Skip to content

What's New

Latest changes to the VisiTrans Claude Toolkit.

v3.31.0 (2026-04-20)

Security baseline hardening (SPEC-114) — The security baseline grew from 5 categories / ~20 deny rules to 11 categories / ~128 deny rules. Six new categories close governance gaps that prior CLAUDE.md instructions failed to enforce: git safety (force push / hard reset / clean -f), inline code execution (python -c / node -e), database destructives (DROP / ORM reset), infrastructure teardown (terraform destroy / namespace delete), self-modification protection (global ~/.claude/ files and .git/), and agent governance (--dangerously-skip-permissions, crontab, audit-log removal).

Notable additions: - Category 2 bypass closedGrep and Glob mirrors now block the credential-read bypass that existed when only Read(**/.env) was denied. .env variants enumerated so .env.example remains readable (EC-01). - .claudeignore now actually enforced — Claude Code does not natively honor .claudeignore; the new claudeignore-guard.sh PreToolUse hook closes that gap. - Pre-commit fail-closed — the pre-commit hook now blocks staged .env files and invokes secret-scanner.sh on every staged file, failing the commit (with install instructions) if the scanner is missing rather than silently skipping. - Scaffold and bootstrap now generate .claudeignore for all project types and .gitleaks.toml for coding/mixed projects. The gitignore-base template gained .env entries that were previously missing for knowledge and design projects.

See SECURITY-CONFIG.md for the full threat model per category.

v3.16.0 (2026-03-18)

Advanced diagram generation (SPEC-077) — Two new capabilities for diagram workflows:

  • Format auto-selection: vt-c-mermaid-diagrams-branded now counts diagram elements and warns when Mermaid's Dagre layout may struggle. Under 10 elements: proceed; 10–15: ask user; over 15: recommend PlantUML.
  • C4 from YAML (/vt-c-c4-diagram): Generate branded C4 context and container diagrams directly from c4: YAML frontmatter in system notes — no manual Mermaid authoring. Supports actors, containers, external systems, and typed relationships. VisiTrans brand colors applied automatically.

v3.15.0 (2026-03-18)

Strategic mentor review agent (SPEC-075) — Added strategic-mentor agent that provides VIABLE / NEEDS REVISION / FLAWED verdicts on plans and specs before build begins. Dispatched in parallel with plan-checker in /vt-c-2-plan Step 4.5 (informational, non-gating).

v3.9.0 (2026-03-08)

Hook security audit (SPEC-053) — Repo audit had no way to detect tampered, unauthorized, or rogue hook scripts. Added checksum verification, unknown hook detection, network call scanning, and permission checks against a trusted hooks manifest (configs/security/trusted-hooks.yaml) with SHA-256 checksums for all 23 hook scripts.

Also in this release

  • Wave-based dependency execution (SPEC-054) — parallel wave scheduling in /vt-c-activate and /vt-c-3-build
  • Visual reference enforcement (SPEC-056) — design implementation verification
  • Security review pipeline (SPEC-028) — structured security review workflow
  • /vt-c-complete skill split from /vt-c-activate --complete for dedicated spec completion
  • Deploy→finalize rename across all active files

v3.8.0 (2026-03-06)

Namespace convention (SPEC-050) — Skills, commands, agents, and hooks from the toolkit collided with identically-named artifacts from external plugins (compound-engineering). Applied vt-{p}-{name} namespace to all 102 skills, 37 commands, 54 agents, and 7 hooks. Created agent symlink manifest and manifest-based deployment in setup.sh.

Documentation refresh (SPEC-048) — Documentation had drifted from actual toolkit state across five gap categories. Updated component counts, completed all symlink manifests, added missing guides (security governance, composable skills, contributing), created plugin READMEs, and integrated architecture docs into the MkDocs site.

Also in this release

  • Worktree-aware phase transitions (SPEC-040) — workflow skills detect and switch to correct worktrees
  • Plan-checker validation loop (SPEC-042) — automated plan validation up to 3 iterations in /vt-c-2-plan
  • Adopted 3 orphaned hooks into governed plugin manifests
  • Cleaned up 8 orphaned agent files and 6 orphaned skill artifacts from ~/.claude/

v3.7.0 (2026-03-04)

GSD wave execution (SPEC-036) — Added wave-grouped dashboard to /vt-c-activate, parallel opportunity detection in /vt-c-3-build, and pre-plan /vt-c-shape skill for dependency-aware execution.

Agent architecture patterns (SPEC-044) — Created reference documentation for CC 2.1 patterns (skill hooks, policy islands, fork semantics, orchestrators) with examples and pitfall guidance.

Configuration drift audit (SPEC-046) — Extended /vt-c-repo-health to detect security configuration drift from baseline snapshots, flagging weakened deny rules and MCP server sprawl.

Also in this release

  • Document placement strategy (SPEC-038) — docs-only changes stay on current branch, eliminating visibility gaps
  • Beads activation (SPEC-034) — distributed issue tracker replaces file-todos for persistent work-item tracking

v3.6.0 (2026-03-03)

Security hardening (SPEC-035) — Established security baseline configs for Claude Code settings with deny rules and MCP whitelisting audit integration into /vt-c-repo-health.

CWP pre-PR checks (SPEC-037) — Automated pre-PR validation for CWP lifecycle with must-pass checks (MkDocs build, YAML frontmatter, no broken wikilinks) integrated into /vt-v-cwp.

Also in this release

  • UFI country enrichment pipeline (SPEC-039) — added country enrichment to /vt-u-sync for contacts and companies with confidence scoring

v3.5.0 (2026-03-02)

Skill permission governance (SPEC-029) — Addressed approval fatigue in long sessions by adding skill-to-agent permission binding, autonomy hooks for continuation decisions, and pre-authorized agent templates.

Skill quality assurance (SPEC-031) — Added pressure-test validation to skill-creator and spec-compliance review as a prerequisite to code quality checks, preventing untested and spec-drifted implementations.

v3.4.0 (2026-03-01)

Intelligent skill activation (SPEC-030) — Skills were forgotten after context compaction, hook matchers couldn't filter by file path, and there was no intent-based skill suggestion. Added three-layer skill amnesia mitigation (CLAUDE.md inventory, PreCompact hook, post-compaction recovery), a reusable path-match.sh utility for file-path filtering in hook scripts, and a UserPromptSubmit intent matcher that suggests relevant skills based on user input keywords.

Agent worktree isolation (SPEC-032) — Write-capable agents running concurrently could cause branch contamination. Audited all 58 agents and added isolation: worktree to 9 qualified agents. Updated agent creation guidelines with a 4-question isolation decision checklist.

Also in this release

  • Fixed vault-write-guard.sh to read from stdin JSON (was using unimplemented $CLAUDE_TOOL_INPUT)
  • Deployed path-match.sh symlink to ~/.claude/hooks/ for hook script reuse
  • Skill inventory (67 skills) added to user-global CLAUDE.md (Part 5)
  • Skill amnesia mitigation pattern documented at docs/solutions/patterns/

v3.3.0 (2026-02-27)

Finalize gate version enforcement (SPEC-023) — Releases could proceed without version bumps or changelog entries, causing silent drift between what was finalized and what documentation reflected. Added check-finalize-versions.sh that blocks /vt-c-5-finalize when version bump or changelog entry is missing for changed plugins.

Session start notifications (SPEC-022) — Users had no visibility into plugin version changes between sessions. Added a startup hook that compares registry versions against last-seen state and shows version diffs with top changelog entries for context.

Review auto-fix loop (SPEC-024) — Code reviews often returned findings that were mechanically fixable, adding friction. Added auto-fix loop to /vt-c-4-review that classifies findings as [AUTO-FIXABLE] or [HUMAN-REQUIRED] and applies mechanical fixes up to 2 iterations before surfacing remaining issues.

Documentation sync skill — Created /vt-c-doc-sync to audit documentation against actual toolkit state. Checks component counts, terminology, version references, and macros. Maintains a change ledger capturing the "why" behind each change.

Also in this release

  • Plugin versioning guide at docs/guides/plugin-versioning.md
  • CHANGELOG.md requirement in creating-plugins guide
  • Change ledger (docs/change-ledger.md) with entries for SPEC-020 through SPEC-024

v3.1.0 (2026-02-25)

IMS plugin extraction (SPEC-021) — The core-standards plugin had grown to include IMS agents and skills only relevant to compliance workflows. Extracted 6 agents and 6 skills into an independent ims plugin with its own metadata and changelog.

v3.0.0 (2026-02-14)

Multi-plugin architecture — The monolithic plugin structure couldn't support department-specific tooling. Introduced per-plugin .claude-plugin/ directories, plugins/registry.json as version authority, and setup.sh --plugins flag for selective installation.

Two-workflow architecture — Harmonized from three-workflow to two-workflow per constitution v1.0.0: Unified Product Development and Knowledge Work.

Also in this release

  • Finance department plugin as separate optional plugin
  • --list-plugins command for plugin discovery
  • /vt-c-content-evaluate skill for deep knowledge gap analysis
  • 13 legacy docs files removed (superseded by MkDocs site)

v2.1.0 (2026-02-12)

  • Product Design workflow (/vt-c-pd-0-start through /vt-c-pd-6-handoff)
  • Knowledge Work workflow (/vt-c-kw-0-start through /vt-c-kw-4-publish)
  • Research ingestion system (/vt-c-research-ingest, /vt-c-research-implement)

v2.0.0 (2026-02-10)

  • Numbered workflow sequence /vt-c-0-start through /vt-c-6-operate
  • Session journal and session consolidator for continuous knowledge capture
  • Production-ready components: incident response, continuous learning, quality infrastructure

Full changelog | Change ledger