Merge pull request #84 from project-codeguard/agent-skills

chore: rebase dev onto main, convert claude code to agent skills

Author: ramraaj25

.claude-plugin/marketplace.json

@@ -13,7 +13,7 @@
       "name": "codeguard-security",
       "source": "./",
       "description": "Comprehensive security rules for AI coding agents",
-      "version": "1.0.0",
+      "version": "1.0.1",
       "repository": "https://github.com/project-codeguard/rules.git",
       "tags": [
         "security",

.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "codeguard-security",
   "description": "Security code review skill based on Project CodeGuard's comprehensive security rules. Helps AI coding agents write secure code and prevent common vulnerabilities.",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "author": {
     "name": "Project CodeGuard",
     "url": "https://project-codeguard.org"

.github/ISSUE_TEMPLATE/new-rule.yml

@@ -6,7 +6,7 @@ body:
   - type: markdown
     attributes:
       value: |
-        Thank you for your new rule request! Please provide as much detail as possible. Use any of the existing rules as a reference. You only have to provide the rule contents (markdown), not the rule metadata. We will handle the rest. In other words, convert your rule into all the formats (Cursor, Windsurf, Copilot).
+        Thank you for your new rule request! Please provide as much detail as possible. Use any of the existing rules as a reference. You only have to provide the rule contents (markdown), not the rule metadata. We will handle the rest. In other words, convert your rule into all the formats (Cursor, Windsurf, Copilot, Antigravity).
 
   - type: textarea
     id: description

.github/ISSUE_TEMPLATE/rule-feedback.yml

@@ -26,6 +26,7 @@ body:
         - Cursor
         - GitHub Copilot
         - Windsurf
+        - Antigravity
         - Codex
         - Augment Code
         - Sourcegraph

.github/workflows/build-ide-bundles.yml

@@ -54,6 +54,7 @@ jobs:
           zip -r ../ide-rules-cursor.zip .cursor/
           zip -r ../ide-rules-windsurf.zip .windsurf/
           zip -r ../ide-rules-copilot.zip .github/
+          zip -r ../ide-rules-antigravity.zip .agent/
           cd ..
           zip -r ide-rules-all.zip dist/
           ls -lh ide-rules-*.zip
@@ -67,5 +68,6 @@ jobs:
             ide-rules-cursor.zip \
             ide-rules-windsurf.zip \
             ide-rules-copilot.zip \
+            ide-rules-antigravity.zip \
             --clobber
 

.github/workflows/validate-rules.yml

@@ -51,7 +51,6 @@ jobs:
             "sources/core/codeguard-1-hardcoded-credentials.md"
             "sources/core/codeguard-1-crypto-algorithms.md"
             "sources/core/codeguard-1-digital-certificates.md"
-            "sources/core/codeguard-1-safe-c-functions.md"
             "sources/core/codeguard-SKILLS.md.template"
           )
           
@@ -90,6 +89,11 @@ jobs:
             exit 1
           fi
           
+          if [ ! -d "test-output/.agent" ]; then
+            echo "❌ Antigravity rules not generated"
+            exit 1
+          fi
+          
           echo "✅ All IDE formats generated successfully"
 
       - name: Check skills/ directory is up-to-date

CONTRIBUTING.md

@@ -160,7 +160,7 @@ git push origin main
 
 **Note**: The conversion script automatically syncs the version from `pyproject.toml` to:
 - `.claude-plugin/plugin.json` and `marketplace.json` (Claude Code plugin metadata)
-- All generated IDE rule files (Cursor `.mdc`, Windsurf `.md`, Copilot `.instructions.md`, Claude Code `.md`)
+- All generated IDE rule files (Cursor `.mdc`, Windsurf `.md`, Copilot `.instructions.md`, Claude Code `.md`, Antigravity `.md`)
 
 This ensures version consistency across all artifacts.
 
@@ -174,7 +174,7 @@ This ensures version consistency across all artifacts.
 
 GitHub Actions will automatically:
 - ✅ Validate versions match the tag
-- ✅ Build IDE bundles (Cursor, Windsurf, Copilot)
+- ✅ Build IDE bundles (Cursor, Windsurf, Copilot, Antigravity)
 - ✅ Upload ZIP artifacts to the release
 
 ## Testing Your Changes

README.md

@@ -10,12 +10,12 @@ This project is an AI model-agnostic security framework and ruleset (internally
 
 AI coding agents are transforming software engineering, but this speed can introduce security vulnerabilities. Is your AI coding agent implementation introducing security vulnerabilities?
 
-- ❌ Skipping input validation
-- ❌ Hardcoding secrets and credentials
-- ❌ Using weak cryptographic algorithms
-- ❌ Relying on unsafe functions
-- ❌ Missing authentication/authorization checks
-- ❌ Missing any other security best practice
+- Skipping input validation
+- Hardcoding secrets and credentials
+- Using weak cryptographic algorithms
+- Relying on unsafe functions
+- Missing authentication/authorization checks
+- Missing any other security best practice
 
 Project CodeGuard solves this by embedding security best practices directly into AI coding agent workflows. 
 
@@ -31,14 +31,14 @@ Project CodeGuard is designed to integrate seamlessly across the entire AI codin
 
 Our rules cover essential security domains:
 
-- **🔐 Cryptography**: Safe algorithms (including post-quantum cryptography), secure key management, certificate validation
-- **🛡️ Input Validation**: SQL injection prevention, XSS protection, command injection defense
-- **🔑 Authentication**: MFA best practices, OAuth/OIDC, secure session management
-- **⚡ Authorization**: RBAC/ABAC, access control, IDOR prevention
-- **📦 Supply Chain**: Dependency security, SBOM generation, vulnerability management
-- **☁️ Cloud Security**: IaC hardening, container security, Kubernetes best practices
-- **📱 Platform Security**: Mobile apps, web services, API security
-- **🔍 Data Protection**: Privacy, encryption at rest/transit, secure storage
+- **Cryptography**: Safe algorithms (including post-quantum cryptography), secure key management, certificate validation
+- **Input Validation**: SQL injection prevention, XSS protection, command injection defense
+- **Authentication**: MFA best practices, OAuth/OIDC, secure session management
+- **Authorization**: RBAC/ABAC, access control, IDOR prevention
+- **Supply Chain**: Dependency security, SBOM generation, vulnerability management
+- **Cloud Security**: IaC hardening, container security, Kubernetes best practices
+- **Platform Security**: Mobile apps, web services, API security
+- **Data Protection**: Privacy, encryption at rest/transit, secure storage
 
 ## Quick Start
 
@@ -54,7 +54,7 @@ Get started in minutes:
 ## How It Works
 
 1. **Security rules** are written in unified markdown format (`sources/` directory)
-2. **Conversion tools** translate rules to IDE-specific formats (Cursor, Windsurf, Copilot, Claude Code)
+2. **Conversion tools** translate rules to IDE-specific formats (Cursor, Windsurf, Copilot, Agent Skills, Antigravity)
 3. **Release automation** packages rules into downloadable ZIP files
 4. **AI assistants** reference these rules when generating or reviewing code
 5. **Secure code** is produced automatically without developer intervention
@@ -63,7 +63,7 @@ Get started in minutes:
 
 ```
 sources/           # Source rules
-skills/            # Claude Code plugin (generated, committed)
+skills/            # Agent Skills format (generated, committed)
 src/               # Conversion and validation tools
 dist/              # Other IDE bundles (generated, not committed)
 ```
@@ -97,4 +97,4 @@ This project uses dual licensing:
 This licensing approach ensures the security rules remain freely accessible and reusable while providing appropriate terms for software components.
 
 
-Copyright © 2025 Cisco Systems, Inc.
+Copyright © 2025 Cisco Systems, Inc.

docs/claude-code-skill-plugin.md

@@ -70,14 +70,13 @@ When generating or reviewing code, Claude follows this 3-step workflow:
 
 ### Rule Categories
 
-**Always-Apply Rules** (4 critical rules checked on every code operation):
+**Always-Apply Rules** (3 critical rules checked on every code operation):
 - `codeguard-1-hardcoded-credentials` - Never hardcode secrets or credentials
 - `codeguard-1-crypto-algorithms` - Use modern cryptographic algorithms
 - `codeguard-1-digital-certificates` - Validate certificate security
-- `codeguard-1-safe-c-functions` - Replace unsafe C/C++ functions
 
-**Context-Specific Rules** (18 rules applied based on technology and features):
-- Input validation, authentication, authorization, APIs, data storage, privacy, logging, cryptography, file handling, serialization, supply chain, DevOps, cloud, Kubernetes, IaC, frameworks, and mobile security
+**Context-Specific Rules** (19 rules applied based on technology and features):
+- Input validation, authentication, authorization, APIs, data storage, privacy, logging, cryptography, file handling, serialization, supply chain, DevOps, cloud, Kubernetes, IaC, frameworks, mobile security, and memory safety (C/C++)
 
 ## Usage Examples
 
@@ -155,7 +154,7 @@ For organizations, deploy CodeGuard to all developers automatically:
 
 The plugin includes 22 comprehensive security rules organized into two categories:
 
-### Always-Apply Rules (4 rules)
+### Always-Apply Rules (3 rules)
 
 These critical rules are checked on **every** code operation:
 
@@ -164,9 +163,8 @@ These critical rules are checked on **every** code operation:
 | `codeguard-1-hardcoded-credentials` | Prevent secrets, passwords, API keys, tokens in source code |
 | `codeguard-1-crypto-algorithms` | Ban weak algorithms (MD5, SHA-1, DES); use modern alternatives |
 | `codeguard-1-digital-certificates` | Validate certificate expiration, key strength, signature algorithms |
-| `codeguard-1-safe-c-functions` | Replace unsafe C/C++ functions (gets, strcpy, strcat, sprintf) |
 
-### Context-Specific Rules (18 rules)
+### Context-Specific Rules (19 rules)
 
 These rules apply based on the programming language, framework, or feature being implemented. Claude automatically selects relevant rules based on context:
 
@@ -182,6 +180,7 @@ These rules apply based on the programming language, framework, or feature being
 | **Files & Serialization** | `codeguard-0-file-handling-and-uploads`, `codeguard-0-xml-and-serialization` |
 | **Infrastructure** | `codeguard-0-supply-chain-security`, `codeguard-0-devops-ci-cd-containers`, `codeguard-0-cloud-orchestration-kubernetes`, `codeguard-0-iac-security` |
 | **Platforms** | `codeguard-0-framework-and-languages`, `codeguard-0-mobile-apps` |
+| **Memory Safety (C/C++)** | `codeguard-0-safe-c-functions` |
 
 > **Note:** Each rule file contains detailed guidance, checklists, and examples. Claude references these automatically based on the code context.
 
@@ -291,7 +290,7 @@ uv run python src/convert_to_ide_formats.py
 This command:
 - Converts unified rules from `sources/` to IDE-specific formats
 - Generates `skills/` directory with the 22 core security rules (Claude Code plugin)
-- Creates `dist/` with IDE-specific formats (Cursor, Windsurf, Copilot)
+- Creates `dist/` with IDE-specific formats (Cursor, Windsurf, Copilot, Antigravity)
 
 **Note:** The Claude Code plugin (`skills/`) always contains only the 22 curated core rules. To build bundles with OWASP supplementary rules for other IDEs, use `--source core owasp`, but this only affects `dist/`, not `skills/`.
 
@@ -385,6 +384,11 @@ Found an issue with the plugin or want to improve it?
 
 ## Version History
 
+### Version 1.0.1
+- Changed `codeguard-1-safe-c-functions` from always-apply to `codeguard-0-safe-c-functions` context-specific rule (C/C++ only)
+- Updated rule counts: 3 always-apply rules, 19 context-specific rules
+- Fixed GitHub Copilot instructions to use `description` field instead of `title`
+
 ### Version 1.0.0
 - Initial release
 - 22 comprehensive security rules

docs/faq.md

@@ -26,7 +26,20 @@ This FAQ document provides clear, concise answers to help developers seamlessly
 ---
 ## Q: Will these rules consume a lot of the AI agent's **context window**?
 
-**A:** No. The always-on rules are designed to be lightweight and efficient, and should not consume a lot of the AI agent's context window. The "glob" rules are designed to be applied only to the related file types specified in the rule.
+**A:** The always‑on rules are lightweight and have minimal impact on the AI agent’s context window. Glob‑scoped rules only apply to their matching file types. Below are Cursor examples: left, no rules; right, three always‑on rules enabled.
+
+<p align="center">
+  <img src="../images/context-window-no-rules.png" alt="Cursor AI agent context window usage without Project CodeGuard rules" width="40%" style="display:inline-block; margin-right:2%;" />
+  <img src="../images/context-window-with-rules.png" alt="Cursor AI agent context window usage with Project CodeGuard rules enabled" width="40%" style="display:inline-block;" />
+</p>
+
+<center>
+  <sub>
+    <b>Left:</b> Context window usage without any rules in place.<br>
+    <b>Right:</b> Context window usage with three always-on rules enabled.
+  </sub>
+</center>
+
 
 ---
 ## Q: What are the OWASP supplementary rules?
@@ -37,19 +50,19 @@ This FAQ document provides clear, concise answers to help developers seamlessly
 
 ## Q: How can I use the rules in my own AI agent?
 
-**A:** You can use the rules in your own AI agent by creating a custom ruleset. You can create a custom ruleset by creating a new file in the `.cursor/rules`, `.windsurf/rules`, or `.github/instructions` directories and adding the rules you want to apply. You can also use the `project-codeguard/rules` repository as a template to create your own ruleset.
+**A:** You can use the rules in your own AI agent by creating a custom ruleset. You can create a custom ruleset by creating a new file in the `.cursor/rules`, `.windsurf/rules`, `.github/instructions`, or `.agent/rules` directories and adding the rules you want to apply. You can also use the `project-codeguard/rules` repository as a template to create your own ruleset.
 
 ---
 
 ## Q: Why does the downloaded release folder appear empty?
 
-**A:** After downloading and extracting the release, the folders may appear empty because the rule directories (`.cursor/`, `.windsurf/`, `.github/`) start with a dot (`.`) and are hidden by default on most operating systems.
+**A:** After downloading and extracting the release, the folders may appear empty because the rule directories (`.cursor/`, `.windsurf/`, `.github/`, `.agent/`) start with a dot (`.`) and are hidden by default on most operating systems.
 
 **To show hidden files:**
 
 === "macOS"
 
-    In Finder, navigate to the extracted folder and press ++cmd+shift+period++ to toggle the visibility of hidden files. You should now see the `.cursor/`, `.windsurf/`, and `.github/` directories.
+    In Finder, navigate to the extracted folder and press ++cmd+shift+period++ to toggle the visibility of hidden files. You should now see the `.cursor/`, `.windsurf/`, `.github/`, and `.agent/` directories.
 
 === "Windows"
 
@@ -63,15 +76,20 @@ This FAQ document provides clear, concise answers to help developers seamlessly
 
     In your file manager, press ++ctrl+h++ to toggle hidden files, or use `ls -la` in the terminal to view all files including hidden ones.
 
-Once hidden files are visible, you can copy the appropriate directory (`.cursor/`, `.windsurf/`, or `.github/`) to your project root.
+Once hidden files are visible, you can copy the appropriate directory (`.cursor/`, `.windsurf/`, `.github/`, or `.agent/`) to your project root.
 
 ---
 
 ## Q: Can I use this with Claude Code?
 
-**A:** Yes! Claude Code automatically reads and follows instructions from a `CLAUDE.md` file in your project root. To use Project CodeGuard rules with Claude Code you can point to the Project CodeGuard rules in your `CLAUDE.md` file.
+**A:** Yes! Install the Project CodeGuard Claude Code plugin (Agent Skill) and Claude will apply the security rules automatically while you code.
+
+```bash
+/plugin marketplace add project-codeguard/rules
+/plugin install codeguard-security@project-codeguard
+```
 
-When Claude Code operates in your project, it treats the Project CodeGuard security rules in `CLAUDE.md` as authoritative system instructions.
+For team/repo defaults, add the plugin in `.claude/settings.json` so it’s enabled for all contributors. See the [Claude Code Plugin documentation](claude-code-skill-plugin.md) for details and troubleshooting.
 
 
 ## Q: How can I report a problem or enhancement to any of the rules?
@@ -86,17 +104,6 @@ We welcome all feedback - whether it's a bug report, success story, or enhanceme
 
 ---
 
-## Q: Why do I get the following error message in GitHub for some of the rules?
-
-```
-Error in user YAML: (<unknown>): did not find expected alphabetic 
-or numeric character while scanning an alias at line x column x
-```
-
-**A:** You can safely ignore this error. GitHub attempts to parse YAML headers combined with markdown content, which can cause this warning. It does not affect rule functionality - the rules will work correctly in your IDE regardless of this GitHub display issue.
-
----
-
 ## Q: How can I contribute to these rules and this project?
 
 **A:** You can contribute at any time by:
@@ -110,6 +117,12 @@ See [CONTRIBUTING.md](https://github.com/project-codeguard/rules/blob/main/CONTR
 
 ---
 
+## Q: Does Project CodeGuard replace my security scanners?
+
+**A:** No, Project CodeGuard rules do not replace your security scanners. The primary purpose of CodeGuard is to help you avoid introducing new security vulnerabilities as you write code, by providing agentic rules and guidance directly in your IDE. If you perform a code review using these rules, Project CodeGuard will most likely identify many of the same vulnerabilities that security scanning tools would find. However, CodeGuard is not a comprehensive substitute for security scanners—automated security tools are designed to thoroughly analyze your entire codebase and catch a broader range of issues. For best results, use CodeGuard rules in combination with your existing security scanners to maximize your code’s security.
+
+---
+
 ## Still have questions?
 
 **Can't find your answer?**