

https://github.com/onlycastle/BetterPrompt/blob/357f2ab3fdcfd4d0703a1c4b38b766ab69ad4360/packages/plugin/lib/report-template.ts


4. REQUIRED_STAGE_NAMES diverges from STAGE_NAMES — contradicts unification intent (Score: 85)

The PR's commit message states the goal as "unify stage name enum as single source of truth" and achieves this for save-stage-output.ts. However, stage-db.ts maintains its own REQUIRED_STAGE_NAMES list that is structurally out of sync with the shared STAGE_NAMES. The two lists contain different entries, meaning the "single source of truth" goal is only partially achieved.

export const REQUIRED_STAGE_NAMES = [
  'sessionSummaries',
  'extractAiCollaboration',
  'extractContextEngineering',
  'extractToolMastery',
  'extractBurnoutRisk',
  'extractAiControl',
  'extractSkillResilience',
  'thinkingQuality',
  'contextEfficiency',
  'communicationPatterns',
  'learningBehavior',
  'sessionOutcome',
  'content',
  'projectSummaries',
  'weeklyInsights',
  'typeClassification',
  'evidenceVerification',
  'contentWriter',
] as const;


Generated with Claude Code

If useful, react with a thumbs-up. Otherwise, thumbs-down.

Add escHtml() helper to sanitize project names and session summaries
before innerHTML injection. Escape angle brackets in JSON.stringify
output embedded in <script> tags. Update stage-outputs module comment
to reflect that dimension extractors now exist in the plugin.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@onlycastle
Owner Author

Code Review Update

Issues 1 and 4 are false positives — upon deeper investigation, REQUIRED_STAGE_NAMES and STAGE_NAMES are intentionally separate lists serving different purposes:

  • STAGE_NAMES validates inputs to save_stage_output (pipeline stages with schemas)
  • REQUIRED_STAGE_NAMES gates report generation (includes domain stages saved via save_domain_results)

Both save_stage_output and save_domain_results call recordStageStatus(), so domain stages like content, thinkingQuality, etc. correctly appear in REQUIRED_STAGE_NAMES but not in STAGE_NAMES. The gate check works because status tracking is shared across both save paths.

Issues 2 and 3 (XSS) are fixed in commit 8204495:

  • Added escHtml() helper using DOM text node escaping for project names and session summaries in innerHTML
  • Added .replace(/</g, '\\u003c') to JSON.stringify output in <script> tag
  • Updated stale module comment in stage-outputs.ts

Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
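
The two XSS findings from the review (issues 2 and 3) and their fixes, as an added example that is not code from this PR. The sample data and the function names (`embedUnsafe`, `embedSafe`, `scriptCloseCount`, `roundTrip`, `escapeHtml`) are constructed for illustration; `escapeHtml` is a string-based stand-in for the PR's DOM-based `escHtml()`.

```javascript
// Added example: sample data and function names are constructed, not from the PR.
const sessionDataByDate = {
  '2026-03-22': [
    { project: '</script><img src=x onerror=alert(1)>', summary: 'a < b' },
  ],
};

// Before: JSON.stringify leaves "</script>" intact, so the HTML parser ends
// the script element in the middle of the string literal.
function embedUnsafe(data) {
  return '<script>const DATA = ' + JSON.stringify(data) + ';</script>';
}

// After (the fix from the review): every "<" becomes \u003c. The HTML parser
// sees no tag, and the JS/JSON parser decodes it back to "<". This also
// covers "<!--" and "<script" inside the data.
function embedSafe(data) {
  const json = JSON.stringify(data).replace(/</g, '\\u003c');
  return '<script>const DATA = ' + json + ';</script>';
}

// Number of script end tags an HTML parser would find in the markup.
function scriptCloseCount(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Recover the embedded literal from the safe markup and parse it, to show
// that the escaping does not change the data.
function roundTrip(data) {
  const html = embedSafe(data);
  const start = '<script>const DATA = '.length;
  return JSON.parse(html.slice(start, html.length - ';</script>'.length));
}

// String-based escaper for values concatenated into innerHTML markup
// (hypothetical stand-in for the PR's DOM-based escHtml()).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

console.log(scriptCloseCount(embedUnsafe(sessionDataByDate))); // 2
console.log(scriptCloseCount(embedSafe(sessionDataByDate)));   // 1
console.log(escapeHtml(sessionDataByDate['2026-03-22'][0].project));
```

A report-generation test can assert the same property on real output: exactly one script end tag per embedded data block, regardless of what project names or summaries contain.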
@onlycastle onlycastle merged commit 093d448 into main Mar 22, 2026
1 check failed
@onlycastle onlycastle deleted the feat/plugin-extract-write-skills-20260322 branch March 22, 2026 22:36
onlycastle added a commit that referenced this pull request Mar 23, 2026
Add missing stage output fixtures for extractAiCollaboration,
extractContextEngineering, extractToolMastery, extractBurnoutRisk,
extractAiControl, extractSkillResilience, and content stage data
to match the new domain skill pipeline from #181.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
onlycastle added a commit that referenced this pull request Mar 23, 2026
…#183)

* test(plugin): add extract domain and content stage fixtures

Add missing stage output fixtures for extractAiCollaboration,
extractContextEngineering, extractToolMastery, extractBurnoutRisk,
extractAiControl, extractSkillResilience, and content stage data
to match the new domain skill pipeline from #181.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* test(plugin): update report gating assertions for new template sections

Update HTML content assertions to match refactored report template:
- Planning Analysis → Top Focus Areas
- Critical Thinking → Personality Summary
- Anti-Patterns → Weekly Insights

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>