Added
- CC-SK-021: Hardcoded User Directory Path (closes #832). New MEDIUM/SHOULD
claude-skillsrule flagging hardcoded user-home paths (/Users/<name>/,/home/<name>/,C:\Users\<name>\) in bundled skill content - they leak the author's identity and are non-portable. TheSkillValidatorwalks the skill directory and scans theSKILL.mdbody, sibling.mdbodies (frontmatter skipped), and bundled scripts (.sh/.bash/.zsh/.fish/.py/.rb/.pl/.lua/.js/.ts/.mjs, or any extensionless file with a#!shebang - scanned whole, including the shebang). Placeholder names (user,example,foo, ...) and<name>/${...}/{{...}}/$HOMEforms are not flagged. Manual fix only (~/,$HOME/, a project-relative path, or$PROJECT_ROOT). Covered by 12 unit/integration tests. Rule count 420 -> 421.
Fixed
CC-HK-001no longer flags theMessageDisplayhook event (closes #989). Claude Code v2.1.152 added aMessageDisplayhook event (lets hooks transform or hide assistant message text as it is displayed). It was missing fromHooksSchema::VALID_EVENTS, so a validMessageDisplayhook insettings.jsontrippedCC-HK-001"Invalid hook event". Added to the valid-event set; left out ofMATCHER_EVENTS/PROMPT_EVENTSsince it is a command-type display hook (so matcher and prompt/agent misuse still flag). Regression-tested intest_cc_hk_001_message_display_event_valid.
Changed
- Tool baselines: triaged the auto-opened release-watch issues and bumped
claude-codev2.1.142->v2.1.152(closes #989),codexrust-v0.133.0->rust-v0.134.0(closes #990),opencodev1.15.10->v1.15.11(closes #992),clinecli-v3.0.3->cli-v3.0.13(closes #988), andcursor3.5.33->3.5.38(closes #991). Aside from the Claude CodeMessageDisplayfix above, the changes were agnix-irrelevant: Codexmcpoauth/env_varskeys andprofileconfig are already covered; OpenCodeheaderTimeout/modalitiessit underprovider.*(not the OC-004 top-level allow-list); Cline was TUI-only; Cursor exposes only a version marker. No further validator, rule,ToolVersions, orSpecRevisionschange required..github/tool-release-baselines.jsonandknowledge-base/RESEARCH-TRACKING.mdupdated.