Strategy: Heavy analysis runs on contributor's GitHub Actions allowance
Microsoft/GitHub subsidizes the compute through free tiers
Workflows:
- contributor-ci.yml: Full CI runs on fork (contributor pays)
- fork-ai-triage.yml: AI analysis, labeling, security scan (fork pays)
- fork-pr-analysis.yml: Upstream just verifies fork CI passed
Benefits:
- Unlimited scale via contributor free tiers
- AI/Copilot features use their allowance
- We only pay for lightweight verification
- Forks inherit these workflows automatically
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When creating a new repo from this template:
- template-bootstrap.yml runs on first push
- Creates standard labels (agent:*, priority:*, type:*)
- Enables security features (Dependabot, vuln alerts)
- Creates setup checklist issue
- TEMPLATE_SETUP.md guides customization
Files to customize: repos.yaml, CLAUDE.md, README.md
Delete TEMPLATE_SETUP.md when done.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- VitePress config with canonical URLs to core.help
- Developer preview banner linking to main docs
- Documentation pages: quick-start, commands, core-folder, repos-yaml
- GitHub Actions workflow for Pages deployment
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add read:project,project scopes to gh auth in install scripts
- Update troubleshooting docs for missing scopes
- Enable GitHub Projects access for workspace management
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add GitHub Actions workflow to test install scripts on Linux, macOS, Windows
- Runs weekly to catch upstream package changes
- Update install-deps.sh to configure gh with workflow scope
- Document workflow scope in README.md and CLAUDE.md troubleshooting
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Introduces a .core/ folder structure that provides:
- workspace.yaml for active package configuration
- Claude Code plugin with skills for multi-repo navigation
- Hook script suggesting core CLI over raw commands
- Full .core/ folder specification for other packages
Also restructures README.md and CLAUDE.md for better fresh
developer experience with clear "what happens" and "what's next"
sections.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Separate local declaration from assignment to avoid masking errors (SC2155)
- Add exit code check after Homebrew installer execution
- Add exit code check after NodeSource setup script execution
- Add LASTEXITCODE check after Chocolatey installer execution
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add SHA256 checksum verification to install-core.sh binary download
- Add version pinning (v0.1.0) to install-core.sh matching PowerShell version
- Use mktemp for secure temp files instead of predictable /tmp/core
- Add symlink detection to prevent directory traversal attacks
- Add GPG signature verification for git tags when available
- Add checksum verification for Go binary in install-deps.sh
- Add SHA384 signature verification for Composer installer
- Replace Invoke-Expression with download-verify-execute in install-deps.ps1
- Download Homebrew/NodeSource scripts to temp files before execution
- Add security documentation and warnings for external scripts
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
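The two commits above (the SC2155 / exit-status one and the checksum, mktemp and symlink one) describe controls that are easiest to see together in one script. The following is an added example written for this page, not code from the host-uk install-core.sh or install-deps.sh. `fake_fetch_good`, `fake_fetch_tampered`, `EXPECTED_SHA256` (the SHA-256 of the constructed payload "hello\n") and the example.invalid URL are stand-ins so the script runs offline; all function names are assumptions, not the project's.

```bash
#!/usr/bin/env bash
# Added example for this page, not the project's install-core.sh / install-deps.sh.
# Shows: version pin, download into a mktemp dir, SHA-256 check before use,
# symlink refusal on the install dir, `local` declaration separated from
# assignment (SC2155), and explicit exit-status checks on external installers.
set -uo pipefail   # no -e on purpose: every failure below is checked explicitly

CORE_VERSION="v0.1.0"                                    # pinned, not a moving "dev" tag
# Placeholder URL (assumption, not the project's real release location).
CORE_URL="https://example.invalid/core/${CORE_VERSION}/core-linux-amd64"

# Shape of the real downloader: fail on HTTP errors, HTTPS only, never piped into bash.
real_fetch() { curl -fsSL --proto '=https' --tlsv1.2 "$CORE_URL" -o "$1"; }

# sha256sum on GNU/Linux, shasum -a 256 on macOS.
sha256_of() {
  local file="$1"
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$file" | awk '{print $1}'
  else
    shasum -a 256 "$file" | awk '{print $1}'
  fi
}

# 0 only when the digest matches exactly. The assignment is separate from `local`
# so a failing sha256_of is not hidden behind local's own status (SC2155).
verify_sha256() {
  local file="$1" expected="$2"
  local actual
  actual=$(sha256_of "$file") || return 1
  [ "$actual" = "$expected" ]
}

# Refuse an install directory that is a symlink: a link planted by another
# user would redirect our writes to a path of their choosing.
ensure_not_symlink() {
  local dir="$1"
  if [ -L "$dir" ]; then
    echo "refusing symlinked install dir: $dir" >&2
    return 1
  fi
}

# Private, unpredictable scratch dir instead of a fixed /tmp/core.
secure_tmpdir() {
  local d
  d=$(mktemp -d "${TMPDIR:-/tmp}/core-install.XXXXXX") || return 1
  chmod 700 "$d" && printf '%s\n' "$d"
}

# Download, verify, then install. $1 is a fetcher function taking the output path.
# Status: 1 bad install dir, 2 download failed, 3 checksum mismatch, 4 copy failed, 0 ok.
install_verified() {
  local fetch="$1" expected="$2" dest_dir="$3"
  local tmp rc=0
  ensure_not_symlink "$dest_dir" || return 1
  tmp=$(secure_tmpdir) || return 1
  if ! "$fetch" "$tmp/core.bin"; then
    echo "download failed" >&2; rc=2
  elif ! verify_sha256 "$tmp/core.bin" "$expected"; then
    echo "checksum mismatch, refusing to install" >&2; rc=3
  else
    mkdir -p "$dest_dir" && cp "$tmp/core.bin" "$dest_dir/core" && chmod 0755 "$dest_dir/core" || rc=4
  fi
  rm -rf "$tmp"                      # cleanup on every path
  return "$rc"
}

# Vendor installer (Homebrew, NodeSource) saved to a file first, then run with
# its exit status surfaced, instead of `curl | bash`, which hides both.
run_script_checked() {
  local script="$1" rc=0
  bash "$script" || rc=$?
  [ "$rc" -eq 0 ] || echo "installer exited with status $rc" >&2
  return "$rc"
}

# Verify a git tag's GPG signature when gpg is present; warn and continue otherwise.
verify_tag_if_possible() {
  local repo="$1" tag="$2"
  command -v gpg >/dev/null 2>&1 || { echo "gpg missing, tag $tag not verified" >&2; return 0; }
  git -C "$repo" verify-tag "$tag"
}

# Why SC2155 matters: the status seen after `local v=$(false)` is local's (0);
# after `local v; v=$(false)` it is the substitution's (1).
masked_status()   ( set +e; local v=$(false); return $? )
unmasked_status() ( set +e; local v; v=$(false); return $? )

# --- constructed sample input so the example runs offline (not a real artifact) ---
fake_fetch_good()     { printf 'hello\n'  > "$1"; }   # stand-in for real_fetch
fake_fetch_tampered() { printf 'hello!\n' > "$1"; }   # attacker-modified download
EXPECTED_SHA256="5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"  # sha256 of "hello\n"

demo() {
  local dest
  dest=$(mktemp -d "${TMPDIR:-/tmp}/core-demo.XXXXXX") || return 1
  install_verified fake_fetch_good     "$EXPECTED_SHA256" "$dest/bin" && echo "installed $dest/bin/core"
  install_verified fake_fetch_tampered "$EXPECTED_SHA256" "$dest/bin" || echo "tampered download rejected, status $?"
  rm -rf "$dest"
}
demo
```

In a real script `real_fetch` replaces the `fake_fetch_*` stand-ins and `EXPECTED_SHA256` comes from a checksum committed alongside the pinned version, not fetched from the same untrusted location as the binary. The distinct return codes let the calling setup script report which control tripped instead of a generic failure.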
- Add PowerShell 4.0+ version check at startup
- Add disk space check (100MB minimum) before install
- Add try/finally cleanup for download temp files (handles Ctrl+C)
- Fix PATH duplicate semicolons by trimming before append
- Update header with requirements documentation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add backtick and percent sign to blocked characters
- Use fsutil reparsepoint query for reliable symlink/junction detection
- Keep attribute check as fallback defense layer
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
install-core.ps1:
- Add Test-SecureDirectory and New-SecureDirectory to mitigate TOCTOU races
- Add Test-GitTagSignature for GPG verification of git tags
- Make ACL failures fatal for temp directories with retry logic
- Use precise PATH matching instead of substring contains
- Add unique GUID suffix to temp file names
- Document security controls and known limitations in header
setup.bat:
- Validate LOCALAPPDATA is within USERPROFILE
- Reject paths with invalid shell characters
- Add symlink detection for install directory
- Use delayed expansion variables for path safety
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add SHA256 hash verification for downloaded binaries
- Pin to specific version (v0.1.0) instead of dev tag
- Validate LOCALAPPDATA is within user profile
- Detect symlink attacks on install directory
- Set restrictive ACL (owner-only) on temp build directories
- Validate PATH entries before modification
- Improve error handling with specific exception types
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Ensures Pop-Location is always called, even if Write-Err exits early.
Makes the cleanup pattern consistent and easier to maintain.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add git prerequisite check before cloning
- Check $LASTEXITCODE after git clone and go build
- Wrap build logic in try/finally for guaranteed temp cleanup
- Add error check after core setup command in batch file
- Show warning if core doctor reports issues
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use Join-Path for reliable path handling in PowerShell
- Replace fragile New-TemporaryFile with GetTempPath + GUID
- Enable delayed expansion in batch for reliable errorlevel checks
- Add call statements for proper subprocess error propagation
- Verify core.exe exists before running commands
- Update repo reference and build path
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Makefile for make-based workflow
- Add setup.sh / setup.bat for one-command bootstrap
- Add scripts/install-deps.sh for macOS/Linux dependencies
- Add scripts/install-deps.ps1 for Windows (Chocolatey)
- Add scripts/install-core.sh to build/download core CLI
- Add scripts/install-core.ps1 for Windows
- Update README with installation instructions
Developers can now run:
macOS/Linux: ./setup.sh (or make setup)
Windows: .\setup.bat (as Admin)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add repos.yaml registry for all host-uk packages
- Add packages/ directory with .gitkeep (contents git-ignored)
- Add README with quickstart and prerequisites
- Add CLAUDE.md for AI-assisted development
Use `core setup` to clone all repos into packages/
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>