The Semgrep plugin currently does not work correctly when used through
Claude because it is located within a subdirectory of the Semgrep
Marketplace repository. This issue was reported in:
https://github.com/anthropics/claude-plugins-official/issues/450
Previously, this could not be fixed due to a limitation in Claude Code's
handling of plugins located in subdirectories. Support for this was added
with the git-subdir feature, released in v2.1.69:
https://github.com/anthropics/claude-code/issues/30593
A fix for the Semgrep plugin was proposed once this version became the
latest release. Now that v2.1.69+ is available as latest, this PR
implements that fix.
https://claude.ai/code/cse_01RtW9KS12VZNFfWmWY6z9Pu
Co-authored-by: Claude <noreply@anthropic.com>
- Split pipeline into two steps (extract lines, then parse) mirroring the
original structure.
- set +e around the jq call so failures reach the $? check instead of
aborting under set -e.
- The "no text content" branch remains removed (that was the original bug —
all-tool-use turns now correctly yield empty text and the loop continues).
The state file lives at .claude/ralph-loop.local.md — project-scoped,
not session-scoped. The plugin's Stop hook fires in every Claude Code
session open in that project directory. So if session A starts a loop,
session B's Stop events also find the state file and block, feeding A's
prompt into B and consuming A's iteration budget.
This was masked by the transcript-parsing bug fixed in the previous
commit: that bug deleted the state file on the first Stop in any
session, so neither session looped. Fixing it exposed the leak.
Fix: setup writes CLAUDE_CODE_SESSION_ID into the frontmatter; the hook
compares against .session_id from its stdin JSON and exits silently on
mismatch. State files without session_id (written by old setup scripts)
fall through to preserve existing behavior.
Claude Code writes each assistant content block (text/tool_use/thinking)
as its own JSONL line. The hook's `grep role:assistant | tail -1` would
grab whichever block happened to be last — often tool_use — then jq's
text filter returned empty string, triggering the 'no text content' path
which deletes the state file and exits without blocking.
Net effect: the loop silently never fires. In one observed session, 62%
of assistant lines were tool_use-only; the hook deleted state on the
very first Stop event every time.
Fix: slurp all assistant lines with jq -rs, flatten to text blocks only,
take the last. Empty result is now non-fatal — no text means no <promise>
tag, so the loop continues. Also absorbs jq parse errors (control chars
in text) via || fallback instead of aborting under set -e.
The detectFileType function matched any .md file under an agents/ or
commands/ directory, including those nested inside skill content (e.g.
plugins/foo/skills/bar/agents/). These are reference docs, not plugin
agent definitions. Only validate agents/ and commands/ at the plugin
root level.
Skills and commands are now merged, so SKILL.md name fields surface
in the UI as slash commands. Upper Space names like 'Hook Development'
become '/Hook Development', which doesn't work since user-invoked
commands don't support spaces.
Rename all affected SKILL.md name fields to lower-kebab-case:
- hookify: Writing Hookify Rules -> writing-hookify-rules
- plugin-dev: Agent Development -> agent-development
- plugin-dev: Command Development -> command-development
- plugin-dev: Hook Development -> hook-development
- plugin-dev: MCP Integration -> mcp-integration
- plugin-dev: Plugin Settings -> plugin-settings
- plugin-dev: Plugin Structure -> plugin-structure
- plugin-dev: Skill Development -> skill-development
Also update references in plugin-dev/README.md.
Adds a GitHub Actions workflow that validates frontmatter in agent,
skill, and command .md files changed by a PR. Checks:
- Agents: name and description are present and parseable
- Skills: description is present (required for Skill tool discovery)
- Commands: description is present and parseable
The workflow only runs when PRs touch files in agents/, skills/, or
commands/ directories, and only validates the changed files.
Use YAML block scalars (|) for multi-line description fields that contain
<example> blocks with colons and special characters. Without block scalars,
the YAML parser fails because it interprets lines like 'user:' and
'assistant:' as new key-value pairs.
Affected files:
- plugins/plugin-dev/agents/agent-creator.md
- plugins/plugin-dev/agents/skill-reviewer.md
- plugins/plugin-dev/agents/plugin-validator.md
- plugins/pr-review-toolkit/agents/code-simplifier.md
CodeRabbit is a code review partner that provides external validation
using specialized AI architecture and 40+ integrated static analyzers.
It offers context-aware analysis and automatically incorporates project
guidelines into reviews.
Co-authored-by: Claude <noreply@anthropic.com>
