From b9b7831ef5645652e4e28e1eb0187ab75b41c903 Mon Sep 17 00:00:00 2001
From: Affaan Mustafa <affaan@dcube.ai>
Date: Sun, 25 Jan 2026 15:43:48 -0800
Subject: [PATCH] fix: multiple community-reported issues

- feat(plugin.json): add agents declaration to make 9 agents visible
  in /agents command (fixes #66, closes PR #67)

- fix(backend-patterns): correct requirePermission HOF pattern to
  properly wrap handlers instead of expecting Request directly
  (fixes #54, closes PR #63)

- docs(user-CLAUDE): add privacy guideline about redacting secrets
  from logs before sharing (fixes #38, closes PR #39)

- fix(eval-harness): add mandatory frontmatter with name, description,
  and tools fields (closes PR #58)
---
 .claude-plugin/plugin.json       |  1 +
 examples/user-CLAUDE.md          |  4 ++++
 skills/backend-patterns/SKILL.md | 25 +++++++++++++++----------
 skills/eval-harness/SKILL.md     |  6 ++++++
 4 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json
index 6abaa72..5ea0e4f 100644
--- a/.claude-plugin/plugin.json
+++ b/.claude-plugin/plugin.json
@@ -22,6 +22,7 @@
     "automation",
     "best-practices"
   ],
+  "agents": "./agents",
   "commands": "./commands",
   "skills": "./skills"
 }
diff --git a/examples/user-CLAUDE.md b/examples/user-CLAUDE.md
index 750cbbf..64608ab 100644
--- a/examples/user-CLAUDE.md
+++ b/examples/user-CLAUDE.md
@@ -58,6 +58,10 @@ Located in `~/.claude/agents/`:
 
 ## Personal Preferences
 
+### Privacy
+- Always redact logs; never paste secrets (API keys/tokens/passwords/JWTs)
+- Review output before sharing - remove any sensitive data
+
 ### Code Style
 - No emojis in code, comments, or documentation
 - Prefer immutability - never mutate objects or arrays
diff --git a/skills/backend-patterns/SKILL.md b/skills/backend-patterns/SKILL.md
index 3990dc5..a0705d9 100644
--- a/skills/backend-patterns/SKILL.md
+++ b/skills/backend-patterns/SKILL.md
@@ -395,21 +395,26 @@ export function hasPermission(user: User, permission: Permission): boolean {
 }
 
 export function requirePermission(permission: Permission) {
-  return async (request: Request) => {
-    const user = await requireAuth(request)
+  return (handler: (request: Request, user: User) => Promise<Response>) => {
+    return async (request: Request) => {
+      const user = await requireAuth(request)
 
-    if (!hasPermission(user, permission)) {
-      throw new ApiError(403, 'Insufficient permissions')
+      if (!hasPermission(user, permission)) {
+        throw new ApiError(403, 'Insufficient permissions')
+      }
+
+      return handler(request, user)
     }
-
-    return user
   }
 }
 
-// Usage
-export const DELETE = requirePermission('delete')(async (request: Request) => {
-  // Handler with permission check
-})
+// Usage - HOF wraps the handler
+export const DELETE = requirePermission('delete')(
+  async (request: Request, user: User) => {
+    // Handler receives authenticated user with verified permission
+    return new Response('Deleted', { status: 200 })
+  }
+)
 ```
 
 ## Rate Limiting
diff --git a/skills/eval-harness/SKILL.md b/skills/eval-harness/SKILL.md
index 522937d..ca61962 100644
--- a/skills/eval-harness/SKILL.md
+++ b/skills/eval-harness/SKILL.md
@@ -1,3 +1,9 @@
+---
+name: eval-harness
+description: Formal evaluation framework for Claude Code sessions implementing eval-driven development (EDD) principles
+tools: Read, Write, Edit, Bash, Grep, Glob
+---
+
 # Eval Harness Skill
 
 A formal evaluation framework for Claude Code sessions, implementing eval-driven development (EDD) principles.