Skip to content

v1.3.5

Choose a tag to compare

@github-actions github-actions released this 27 Apr 04:02

What's Changed in v1.3.5

feat: port block-no-verify hook + workflow-security CI validator (#47) by @Jamkris

Summary

Adopts two security additions from everything-claude-code (upstream as of 4e66b28) that are protocol-portable to Gemini CLI without rewriting:

  1. scripts/hooks/block-no-verify.js — registered as a BeforeTool hook on run_shell_command. Blocks --no-verify (and -n shorthand on commit) plus -c core.hooksPath= overrides for git commit / push / merge / cherry-pick / rebase / am. Detects subcommand even in chained shells (git log -n 5 && git commit ...) without false-positiving on -n that belongs to git log. Returns exit 2 with stderr explanation when blocking; exit 0 otherwise.

  2. scripts/ci/validate-workflow-security.js — rejects unsafe github.event.{workflow_run,pull_request}.head.* refs inside actions/checkout steps when triggered from privileged events (workflow_run / pull_request_target). Wired into reusable-validate.yml as a 5th validation step.

The tool_input.command JSON shape that block-no-verify reads is the same shape Gemini CLI's BeforeTool already produces, so no protocol translation was needed for the hook code itself.

Hook registration (per session direction: same blast radius as the Claude side)

{
  "matcher": "tool == \"run_shell_command\"",
  "hooks": [
    { "type": "command", "command": "node \"$HOME/.gemini/extensions/everything-gemini-code/scripts/hooks/block-no-verify.js\"" }
  ]
}

Always-on: matches every shell command, with the hook returning exit 0 fast for non-git commands.

Skipped from upstream (with reasons)

  • gateguard-fact-force.js + skills/gateguard — hardcoded Claude tool names (Edit / Write / MultiEdit / Bash), Claude permissionDecision JSON output protocol, CLAUDE_* env vars. Porting would be a near-rewrite to fit Gemini's stderr+exit hook contract.
  • bash-hook-dispatcher.js + pre/post-bash-dispatcher.js — dispatcher pattern works around Claude's single-hook-per-event limit; Gemini hooks.json already supports multiple entries per event natively.

Test plan

  • node scripts/hooks/block-no-verify.js — direct stdin invocation works (12 cases pass)
  • node scripts/ci/validate-workflow-security.js — passes against this repo's 5 workflow files (and against the 4 fixture cases in the test)
  • node scripts/ci/validate-hooks.js — 16 hook matchers (was 15)
  • npm run lint — clean
  • npm test181/181 pass (was 165: +12 hook tests, +4 CI validator tests)
  • Reviewer spot-check: manually verify a git commit --no-verify attempt is blocked once the extension is reinstalled

feat: port a11y-architect agent + accessibility skill from upstream (#46) by @Jamkris

Summary

Ports two clean additions from everything-claude-code (upstream as of 4e66b28) that fit the Gemini CLI extension scope without rewriting:

  • agents/a11y-architect.md — WCAG 2.2 accessibility architect (Web/iOS/Android). Frontmatter migrated to the Gemini CLI shape per the strict validator added in #45.
  • skills/accessibility/SKILL.md — WCAG 2.2 implementation patterns. Copied as-is (no Claude-specific content).

Larger upstream items (gateguard hook + skill, bash dispatcher, Python LLM provider layer, Rust core, plugin manifests) are intentionally not included — they are deeply Claude-Code-protocol-coupled or out of scope for a Gemini CLI extension. PR 2 in this sync wave will cover block-no-verify.js and validate-workflow-security.js.

Frontmatter migration (a11y-architect)

Before (upstream) After (this PR)
model: sonnet + model: opus (duplicate, schema-forbidden) removed (Gemini CLI agent schema does not accept model)
tools: [Read, Write, Edit, Bash, Grep, Glob] tools: [read_file, write_file, replace, run_shell_command, search_file_content, glob]
Body content unchanged — no Claude-specific references

The migration is the exact mapping enforced by scripts/lib/gemini-tools.js (Phase 2 SoT).

Test plan

  • node scripts/ci/validate-agents.js — 48 agents validated (was 47)
  • node scripts/ci/validate-skills.js — 183 skill directories validated (was 182)
  • npm run lint — clean
  • npm test — 165/165 pass
  • Reviewer spot-check that the agent's tool list still makes sense for an accessibility audit workflow

Summary by CodeRabbit

  • Documentation
    • Added new accessibility agent guidance for designing WCAG 2.2 Level AA compliant interfaces
    • Included comprehensive skill documentation covering semantic mapping, focus management, and cross-platform labeling standards for Web, iOS, and Android
    • Provided best practices, anti-patterns, and implementation examples for accessible components

feat: strict agent/command validators to prevent Issue #34-class regr… (#45) by @Jamkris

Strengthens the existing CI validators to catch frontmatter and filename issues before the Gemini CLI agent loader rejects them.

scripts/lib/gemini-tools.js (new)

  • Single source of truth for the 11 valid Gemini CLI tool names
  • Claude-style → Gemini name mapping table for actionable error hints
  • Levenshtein-based "Did you mean?" suggestions for typos
  • Frontmatter validator: required keys, forbidden keys (color/model), malformed/empty tools array, MCP entries

scripts/ci/validate-agents.js

  • Now uses the lib instead of only checking that "tools" exists
  • Catches Read/Edit/Bash, search_files/replace_in_file, mcp__* tools, and color/model keys (all of which break the loader)

scripts/ci/validate-commands.js

  • Enforces egc- filename prefix (PR #38 regression guard)
  • Requires a non-empty description field
  • Logic exported as a module for integration tests

tests/lib/gemini-tools.test.js (new, 24 cases)

  • parseToolsField, suggestTool, validateToolList, validateAgentFrontmatter, allowlist sanity

tests/lint/validators.test.js (new, 13 cases)

  • Fixture-based: good + Claude-style + MCP + forbidden keys + legacy names + missing frontmatter; mirrored for commands
  • Plus a sweep that runs the live validators across every real agents/.md and commands/.toml in the repo

.gemini/styleguide.md

  • Notes that scripts/lib/gemini-tools.js is the authoritative allowlist and the styleguide is its human-facing mirror

Lint green / 161 tests pass (was 124).

Summary by CodeRabbit

  • New Features

    • Enhanced validation for agent and command configurations with detection of invalid tool names, forbidden keys, missing descriptions, and naming convention violations.
    • Added intelligent tool name suggestions for common misspellings.
  • Documentation

    • Updated style guide to clarify validation requirements and enforcement mechanisms.
  • Tests

    • Added comprehensive test suites and fixtures for validation verification.

chore: release v1.3.4 (#44) by @Jamkris

Bump version to 1.3.4