docs: Add comprehensive plugin documentation

- Add plugins section to main README with link to detailed docs
- Create plugins/README.md with overview of all available plugins
- Add detailed READMEs for agent-sdk-dev, commit-commands, and feature-dev plugins
- Document all commands, agents, usage patterns, and workflows

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

.claude-plugin/marketplace.json

@@ -35,6 +35,28 @@
       },
       "source": "./plugins/commit-commands",
       "category": "productivity"
+    },
+    {
+      "name": "feature-dev",
+      "description": "Comprehensive feature development workflow with specialized agents for codebase exploration, architecture design, and quality review",
+      "version": "1.0.0",
+      "author": {
+        "name": "Siddharth Bidasaria",
+        "email": "sbidasaria@anthropic.com"
+      },
+      "source": "./plugins/feature-dev",
+      "category": "development"
+    },
+    {
+      "name": "security-guidance",
+      "description": "Security reminder hook that warns about potential security issues when editing files, including command injection, XSS, and unsafe code patterns",
+      "version": "1.0.0",
+      "author": {
+        "name": "David Dworken",
+        "email": "dworken@anthropic.com"
+      },
+      "source": "./plugins/security-guidance",
+      "category": "security"
     }
   ]
 }

CHANGELOG.md

@@ -1,5 +1,69 @@
 # Changelog
 
+## 2.0.22
+
+- Edit the plan in your text editor using CTRL+G
+- Fixed content layout shift when scrolling through slash commands
+- IDE: Add toggle to enable/disable thinking.
+- Fix bug causing duplicate permission prompts with parallel tool calls
+- Add support for enterprise managed MCP allowlist and denylist
+- Support MCP `structuredContent` field in tool responses
+- Added an interactive question tool
+- Claude will now ask you questions more often in plan mode
+- Added Haiku 4.5 as a model option for Pro users
+- Fixed an issue where queued commands don't have access to previous messages' output
+
+## 2.0.20
+
+- Added support for Claude Skills
+
+## 2.0.19
+
+- Auto-background long-running bash commands instead of killing them. Customize with BASH_DEFAULT_TIMEOUT_MS
+- Fixed a bug where Haiku was unnecessarily called in print mode
+
+## 2.0.17
+
+- Added Haiku 4.5 to model selector!
+- Haiku 4.5 automatically uses Sonnet in plan mode, and Haiku for execution (i.e. SonnetPlan by default)
+- 3P (Bedrock and Vertex) are not automatically upgraded yet. Manual upgrading can be done through setting `ANTHROPIC_DEFAULT_HAIKU_MODEL`
+- Introducing the Explore subagent. Powered by Haiku it'll search through your codebase efficiently to save context!
+- OTEL: support HTTP_PROXY and HTTPS_PROXY
+- `CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC` now disables release notes fetching
+
+## 2.0.15
+
+- Fixed bug with resuming where previously created files needed to be read again before writing
+- Fixed bug with `-p` mode where @-mentioned files needed to be read again before writing
+
+## 2.0.14
+
+- Fix @-mentioning MCP servers to toggle them on/off
+- Improve permission checks for bash with inline env vars
+- Fix ultrathink + thinking toggle
+- Reduce unnecessary logins
+- Document --system-prompt
+- Several improvements to rendering
+- Plugins UI polish
+
+## 2.0.13
+
+- Fixed `/plugin` not working on native build
+
+## 2.0.12
+
+- **Plugin System Released**: Extend Claude Code with custom commands, agents, hooks, and MCP servers from marketplaces
+- `/plugin install`, `/plugin enable/disable`, `/plugin marketplace` commands for plugin management
+- Repository-level plugin configuration via `extraKnownMarketplaces` for team collaboration
+- `/plugin validate` command for validating plugin structure and configuration
+- Plugin announcement blog post at https://www.anthropic.com/news/claude-code-plugins
+- Plugin documentation available at https://docs.claude.com/en/docs/claude-code/plugins
+- Comprehensive error messages and diagnostics via `/doctor` command
+- Avoid flickering in `/model` selector
+- Improvements to `/help`
+- Avoid mentioning hooks in `/resume` summaries
+- Changes to the "verbose" setting in `/config` now persist across sessions
+
 ## 2.0.11
 
 - Reduced system prompt size by 1.4k tokens

README.md

@@ -20,6 +20,10 @@ npm install -g @anthropic-ai/claude-code
 
 2. Navigate to your project directory and run `claude`.
 
+## Plugins
+
+This repository includes several Claude Code plugins that extend functionality with custom commands and agents. See the [plugins directory](./plugins/README.md) for detailed documentation on available plugins.
+
 ## Reporting Bugs
 
 We welcome your feedback. Use the `/bug` command to report issues directly within Claude Code, or file a [GitHub issue](https://github.com/anthropics/claude-code/issues).

plugins/README.md

@@ -0,0 +1,93 @@
+# Claude Code Plugins
+
+This directory contains some official Claude Code plugins that extend functionality through custom commands, agents, and workflows. These are examples of what's possible with the Claude Code plugin system—many more plugins are available through community marketplaces.
+
+## What are Claude Code Plugins?
+
+Claude Code plugins are extensions that enhance Claude Code with custom slash commands, specialized agents, hooks, and MCP servers. Plugins can be shared across projects and teams, providing consistent tooling and workflows.
+
+Learn more in the [official plugins documentation](https://docs.claude.com/en/docs/claude-code/plugins).
+
+## Plugins in This Directory
+
+### [agent-sdk-dev](./agent-sdk-dev/)
+
+**Claude Agent SDK Development Plugin**
+
+Streamlines the development of Claude Agent SDK applications with scaffolding commands and verification agents.
+
+- **Command**: `/new-sdk-app` - Interactive setup for new Agent SDK projects
+- **Agents**: `agent-sdk-verifier-py` and `agent-sdk-verifier-ts` - Validate SDK applications against best practices
+- **Use case**: Creating and verifying Claude Agent SDK applications in Python or TypeScript
+
+### [commit-commands](./commit-commands/)
+
+**Git Workflow Automation Plugin**
+
+Simplifies common git operations with streamlined commands for committing, pushing, and creating pull requests.
+
+- **Commands**:
+  - `/commit` - Create a git commit with appropriate message
+  - `/commit-push-pr` - Commit, push, and create a PR in one command
+  - `/clean_gone` - Clean up stale local branches marked as [gone]
+- **Use case**: Faster git workflows with less context switching
+
+### [feature-dev](./feature-dev/)
+
+**Comprehensive Feature Development Workflow Plugin**
+
+Provides a structured 7-phase approach to feature development with specialized agents for exploration, architecture, and review.
+
+- **Command**: `/feature-dev` - Guided feature development workflow
+- **Agents**:
+  - `code-explorer` - Deeply analyzes existing codebase features
+  - `code-architect` - Designs feature architectures and implementation blueprints
+  - `code-reviewer` - Reviews code for bugs, quality issues, and project conventions
+- **Use case**: Building new features with systematic codebase understanding and quality assurance
+
+## Installation
+
+These plugins are included in the Claude Code repository. To use them in your own projects:
+
+1. Install Claude Code globally:
+```bash
+npm install -g @anthropic-ai/claude-code
+```
+
+2. Navigate to your project and run Claude Code:
+```bash
+claude
+```
+
+3. Use the `/plugin` command to install plugins from marketplaces, or configure them in your project's `.claude/settings.json`.
+
+For detailed plugin installation and configuration, see the [official documentation](https://docs.claude.com/en/docs/claude-code/plugins).
+
+## Plugin Structure
+
+Each plugin follows the standard Claude Code plugin structure:
+
+```
+plugin-name/
+├── .claude-plugin/
+│   └── plugin.json          # Plugin metadata
+├── commands/                 # Slash commands (optional)
+├── agents/                   # Specialized agents (optional)
+└── README.md                # Plugin documentation
+```
+
+## Contributing
+
+When adding new plugins to this directory:
+
+1. Follow the standard plugin structure
+2. Include a comprehensive README.md
+3. Add plugin metadata in `.claude-plugin/plugin.json`
+4. Document all commands and agents
+5. Provide usage examples
+
+## Learn More
+
+- [Claude Code Documentation](https://docs.claude.com/en/docs/claude-code/overview)
+- [Plugin System Documentation](https://docs.claude.com/en/docs/claude-code/plugins)
+- [Agent SDK Documentation](https://docs.claude.com/en/api/agent-sdk/overview)

plugins/agent-sdk-dev/.claude-plugin/plugin.json

@@ -0,0 +1,9 @@
+{
+  "name": "agent-sdk-dev",
+  "description": "Claude Agent SDK Development Plugin",
+  "version": "1.0.0",
+  "author": {
+    "name": "Ashwin Bhat",
+    "email": "ashwin@anthropic.com"
+  }
+}

plugins/agent-sdk-dev/README.md

@@ -0,0 +1,208 @@
+# Agent SDK Development Plugin
+
+A comprehensive plugin for creating and verifying Claude Agent SDK applications in Python and TypeScript.
+
+## Overview
+
+The Agent SDK Development Plugin streamlines the entire lifecycle of building Agent SDK applications, from initial scaffolding to verification against best practices. It helps you quickly start new projects with the latest SDK versions and ensures your applications follow official documentation patterns.
+
+## Features
+
+### Command: `/new-sdk-app`
+
+Interactive command that guides you through creating a new Claude Agent SDK application.
+
+**What it does:**
+- Asks clarifying questions about your project (language, name, agent type, starting point)
+- Checks for and installs the latest SDK version
+- Creates all necessary project files and configuration
+- Sets up proper environment files (.env.example, .gitignore)
+- Provides a working example tailored to your use case
+- Runs type checking (TypeScript) or syntax validation (Python)
+- Automatically verifies the setup using the appropriate verifier agent
+
+**Usage:**
+```bash
+/new-sdk-app my-project-name
+```
+
+Or simply:
+```bash
+/new-sdk-app
+```
+
+The command will interactively ask you:
+1. Language choice (TypeScript or Python)
+2. Project name (if not provided)
+3. Agent type (coding, business, custom)
+4. Starting point (minimal, basic, or specific example)
+5. Tooling preferences (npm/yarn/pnpm or pip/poetry)
+
+**Example:**
+```bash
+/new-sdk-app customer-support-agent
+# → Creates a new Agent SDK project for a customer support agent
+# → Sets up TypeScript or Python environment
+# → Installs latest SDK version
+# → Verifies the setup automatically
+```
+
+### Agent: `agent-sdk-verifier-py`
+
+Thoroughly verifies Python Agent SDK applications for correct setup and best practices.
+
+**Verification checks:**
+- SDK installation and version
+- Python environment setup (requirements.txt, pyproject.toml)
+- Correct SDK usage and patterns
+- Agent initialization and configuration
+- Environment and security (.env, API keys)
+- Error handling and functionality
+- Documentation completeness
+
+**When to use:**
+- After creating a new Python SDK project
+- After modifying an existing Python SDK application
+- Before deploying a Python SDK application
+
+**Usage:**
+The agent runs automatically after `/new-sdk-app` creates a Python project, or you can trigger it by asking:
+```
+"Verify my Python Agent SDK application"
+"Check if my SDK app follows best practices"
+```
+
+**Output:**
+Provides a comprehensive report with:
+- Overall status (PASS / PASS WITH WARNINGS / FAIL)
+- Critical issues that prevent functionality
+- Warnings about suboptimal patterns
+- List of passed checks
+- Specific recommendations with SDK documentation references
+
+### Agent: `agent-sdk-verifier-ts`
+
+Thoroughly verifies TypeScript Agent SDK applications for correct setup and best practices.
+
+**Verification checks:**
+- SDK installation and version
+- TypeScript configuration (tsconfig.json)
+- Correct SDK usage and patterns
+- Type safety and imports
+- Agent initialization and configuration
+- Environment and security (.env, API keys)
+- Error handling and functionality
+- Documentation completeness
+
+**When to use:**
+- After creating a new TypeScript SDK project
+- After modifying an existing TypeScript SDK application
+- Before deploying a TypeScript SDK application
+
+**Usage:**
+The agent runs automatically after `/new-sdk-app` creates a TypeScript project, or you can trigger it by asking:
+```
+"Verify my TypeScript Agent SDK application"
+"Check if my SDK app follows best practices"
+```
+
+**Output:**
+Provides a comprehensive report with:
+- Overall status (PASS / PASS WITH WARNINGS / FAIL)
+- Critical issues that prevent functionality
+- Warnings about suboptimal patterns
+- List of passed checks
+- Specific recommendations with SDK documentation references
+
+## Workflow Example
+
+Here's a typical workflow using this plugin:
+
+1. **Create a new project:**
+```bash
+/new-sdk-app code-reviewer-agent
+```
+
+2. **Answer the interactive questions:**
+```
+Language: TypeScript
+Agent type: Coding agent (code review)
+Starting point: Basic agent with common features
+```
+
+3. **Automatic verification:**
+The command automatically runs `agent-sdk-verifier-ts` to ensure everything is correctly set up.
+
+4. **Start developing:**
+```bash
+# Set your API key
+echo "ANTHROPIC_API_KEY=your_key_here" > .env
+
+# Run your agent
+npm start
+```
+
+5. **Verify after changes:**
+```
+"Verify my SDK application"
+```
+
+## Installation
+
+This plugin is included in the Claude Code repository. To use it:
+
+1. Ensure Claude Code is installed
+2. The plugin commands and agents are automatically available
+
+## Best Practices
+
+- **Always use the latest SDK version**: `/new-sdk-app` checks for and installs the latest version
+- **Verify before deploying**: Run the verifier agent before deploying to production
+- **Keep API keys secure**: Never commit `.env` files or hardcode API keys
+- **Follow SDK documentation**: The verifier agents check against official patterns
+- **Type check TypeScript projects**: Run `npx tsc --noEmit` regularly
+- **Test your agents**: Create test cases for your agent's functionality
+
+## Resources
+
+- [Agent SDK Overview](https://docs.claude.com/en/api/agent-sdk/overview)
+- [TypeScript SDK Reference](https://docs.claude.com/en/api/agent-sdk/typescript)
+- [Python SDK Reference](https://docs.claude.com/en/api/agent-sdk/python)
+- [Agent SDK Examples](https://docs.claude.com/en/api/agent-sdk/examples)
+
+## Troubleshooting
+
+### Type errors in TypeScript project
+
+**Issue**: TypeScript project has type errors after creation
+
+**Solution**:
+- The `/new-sdk-app` command runs type checking automatically
+- If errors persist, check that you're using the latest SDK version
+- Verify your `tsconfig.json` matches SDK requirements
+
+### Python import errors
+
+**Issue**: Cannot import from `claude_agent_sdk`
+
+**Solution**:
+- Ensure you've installed dependencies: `pip install -r requirements.txt`
+- Activate your virtual environment if using one
+- Check that the SDK is installed: `pip show claude-agent-sdk`
+
+### Verification fails with warnings
+
+**Issue**: Verifier agent reports warnings
+
+**Solution**:
+- Review the specific warnings in the report
+- Check the SDK documentation references provided
+- Warnings don't prevent functionality but indicate areas for improvement
+
+## Author
+
+Ashwin Bhat (ashwin@anthropic.com)
+
+## Version
+
+1.0.0

plugins/agent-sdk-dev/agents/agent-sdk-verifier-py.md

@@ -1,7 +1,7 @@
 ---
 name: agent-sdk-verifier-py
 description: Use this agent to verify that a Python Agent SDK application is properly configured, follows SDK best practices and documentation recommendations, and is ready for deployment or testing. This agent should be invoked after a Python Agent SDK app has been created or modified.
-model: sonnet-4.5
+model: sonnet
 ---
 
 You are a Python Agent SDK application verifier. Your role is to thoroughly inspect Python Agent SDK applications for correct SDK usage, adherence to official documentation recommendations, and readiness for deployment.

plugins/agent-sdk-dev/agents/agent-sdk-verifier-ts.md

@@ -1,7 +1,7 @@
 ---
 name: agent-sdk-verifier-ts
 description: Use this agent to verify that a TypeScript Agent SDK application is properly configured, follows SDK best practices and documentation recommendations, and is ready for deployment or testing. This agent should be invoked after a TypeScript Agent SDK app has been created or modified.
-model: sonnet-4.5
+model: sonnet
 ---
 
 You are a TypeScript Agent SDK application verifier. Your role is to thoroughly inspect TypeScript Agent SDK applications for correct SDK usage, adherence to official documentation recommendations, and readiness for deployment.

plugins/agent-sdk-dev/commands/new-sdk-app.md

@@ -1,7 +1,6 @@
 ---
 description: Create and setup a new Claude Agent SDK application
 argument-hint: [project-name]
-model: sonnet-4.5
 ---
 
 You are tasked with helping the user create a new Claude Agent SDK application. Follow these steps carefully:

plugins/agent-sdk-dev/plugin.json

@@ -1,5 +0,0 @@
-{
-  "name": "agent-sdk-dev",
-  "description": "Claude Agent SDK Development Plugin",
-  "version": "1.0.0"
-}

plugins/commit-commands/README.md

@@ -0,0 +1,225 @@
+# Commit Commands Plugin
+
+Streamline your git workflow with simple commands for committing, pushing, and creating pull requests.
+
+## Overview
+
+The Commit Commands Plugin automates common git operations, reducing context switching and manual command execution. Instead of running multiple git commands, use a single slash command to handle your entire workflow.
+
+## Commands
+
+### `/commit`
+
+Creates a git commit with an automatically generated commit message based on staged and unstaged changes.
+
+**What it does:**
+1. Analyzes current git status
+2. Reviews both staged and unstaged changes
+3. Examines recent commit messages to match your repository's style
+4. Drafts an appropriate commit message
+5. Stages relevant files
+6. Creates the commit
+
+**Usage:**
+```bash
+/commit
+```
+
+**Example workflow:**
+```bash
+# Make some changes to your code
+# Then simply run:
+/commit
+
+# Claude will:
+# - Review your changes
+# - Stage the files
+# - Create a commit with an appropriate message
+# - Show you the commit status
+```
+
+**Features:**
+- Automatically drafts commit messages that match your repo's style
+- Follows conventional commit practices
+- Avoids committing files with secrets (.env, credentials.json)
+- Includes Claude Code attribution in commit message
+
+### `/commit-push-pr`
+
+Complete workflow command that commits, pushes, and creates a pull request in one step.
+
+**What it does:**
+1. Creates a new branch (if currently on main)
+2. Stages and commits changes with an appropriate message
+3. Pushes the branch to origin
+4. Creates a pull request using `gh pr create`
+5. Provides the PR URL
+
+**Usage:**
+```bash
+/commit-push-pr
+```
+
+**Example workflow:**
+```bash
+# Make your changes
+# Then run:
+/commit-push-pr
+
+# Claude will:
+# - Create a feature branch (if needed)
+# - Commit your changes
+# - Push to remote
+# - Open a PR with summary and test plan
+# - Give you the PR URL to review
+```
+
+**Features:**
+- Analyzes all commits in the branch (not just the latest)
+- Creates comprehensive PR descriptions with:
+  - Summary of changes (1-3 bullet points)
+  - Test plan checklist
+  - Claude Code attribution
+- Handles branch creation automatically
+- Uses GitHub CLI (`gh`) for PR creation
+
+**Requirements:**
+- GitHub CLI (`gh`) must be installed and authenticated
+- Repository must have a remote named `origin`
+
+### `/clean_gone`
+
+Cleans up local branches that have been deleted from the remote repository.
+
+**What it does:**
+1. Lists all local branches to identify [gone] status
+2. Identifies and removes worktrees associated with [gone] branches
+3. Deletes all branches marked as [gone]
+4. Provides feedback on removed branches
+
+**Usage:**
+```bash
+/clean_gone
+```
+
+**Example workflow:**
+```bash
+# After PRs are merged and remote branches are deleted
+/clean_gone
+
+# Claude will:
+# - Find all branches marked as [gone]
+# - Remove any associated worktrees
+# - Delete the stale local branches
+# - Report what was cleaned up
+```
+
+**Features:**
+- Handles both regular branches and worktree branches
+- Safely removes worktrees before deleting branches
+- Shows clear feedback about what was removed
+- Reports if no cleanup was needed
+
+**When to use:**
+- After merging and deleting remote branches
+- When your local branch list is cluttered with stale branches
+- During regular repository maintenance
+
+## Installation
+
+This plugin is included in the Claude Code repository. The commands are automatically available when using Claude Code.
+
+## Best Practices
+
+### Using `/commit`
+- Review the staged changes before committing
+- Let Claude analyze your changes and match your repo's commit style
+- Trust the automated message, but verify it's accurate
+- Use for routine commits during development
+
+### Using `/commit-push-pr`
+- Use when you're ready to create a PR
+- Ensure all your changes are complete and tested
+- Claude will analyze the full branch history for the PR description
+- Review the PR description and edit if needed
+- Use when you want to minimize context switching
+
+### Using `/clean_gone`
+- Run periodically to keep your branch list clean
+- Especially useful after merging multiple PRs
+- Safe to run - only removes branches already deleted remotely
+- Helps maintain a tidy local repository
+
+## Workflow Integration
+
+### Quick commit workflow:
+```bash
+# Write code
+/commit
+# Continue development
+```
+
+### Feature branch workflow:
+```bash
+# Develop feature across multiple commits
+/commit  # First commit
+# More changes
+/commit  # Second commit
+# Ready to create PR
+/commit-push-pr
+```
+
+### Maintenance workflow:
+```bash
+# After several PRs are merged
+/clean_gone
+# Clean workspace ready for next feature
+```
+
+## Requirements
+
+- Git must be installed and configured
+- For `/commit-push-pr`: GitHub CLI (`gh`) must be installed and authenticated
+- Repository must be a git repository with a remote
+
+## Troubleshooting
+
+### `/commit` creates empty commit
+
+**Issue**: No changes to commit
+
+**Solution**:
+- Ensure you have unstaged or staged changes
+- Run `git status` to verify changes exist
+
+### `/commit-push-pr` fails to create PR
+
+**Issue**: `gh pr create` command fails
+
+**Solution**:
+- Install GitHub CLI: `brew install gh` (macOS) or see [GitHub CLI installation](https://cli.github.com/)
+- Authenticate: `gh auth login`
+- Ensure repository has a GitHub remote
+
+### `/clean_gone` doesn't find branches
+
+**Issue**: No branches marked as [gone]
+
+**Solution**:
+- Run `git fetch --prune` to update remote tracking
+- Branches must be deleted from the remote to show as [gone]
+
+## Tips
+
+- **Combine with other tools**: Use `/commit` during development, then `/commit-push-pr` when ready
+- **Let Claude draft messages**: The commit message analysis learns from your repo's style
+- **Regular cleanup**: Run `/clean_gone` weekly to maintain a clean branch list
+- **Review before pushing**: Always review the commit message and changes before pushing
+
+## Author
+
+Anthropic (support@anthropic.com)
+
+## Version
+
+1.0.0

plugins/feature-dev/.claude-plugin/plugin.json

@@ -0,0 +1,9 @@
+{
+  "name": "feature-dev",
+  "version": "1.0.0",
+  "description": "Comprehensive feature development workflow with specialized agents for codebase exploration, architecture design, and quality review",
+  "author": {
+    "name": "Sid Bidasaria",
+    "email": "sbidasaria@anthropic.com"
+  }
+}

plugins/feature-dev/README.md

@@ -0,0 +1,412 @@
+# Feature Development Plugin
+
+A comprehensive, structured workflow for feature development with specialized agents for codebase exploration, architecture design, and quality review.
+
+## Overview
+
+The Feature Development Plugin provides a systematic 7-phase approach to building new features. Instead of jumping straight into code, it guides you through understanding the codebase, asking clarifying questions, designing architecture, and ensuring quality—resulting in better-designed features that integrate seamlessly with your existing code.
+
+## Philosophy
+
+Building features requires more than just writing code. You need to:
+- **Understand the codebase** before making changes
+- **Ask questions** to clarify ambiguous requirements
+- **Design thoughtfully** before implementing
+- **Review for quality** after building
+
+This plugin embeds these practices into a structured workflow that runs automatically when you use the `/feature-dev` command.
+
+## Command: `/feature-dev`
+
+Launches a guided feature development workflow with 7 distinct phases.
+
+**Usage:**
+```bash
+/feature-dev Add user authentication with OAuth
+```
+
+Or simply:
+```bash
+/feature-dev
+```
+
+The command will guide you through the entire process interactively.
+
+## The 7-Phase Workflow
+
+### Phase 1: Discovery
+
+**Goal**: Understand what needs to be built
+
+**What happens:**
+- Clarifies the feature request if it's unclear
+- Asks what problem you're solving
+- Identifies constraints and requirements
+- Summarizes understanding and confirms with you
+
+**Example:**
+```
+You: /feature-dev Add caching
+Claude: Let me understand what you need...
+        - What should be cached? (API responses, computed values, etc.)
+        - What are your performance requirements?
+        - Do you have a preferred caching solution?
+```
+
+### Phase 2: Codebase Exploration
+
+**Goal**: Understand relevant existing code and patterns
+
+**What happens:**
+- Launches 2-3 `code-explorer` agents in parallel
+- Each agent explores different aspects (similar features, architecture, UI patterns)
+- Agents return comprehensive analyses with key files to read
+- Claude reads all identified files to build deep understanding
+- Presents comprehensive summary of findings
+
+**Agents launched:**
+- "Find features similar to [feature] and trace implementation"
+- "Map the architecture and abstractions for [area]"
+- "Analyze current implementation of [related feature]"
+
+**Example output:**
+```
+Found similar features:
+- User authentication (src/auth/): Uses JWT tokens, middleware pattern
+- Session management (src/session/): Redis-backed, 24hr expiry
+- API security (src/api/middleware/): Rate limiting, CORS
+
+Key files to understand:
+- src/auth/AuthService.ts:45 - Core authentication logic
+- src/middleware/authMiddleware.ts:12 - Request authentication
+- src/config/security.ts:8 - Security configuration
+```
+
+### Phase 3: Clarifying Questions
+
+**Goal**: Fill in gaps and resolve all ambiguities
+
+**What happens:**
+- Reviews codebase findings and feature request
+- Identifies underspecified aspects:
+  - Edge cases
+  - Error handling
+  - Integration points
+  - Backward compatibility
+  - Performance needs
+- Presents all questions in an organized list
+- **Waits for your answers before proceeding**
+
+**Example:**
+```
+Before designing the architecture, I need to clarify:
+
+1. OAuth provider: Which OAuth providers? (Google, GitHub, custom?)
+2. User data: Store OAuth tokens or just user profile?
+3. Existing auth: Replace current auth or add alongside?
+4. Sessions: Integrate with existing session management?
+5. Error handling: How to handle OAuth failures?
+```
+
+**Critical**: This phase ensures nothing is ambiguous before design begins.
+
+### Phase 4: Architecture Design
+
+**Goal**: Design multiple implementation approaches
+
+**What happens:**
+- Launches 2-3 `code-architect` agents with different focuses:
+  - **Minimal changes**: Smallest change, maximum reuse
+  - **Clean architecture**: Maintainability, elegant abstractions
+  - **Pragmatic balance**: Speed + quality
+- Reviews all approaches
+- Forms opinion on which fits best for this task
+- Presents comparison with trade-offs and recommendation
+- **Asks which approach you prefer**
+
+**Example output:**
+```
+I've designed 3 approaches:
+
+Approach 1: Minimal Changes
+- Extend existing AuthService with OAuth methods
+- Add new OAuth routes to existing auth router
+- Minimal refactoring required
+Pros: Fast, low risk
+Cons: Couples OAuth to existing auth, harder to test
+
+Approach 2: Clean Architecture
+- New OAuthService with dedicated interface
+- Separate OAuth router and middleware
+- Refactor AuthService to use common interface
+Pros: Clean separation, testable, maintainable
+Cons: More files, more refactoring
+
+Approach 3: Pragmatic Balance
+- New OAuthProvider abstraction
+- Integrate into existing AuthService
+- Minimal refactoring, good boundaries
+Pros: Balanced complexity and cleanliness
+Cons: Some coupling remains
+
+Recommendation: Approach 3 - gives you clean boundaries without
+excessive refactoring, and fits your existing architecture well.
+
+Which approach would you like to use?
+```
+
+### Phase 5: Implementation
+
+**Goal**: Build the feature
+
+**What happens:**
+- **Waits for explicit approval** before starting
+- Reads all relevant files identified in previous phases
+- Implements following chosen architecture
+- Follows codebase conventions strictly
+- Writes clean, well-documented code
+- Updates todos as progress is made
+
+**Notes:**
+- Implementation only starts after you approve
+- Follows patterns discovered in Phase 2
+- Uses architecture designed in Phase 4
+- Continuously tracks progress
+
+### Phase 6: Quality Review
+
+**Goal**: Ensure code is simple, DRY, elegant, and functionally correct
+
+**What happens:**
+- Launches 3 `code-reviewer` agents in parallel with different focuses:
+  - **Simplicity/DRY/Elegance**: Code quality and maintainability
+  - **Bugs/Correctness**: Functional correctness and logic errors
+  - **Conventions/Abstractions**: Project standards and patterns
+- Consolidates findings
+- Identifies highest severity issues
+- **Presents findings and asks what you want to do**:
+  - Fix now
+  - Fix later
+  - Proceed as-is
+- Addresses issues based on your decision
+
+**Example output:**
+```
+Code Review Results:
+
+High Priority Issues:
+1. Missing error handling in OAuth callback (src/auth/oauth.ts:67)
+2. Memory leak: OAuth state not cleaned up (src/auth/oauth.ts:89)
+
+Medium Priority:
+1. Could simplify token refresh logic (src/auth/oauth.ts:120)
+2. Consider extracting OAuth config validation
+
+All tests pass. Code follows project conventions.
+
+What would you like to do?
+```
+
+### Phase 7: Summary
+
+**Goal**: Document what was accomplished
+
+**What happens:**
+- Marks all todos complete
+- Summarizes:
+  - What was built
+  - Key decisions made
+  - Files modified
+  - Suggested next steps
+
+**Example:**
+```
+Feature Complete: OAuth Authentication
+
+What was built:
+- OAuth provider abstraction supporting Google and GitHub
+- OAuth routes and middleware integrated with existing auth
+- Token refresh and session integration
+- Error handling for all OAuth flows
+
+Key decisions:
+- Used pragmatic approach with OAuthProvider abstraction
+- Integrated with existing session management
+- Added OAuth state to prevent CSRF
+
+Files modified:
+- src/auth/OAuthProvider.ts (new)
+- src/auth/AuthService.ts
+- src/routes/auth.ts
+- src/middleware/authMiddleware.ts
+
+Suggested next steps:
+- Add tests for OAuth flows
+- Add more OAuth providers (Microsoft, Apple)
+- Update documentation
+```
+
+## Agents
+
+### `code-explorer`
+
+**Purpose**: Deeply analyzes existing codebase features by tracing execution paths
+
+**Focus areas:**
+- Entry points and call chains
+- Data flow and transformations
+- Architecture layers and patterns
+- Dependencies and integrations
+- Implementation details
+
+**When triggered:**
+- Automatically in Phase 2
+- Can be invoked manually when exploring code
+
+**Output:**
+- Entry points with file:line references
+- Step-by-step execution flow
+- Key components and responsibilities
+- Architecture insights
+- List of essential files to read
+
+### `code-architect`
+
+**Purpose**: Designs feature architectures and implementation blueprints
+
+**Focus areas:**
+- Codebase pattern analysis
+- Architecture decisions
+- Component design
+- Implementation roadmap
+- Data flow and build sequence
+
+**When triggered:**
+- Automatically in Phase 4
+- Can be invoked manually for architecture design
+
+**Output:**
+- Patterns and conventions found
+- Architecture decision with rationale
+- Complete component design
+- Implementation map with specific files
+- Build sequence with phases
+
+### `code-reviewer`
+
+**Purpose**: Reviews code for bugs, quality issues, and project conventions
+
+**Focus areas:**
+- Project guideline compliance (CLAUDE.md)
+- Bug detection
+- Code quality issues
+- Confidence-based filtering (only reports high-confidence issues ≥80)
+
+**When triggered:**
+- Automatically in Phase 6
+- Can be invoked manually after writing code
+
+**Output:**
+- Critical issues (confidence 75-100)
+- Important issues (confidence 50-74)
+- Specific fixes with file:line references
+- Project guideline references
+
+## Usage Patterns
+
+### Full workflow (recommended for new features):
+```bash
+/feature-dev Add rate limiting to API endpoints
+```
+
+Let the workflow guide you through all 7 phases.
+
+### Manual agent invocation:
+
+**Explore a feature:**
+```
+"Launch code-explorer to trace how authentication works"
+```
+
+**Design architecture:**
+```
+"Launch code-architect to design the caching layer"
+```
+
+**Review code:**
+```
+"Launch code-reviewer to check my recent changes"
+```
+
+## Best Practices
+
+1. **Use the full workflow for complex features**: The 7 phases ensure thorough planning
+2. **Answer clarifying questions thoughtfully**: Phase 3 prevents future confusion
+3. **Choose architecture deliberately**: Phase 4 gives you options for a reason
+4. **Don't skip code review**: Phase 6 catches issues before they reach production
+5. **Read the suggested files**: Phase 2 identifies key files—read them to understand context
+
+## When to Use This Plugin
+
+**Use for:**
+- New features that touch multiple files
+- Features requiring architectural decisions
+- Complex integrations with existing code
+- Features where requirements are somewhat unclear
+
+**Don't use for:**
+- Single-line bug fixes
+- Trivial changes
+- Well-defined, simple tasks
+- Urgent hotfixes
+
+## Requirements
+
+- Claude Code installed
+- Git repository (for code review)
+- Project with existing codebase (workflow assumes existing code to learn from)
+
+## Troubleshooting
+
+### Agents take too long
+
+**Issue**: Code exploration or architecture agents are slow
+
+**Solution**:
+- This is normal for large codebases
+- Agents run in parallel when possible
+- The thoroughness pays off in better understanding
+
+### Too many clarifying questions
+
+**Issue**: Phase 3 asks too many questions
+
+**Solution**:
+- Be more specific in your initial feature request
+- Provide context about constraints upfront
+- Say "whatever you think is best" if truly no preference
+
+### Architecture options overwhelming
+
+**Issue**: Too many architecture options in Phase 4
+
+**Solution**:
+- Trust the recommendation—it's based on codebase analysis
+- If still unsure, ask for more explanation
+- Pick the pragmatic option when in doubt
+
+## Tips
+
+- **Be specific in your feature request**: More detail = fewer clarifying questions
+- **Trust the process**: Each phase builds on the previous one
+- **Review agent outputs**: Agents provide valuable insights about your codebase
+- **Don't skip phases**: Each phase serves a purpose
+- **Use for learning**: The exploration phase teaches you about your own codebase
+
+## Author
+
+Sid Bidasaria (sbidasaria@anthropic.com)
+
+## Version
+
+1.0.0

plugins/feature-dev/agents/code-architect.md

@@ -0,0 +1,34 @@
+---
+name: code-architect
+description: Designs feature architectures by analyzing existing codebase patterns and conventions, then providing comprehensive implementation blueprints with specific files to create/modify, component designs, data flows, and build sequences
+tools: Glob, Grep, LS, Read, NotebookRead, WebFetch, TodoWrite, WebSearch, KillShell, BashOutput
+model: sonnet
+color: green
+---
+
+You are a senior software architect who delivers comprehensive, actionable architecture blueprints by deeply understanding codebases and making confident architectural decisions.
+
+## Core Process
+
+**1. Codebase Pattern Analysis**
+Extract existing patterns, conventions, and architectural decisions. Identify the technology stack, module boundaries, abstraction layers, and CLAUDE.md guidelines. Find similar features to understand established approaches.
+
+**2. Architecture Design**
+Based on patterns found, design the complete feature architecture. Make decisive choices - pick one approach and commit. Ensure seamless integration with existing code. Design for testability, performance, and maintainability.
+
+**3. Complete Implementation Blueprint**
+Specify every file to create or modify, component responsibilities, integration points, and data flow. Break implementation into clear phases with specific tasks.
+
+## Output Guidance
+
+Deliver a decisive, complete architecture blueprint that provides everything needed for implementation. Include:
+
+- **Patterns & Conventions Found**: Existing patterns with file:line references, similar features, key abstractions
+- **Architecture Decision**: Your chosen approach with rationale and trade-offs
+- **Component Design**: Each component with file path, responsibilities, dependencies, and interfaces
+- **Implementation Map**: Specific files to create/modify with detailed change descriptions
+- **Data Flow**: Complete flow from entry points through transformations to outputs
+- **Build Sequence**: Phased implementation steps as a checklist
+- **Critical Details**: Error handling, state management, testing, performance, and security considerations
+
+Make confident architectural choices rather than presenting multiple options. Be specific and actionable - provide file paths, function names, and concrete steps.

plugins/feature-dev/agents/code-explorer.md

@@ -0,0 +1,51 @@
+---
+name: code-explorer
+description: Deeply analyzes existing codebase features by tracing execution paths, mapping architecture layers, understanding patterns and abstractions, and documenting dependencies to inform new development
+tools: Glob, Grep, LS, Read, NotebookRead, WebFetch, TodoWrite, WebSearch, KillShell, BashOutput
+model: sonnet
+color: yellow
+---
+
+You are an expert code analyst specializing in tracing and understanding feature implementations across codebases.
+
+## Core Mission
+Provide a complete understanding of how a specific feature works by tracing its implementation from entry points to data storage, through all abstraction layers.
+
+## Analysis Approach
+
+**1. Feature Discovery**
+- Find entry points (APIs, UI components, CLI commands)
+- Locate core implementation files
+- Map feature boundaries and configuration
+
+**2. Code Flow Tracing**
+- Follow call chains from entry to output
+- Trace data transformations at each step
+- Identify all dependencies and integrations
+- Document state changes and side effects
+
+**3. Architecture Analysis**
+- Map abstraction layers (presentation → business logic → data)
+- Identify design patterns and architectural decisions
+- Document interfaces between components
+- Note cross-cutting concerns (auth, logging, caching)
+
+**4. Implementation Details**
+- Key algorithms and data structures
+- Error handling and edge cases
+- Performance considerations
+- Technical debt or improvement areas
+
+## Output Guidance
+
+Provide a comprehensive analysis that helps developers understand the feature deeply enough to modify or extend it. Include:
+
+- Entry points with file:line references
+- Step-by-step execution flow with data transformations
+- Key components and their responsibilities
+- Architecture insights: patterns, layers, design decisions
+- Dependencies (external and internal)
+- Observations about strengths, issues, or opportunities
+- List of files that you think are absolutely essential to get an understanding of the topic in question
+
+Structure your response for maximum clarity and usefulness. Always include specific file paths and line numbers.

plugins/feature-dev/agents/code-reviewer.md

@@ -0,0 +1,46 @@
+---
+name: code-reviewer
+description: Reviews code for bugs, logic errors, security vulnerabilities, code quality issues, and adherence to project conventions, using confidence-based filtering to report only high-priority issues that truly matter
+tools: Glob, Grep, LS, Read, NotebookRead, WebFetch, TodoWrite, WebSearch, KillShell, BashOutput
+model: sonnet
+color: red
+---
+
+You are an expert code reviewer specializing in modern software development across multiple languages and frameworks. Your primary responsibility is to review code against project guidelines in CLAUDE.md with high precision to minimize false positives.
+
+## Review Scope
+
+By default, review unstaged changes from `git diff`. The user may specify different files or scope to review.
+
+## Core Review Responsibilities
+
+**Project Guidelines Compliance**: Verify adherence to explicit project rules (typically in CLAUDE.md or equivalent) including import patterns, framework conventions, language-specific style, function declarations, error handling, logging, testing practices, platform compatibility, and naming conventions.
+
+**Bug Detection**: Identify actual bugs that will impact functionality - logic errors, null/undefined handling, race conditions, memory leaks, security vulnerabilities, and performance problems.
+
+**Code Quality**: Evaluate significant issues like code duplication, missing critical error handling, accessibility problems, and inadequate test coverage.
+
+## Confidence Scoring
+
+Rate each potential issue on a scale from 0-100:
+
+- **0**: Not confident at all. This is a false positive that doesn't stand up to scrutiny, or is a pre-existing issue.
+- **25**: Somewhat confident. This might be a real issue, but may also be a false positive. If stylistic, it wasn't explicitly called out in project guidelines.
+- **50**: Moderately confident. This is a real issue, but might be a nitpick or not happen often in practice. Not very important relative to the rest of the changes.
+- **75**: Highly confident. Double-checked and verified this is very likely a real issue that will be hit in practice. The existing approach is insufficient. Important and will directly impact functionality, or is directly mentioned in project guidelines.
+- **100**: Absolutely certain. Confirmed this is definitely a real issue that will happen frequently in practice. The evidence directly confirms this.
+
+**Only report issues with confidence ≥ 80.** Focus on issues that truly matter - quality over quantity.
+
+## Output Guidance
+
+Start by clearly stating what you're reviewing. For each high-confidence issue, provide:
+
+- Clear description with confidence score
+- File path and line number
+- Specific project guideline reference or bug explanation
+- Concrete fix suggestion
+
+Group issues by severity (Critical vs Important). If no high-confidence issues exist, confirm the code meets standards with a brief summary.
+
+Structure your response for maximum actionability - developers should know exactly what to fix and why.

plugins/feature-dev/commands/feature-dev.md

@@ -0,0 +1,125 @@
+---
+description: Guided feature development with codebase understanding and architecture focus
+argument-hint: Optional feature description
+---
+
+# Feature Development
+
+You are helping a developer implement a new feature. Follow a systematic approach: understand the codebase deeply, identify and ask about all underspecified details, design elegant architectures, then implement.
+
+## Core Principles
+
+- **Ask clarifying questions**: Identify all ambiguities, edge cases, and underspecified behaviors. Ask specific, concrete questions rather than making assumptions. Wait for user answers before proceeding with implementation. Ask questions early (after understanding the codebase, before designing architecture).
+- **Understand before acting**: Read and comprehend existing code patterns first
+- **Read files identified by agents**: When launching agents, ask them to return lists of the most important files to read. After agents complete, read those files to build detailed context before proceeding.
+- **Simple and elegant**: Prioritize readable, maintainable, architecturally sound code
+- **Use TodoWrite**: Track all progress throughout
+
+---
+
+## Phase 1: Discovery
+
+**Goal**: Understand what needs to be built
+
+Initial request: $ARGUMENTS
+
+**Actions**:
+1. Create todo list with all phases
+2. If feature unclear, ask user for:
+   - What problem are they solving?
+   - What should the feature do?
+   - Any constraints or requirements?
+3. Summarize understanding and confirm with user
+
+---
+
+## Phase 2: Codebase Exploration
+
+**Goal**: Understand relevant existing code and patterns at both high and low levels
+
+**Actions**:
+1. Launch 2-3 code-explorer agents in parallel. Each agent should:
+   - Trace through the code comprehensively and focus on getting a comprehensive understanding of abstractions, architecture and flow of control
+   - Target a different aspect of the codebase (eg. similar features, high level understanding, architectural understanding, user experience, etc)
+   - Include a list of 5-10 key files to read
+
+   **Example agent prompts**:
+   - "Find features similar to [feature] and trace through their implementation comprehensively"
+   - "Map the architecture and abstractions for [feature area], tracing through the code comprehensively"
+   - "Analyze the current implementation of [existing feature/area], tracing through the code comprehensively"
+   - "Identify UI patterns, testing approaches, or extension points relevant to [feature]"
+
+2. Once the agents return, please read all files identified by agents to build deep understanding
+3. Present comprehensive summary of findings and patterns discovered
+
+---
+
+## Phase 3: Clarifying Questions
+
+**Goal**: Fill in gaps and resolve all ambiguities before designing
+
+**CRITICAL**: This is one of the most important phases. DO NOT SKIP.
+
+**Actions**:
+1. Review the codebase findings and original feature request
+2. Identify underspecified aspects: edge cases, error handling, integration points, scope boundaries, design preferences, backward compatibility, performance needs
+3. **Present all questions to the user in a clear, organized list**
+4. **Wait for answers before proceeding to architecture design**
+
+If the user says "whatever you think is best", provide your recommendation and get explicit confirmation.
+
+---
+
+## Phase 4: Architecture Design
+
+**Goal**: Design multiple implementation approaches with different trade-offs
+
+**Actions**:
+1. Launch 2-3 code-architect agents in parallel with different focuses: minimal changes (smallest change, maximum reuse), clean architecture (maintainability, elegant abstractions), or pragmatic balance (speed + quality)
+2. Review all approaches and form your opinion on which fits best for this specific task (consider: small fix vs large feature, urgency, complexity, team context)
+3. Present to user: brief summary of each approach, trade-offs comparison, **your recommendation with reasoning**, concrete implementation differences
+4. **Ask user which approach they prefer**
+
+---
+
+## Phase 5: Implementation
+
+**Goal**: Build the feature
+
+**DO NOT START WITHOUT USER APPROVAL**
+
+**Actions**:
+1. Wait for explicit user approval
+2. Read all relevant files identified in previous phases
+3. Implement following chosen architecture
+4. Follow codebase conventions strictly
+5. Write clean, well-documented code
+6. Update todos as you progress
+
+---
+
+## Phase 6: Quality Review
+
+**Goal**: Ensure code is simple, DRY, elegant, easy to read, and functionally correct
+
+**Actions**:
+1. Launch 3 code-reviewer agents in parallel with different focuses: simplicity/DRY/elegance, bugs/functional correctness, project conventions/abstractions
+2. Consolidate findings and identify highest severity issues that you recommend fixing
+3. **Present findings to user and ask what they want to do** (fix now, fix later, or proceed as-is)
+4. Address issues based on user decision
+
+---
+
+## Phase 7: Summary
+
+**Goal**: Document what was accomplished
+
+**Actions**:
+1. Mark all todos complete
+2. Summarize:
+   - What was built
+   - Key decisions made
+   - Files modified
+   - Suggested next steps
+
+---

plugins/security-guidance/.claude-plugin/plugin.json

@@ -0,0 +1,9 @@
+{
+  "name": "security-guidance",
+  "version": "1.0.0",
+  "description": "Security reminder hook that warns about potential security issues when editing files, including command injection, XSS, and unsafe code patterns",
+  "author": {
+    "name": "David Dworken",
+    "email": "dworken@anthropic.com"
+  }
+}

plugins/security-guidance/hooks/hooks.json

@@ -0,0 +1,16 @@
+{
+  "description": "Security reminder hook that warns about potential security issues when editing files",
+  "hooks": {
+    "PreToolUse": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "python3 ${CLAUDE_PLUGIN_ROOT}/hooks/security_reminder_hook.py"
+          }
+        ],
+        "matcher": "Edit|Write|MultiEdit"
+      }
+    ]
+  }
+}

plugins/security-guidance/hooks/security_reminder_hook.py

@@ -0,0 +1,280 @@
+#!/usr/bin/env python3
+"""
+Security Reminder Hook for Claude Code
+This hook checks for security patterns in file edits and warns about potential vulnerabilities.
+"""
+
+import json
+import os
+import random
+import sys
+from datetime import datetime
+
+# Debug log file
+DEBUG_LOG_FILE = "/tmp/security-warnings-log.txt"
+
+
+def debug_log(message):
+    """Append debug message to log file with timestamp."""
+    try:
+        timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
+        with open(DEBUG_LOG_FILE, "a") as f:
+            f.write(f"[{timestamp}] {message}\n")
+    except Exception as e:
+        # Silently ignore logging errors to avoid disrupting the hook
+        pass
+
+
+# State file to track warnings shown (session-scoped using session ID)
+
+# Security patterns configuration
+SECURITY_PATTERNS = [
+    {
+        "ruleName": "github_actions_workflow",
+        "path_check": lambda path: ".github/workflows/" in path
+        and (path.endswith(".yml") or path.endswith(".yaml")),
+        "reminder": """You are editing a GitHub Actions workflow file. Be aware of these security risks:
+
+1. **Command Injection**: Never use untrusted input (like issue titles, PR descriptions, commit messages) directly in run: commands without proper escaping
+2. **Use environment variables**: Instead of ${{ github.event.issue.title }}, use env: with proper quoting
+3. **Review the guide**: https://github.blog/security/vulnerability-research/how-to-catch-github-actions-workflow-injections-before-attackers-do/
+
+Example of UNSAFE pattern to avoid:
+run: echo "${{ github.event.issue.title }}"
+
+Example of SAFE pattern:
+env:
+  TITLE: ${{ github.event.issue.title }}
+run: echo "$TITLE"
+
+Other risky inputs to be careful with:
+- github.event.issue.body
+- github.event.pull_request.title
+- github.event.pull_request.body
+- github.event.comment.body
+- github.event.review.body
+- github.event.review_comment.body
+- github.event.pages.*.page_name
+- github.event.commits.*.message
+- github.event.head_commit.message
+- github.event.head_commit.author.email
+- github.event.head_commit.author.name
+- github.event.commits.*.author.email
+- github.event.commits.*.author.name
+- github.event.pull_request.head.ref
+- github.event.pull_request.head.label
+- github.event.pull_request.head.repo.default_branch
+- github.head_ref""",
+    },
+    {
+        "ruleName": "child_process_exec",
+        "substrings": ["child_process.exec", "exec(", "execSync("],
+        "reminder": """⚠️ Security Warning: Using child_process.exec() can lead to command injection vulnerabilities.
+
+This codebase provides a safer alternative: src/utils/execFileNoThrow.ts
+
+Instead of:
+  exec(`command ${userInput}`)
+
+Use:
+  import { execFileNoThrow } from '../utils/execFileNoThrow.js'
+  await execFileNoThrow('command', [userInput])
+
+The execFileNoThrow utility:
+- Uses execFile instead of exec (prevents shell injection)
+- Handles Windows compatibility automatically
+- Provides proper error handling
+- Returns structured output with stdout, stderr, and status
+
+Only use exec() if you absolutely need shell features and the input is guaranteed to be safe.""",
+    },
+    {
+        "ruleName": "new_function_injection",
+        "substrings": ["new Function"],
+        "reminder": "⚠️ Security Warning: Using new Function() with dynamic strings can lead to code injection vulnerabilities. Consider alternative approaches that don't evaluate arbitrary code. Only use new Function() if you truly need to evaluate arbitrary dynamic code.",
+    },
+    {
+        "ruleName": "eval_injection",
+        "substrings": ["eval("],
+        "reminder": "⚠️ Security Warning: eval() executes arbitrary code and is a major security risk. Consider using JSON.parse() for data parsing or alternative design patterns that don't require code evaluation. Only use eval() if you truly need to evaluate arbitrary code.",
+    },
+    {
+        "ruleName": "react_dangerously_set_html",
+        "substrings": ["dangerouslySetInnerHTML"],
+        "reminder": "⚠️ Security Warning: dangerouslySetInnerHTML can lead to XSS vulnerabilities if used with untrusted content. Ensure all content is properly sanitized using an HTML sanitizer library like DOMPurify, or use safe alternatives.",
+    },
+    {
+        "ruleName": "document_write_xss",
+        "substrings": ["document.write"],
+        "reminder": "⚠️ Security Warning: document.write() can be exploited for XSS attacks and has performance issues. Use DOM manipulation methods like createElement() and appendChild() instead.",
+    },
+    {
+        "ruleName": "innerHTML_xss",
+        "substrings": [".innerHTML =", ".innerHTML="],
+        "reminder": "⚠️ Security Warning: Setting innerHTML with untrusted content can lead to XSS vulnerabilities. Use textContent for plain text or safe DOM methods for HTML content. If you need HTML support, consider using an HTML sanitizer library such as DOMPurify.",
+    },
+    {
+        "ruleName": "pickle_deserialization",
+        "substrings": ["pickle"],
+        "reminder": "⚠️ Security Warning: Using pickle with untrusted content can lead to arbitrary code execution. Consider using JSON or other safe serialization formats instead. Only use pickle if it is explicitly needed or requested by the user.",
+    },
+    {
+        "ruleName": "os_system_injection",
+        "substrings": ["os.system", "from os import system"],
+        "reminder": "⚠️ Security Warning: This code appears to use os.system. This should only be used with static arguments and never with arguments that could be user-controlled.",
+    },
+]
+
+
+def get_state_file(session_id):
+    """Get session-specific state file path."""
+    return os.path.expanduser(f"~/.claude/security_warnings_state_{session_id}.json")
+
+
+def cleanup_old_state_files():
+    """Remove state files older than 30 days."""
+    try:
+        state_dir = os.path.expanduser("~/.claude")
+        if not os.path.exists(state_dir):
+            return
+
+        current_time = datetime.now().timestamp()
+        thirty_days_ago = current_time - (30 * 24 * 60 * 60)
+
+        for filename in os.listdir(state_dir):
+            if filename.startswith("security_warnings_state_") and filename.endswith(
+                ".json"
+            ):
+                file_path = os.path.join(state_dir, filename)
+                try:
+                    file_mtime = os.path.getmtime(file_path)
+                    if file_mtime < thirty_days_ago:
+                        os.remove(file_path)
+                except (OSError, IOError):
+                    pass  # Ignore errors for individual file cleanup
+    except Exception:
+        pass  # Silently ignore cleanup errors
+
+
+def load_state(session_id):
+    """Load the state of shown warnings from file."""
+    state_file = get_state_file(session_id)
+    if os.path.exists(state_file):
+        try:
+            with open(state_file, "r") as f:
+                return set(json.load(f))
+        except (json.JSONDecodeError, IOError):
+            return set()
+    return set()
+
+
+def save_state(session_id, shown_warnings):
+    """Save the state of shown warnings to file."""
+    state_file = get_state_file(session_id)
+    try:
+        os.makedirs(os.path.dirname(state_file), exist_ok=True)
+        with open(state_file, "w") as f:
+            json.dump(list(shown_warnings), f)
+    except IOError as e:
+        debug_log(f"Failed to save state file: {e}")
+        pass  # Fail silently if we can't save state
+
+
+def check_patterns(file_path, content):
+    """Check if file path or content matches any security patterns."""
+    # Normalize path by removing leading slashes
+    normalized_path = file_path.lstrip("/")
+
+    for pattern in SECURITY_PATTERNS:
+        # Check path-based patterns
+        if "path_check" in pattern and pattern["path_check"](normalized_path):
+            return pattern["ruleName"], pattern["reminder"]
+
+        # Check content-based patterns
+        if "substrings" in pattern and content:
+            for substring in pattern["substrings"]:
+                if substring in content:
+                    return pattern["ruleName"], pattern["reminder"]
+
+    return None, None
+
+
+def extract_content_from_input(tool_name, tool_input):
+    """Extract content to check from tool input based on tool type."""
+    if tool_name == "Write":
+        return tool_input.get("content", "")
+    elif tool_name == "Edit":
+        return tool_input.get("new_string", "")
+    elif tool_name == "MultiEdit":
+        edits = tool_input.get("edits", [])
+        if edits:
+            return " ".join(edit.get("new_string", "") for edit in edits)
+        return ""
+
+    return ""
+
+
+def main():
+    """Main hook function."""
+    # Check if security reminders are enabled
+    security_reminder_enabled = os.environ.get("ENABLE_SECURITY_REMINDER", "1")
+
+    # Only run if security reminders are enabled
+    if security_reminder_enabled == "0":
+        sys.exit(0)
+
+    # Periodically clean up old state files (10% chance per run)
+    if random.random() < 0.1:
+        cleanup_old_state_files()
+
+    # Read input from stdin
+    try:
+        raw_input = sys.stdin.read()
+        input_data = json.loads(raw_input)
+    except json.JSONDecodeError as e:
+        debug_log(f"JSON decode error: {e}")
+        sys.exit(0)  # Allow tool to proceed if we can't parse input
+
+    # Extract session ID and tool information from the hook input
+    session_id = input_data.get("session_id", "default")
+    tool_name = input_data.get("tool_name", "")
+    tool_input = input_data.get("tool_input", {})
+
+    # Check if this is a relevant tool
+    if tool_name not in ["Edit", "Write", "MultiEdit"]:
+        sys.exit(0)  # Allow non-file tools to proceed
+
+    # Extract file path from tool_input
+    file_path = tool_input.get("file_path", "")
+    if not file_path:
+        sys.exit(0)  # Allow if no file path
+
+    # Extract content to check
+    content = extract_content_from_input(tool_name, tool_input)
+
+    # Check for security patterns
+    rule_name, reminder = check_patterns(file_path, content)
+
+    if rule_name and reminder:
+        # Create unique warning key
+        warning_key = f"{file_path}-{rule_name}"
+
+        # Load existing warnings for this session
+        shown_warnings = load_state(session_id)
+
+        # Check if we've already shown this warning in this session
+        if warning_key not in shown_warnings:
+            # Add to shown warnings and save
+            shown_warnings.add(warning_key)
+            save_state(session_id, shown_warnings)
+
+            # Output the warning to stderr and block execution
+            print(reminder, file=sys.stderr)
+            sys.exit(2)  # Block tool execution (exit code 2 for PreToolUse hooks)
+
+    # Allow tool to proceed
+    sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()