183 Commits

Author SHA1 Message Date
saranp1
9ceab49a1c docs: fix Premium tier domain typo in README (uipm.cc -> uupm.cc) (#405)
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
2026-07-03 00:24:32 +07:00
Clark Cant
bf5c3cfb61 Merge pull request #402 from Abraham040203/feat/motion-domain-design-dials
Add motion domain and design dials (variance/motion/density)
2026-07-02 23:26:22 +07:00
文敏華
6a6167691a Rename motion domain to gsap to avoid collision with PR #296
PR #296 (feat/emil-motion-principles) independently registers a "motion"
domain key in CSV_CONFIG/detect_domain for motion-principles.csv (37
design-principle rows). Both PRs adding the same dict key would cause
one to silently overwrite the other's domain registration if merged
independently, per the automated review on this PR.

The two domains are complementary, not duplicate (design principles vs.
ready-to-use GSAP code snippets), so this renames this PR's domain from
"motion" to "gsap" - a more precise name given every row is GSAP-specific
implementation code. The --motion CLI dial and its "Subtle/Standard/
Complex" tiers are unaffected (unrelated to the domain key; only the
`--domain gsap` search endpoint and its internal lookup changed). No
regressions: --design-system output with no dials set remains
byte-identical to before this feature.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
2026-07-02 23:36:44 +08:00
Isi-blip
247bf48d02 docs: sync CLAUDE.md stack list with core.py STACK_CONFIG (#404)
STACK_CONFIG in src/ui-ux-pro-max/scripts/core.py defines 22 stacks,
but the Available stacks list in CLAUDE.md only listed 16, silently
omitting threejs, wpf, winui, avalonia, uno, and uwp.
2026-07-02 21:25:21 +07:00
fivv
d7e37dd359 docs: sync Chinese README with English version (#403)
Update README.zh.md to match the current English README.md:
- Reasoning rules 100 -> 161 (badges, headings, flow diagram, features)
- Color palettes 96 -> 161 (aligned 1:1 with product types)
- Tech stacks 13 -> 22 (list all 22 stacks; expand supported-stacks table with Angular/Laravel/Three.js/JavaFX)
- npm package uipro-cli -> ui-ux-pro-max-cli (badges, install, contributor steps)
- Add install entries for kilocode, warp, augment; add uninstall/global commands
- Expand reasoning-rules table (fill examples, add Lifestyle category)
- Add design-system javafx examples
- Replace manual cp -r with npm run sync:assets / check:assets
- Add sections: Basic vs. Premium, Automated Releases, Troubleshooting, Compatible Agents
- Fix inconsistent pronoun (您 -> 你) for consistency

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-02 08:55:43 +07:00
文敏華
4f341e2af1 Sync cli/assets with src (catch up pre-existing drift)
cli/assets had fallen out of sync with src/ui-ux-pro-max ahead of this
change (unrelated to the motion-domain feature) - colors.csv, products.csv,
google-fonts.csv, draft.csv, several platform templates, and sub-skill
scripts/tests had all drifted. Ran the project's own `sync-assets.mjs`
to bring cli/assets back in line with the source of truth per the
documented Sync Rules; `--check` now reports assets as in sync.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
2026-07-01 22:54:13 +08:00
文敏華
bd9329c9cb Add motion domain and design dials to design-system generator
Adds a new searchable `motion` domain (motion.csv, 16 GSAP animation
skeletons across hover/scroll-reveal/stagger/page-transition/parallax/
loading, each tagged Subtle/Standard/Complex) plus three optional 1-10
dials on `--design-system` — --variance, --motion, --density — inspired
by taste-skill's DESIGN_VARIANCE/MOTION_INTENSITY/VISUAL_DENSITY sliders.

- --variance biases style search/selection toward centered-minimal (low)
  or bold-asymmetric (high) categories
- --motion attaches a matching GSAP snippet (code + framework notes +
  do/don't) from motion.csv
- --density overrides the --space-* token scale in ASCII/markdown/MASTER.md
  output (spacious <-> dense/dashboard)

All three dials are optional and additive; output with no dials set is
byte-identical to before (verified via regression diff). Synced into
.claude/skills/ui-ux-pro-max and cli/assets alongside src/ui-ux-pro-max
(source of truth) so all three installed copies stay consistent.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
2026-07-01 22:54:02 +08:00
Li Yin
8e43c9d98f docs: Add compatible agents section with AdaL (#142) 2026-07-01 19:56:24 +07:00
Tarana
3effe971c0 Add Basic vs. Premium Version Comparison to README (#232)
Added the comparison between Basic and Premium versions to the README. Users were asking about this difference in Issue #156, so I added it here to improve the documentation.
2026-06-30 04:25:11 +07:00
fivv
782d4e79c5 docs: add Chinese README with bilingual support (#173)
Add README.zh.md with complete Chinese translation
Add language switcher links in both README files
Support for 简体中文 / English bilingual access

Features:
- Full translation of all UI/UX style names and terminology
- Consistent industry-standard Chinese terms (玻璃拟态、粗野主义等)
- Language switcher with flag icons at the top of both files
2026-06-30 02:55:27 +07:00
nhatvy142
3327f9dcb3 feat: add three UI project examples (#174)
- SaaS landing page with social proof, pricing, testimonials
- Healthcare analytics dashboard with charts and KPIs
- Portfolio website with dark mode and project grid

All built using ui-ux-pro-max design system recommendations.

https://claude.ai/code/session_01E4rdBvf1LWqQ1XMTic7NrU

Co-authored-by: Claude <noreply@anthropic.com>
v2.10.0
2026-06-29 23:59:34 +07:00
Munir Abbasi
8a81ed6027 Merge PR #223: Expand products database with 31 new product types and improved keywords
* Add revised products.csv

* add 31 new color profiles
2026-06-28 09:27:07 +07:00
Clark Cant
65e2319949 Merge pull request #242 from jizc/feature/desktop-apps
feat(stacks): add 5 .NET desktop stacks — WPF, WinUI 3, UWP, Avalonia, Uno Platform
v2.9.0
2026-06-27 06:55:34 +07:00
Pirate252
9fd25fe07e Fix codegen/validator bugs and a standalone-install break across four skills (#346)
* Fix invalid Tailwind config output (missing comma before plugins)

`tailwind_config_gen.py` serialized the config by json.dumps()-ing
everything except `plugins`, stripping the outer braces, then appending
`plugins: [...]` in the template. The JSON block's last property (`theme`)
has no trailing comma, so the emitted config was:

    "theme": { ... }
    plugins: [],

which is a syntax error (`Unexpected identifier 'plugins'`) — every
generated tailwind.config.ts / tailwind.config.js failed to parse.

Add the missing comma after the serialized block in both
`_generate_typescript` and `_generate_javascript`.

The existing 54 tests passed because they only assert on the data
structure, never parsing the emitted string as JS. Add a
`TestGeneratedConfigIsValidJs` regression class that (1) asserts the
property before `plugins` is comma-terminated (pure Python) and (2)
parses the generated config with `node --check` when node is available.
Both new cases fail on the pre-fix code.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Fix validate-tokens.cjs missing violations on lines that use a token

The scanner skipped any line containing `var(--` outright, so a hardcoded
value sharing a line with a token reference was never reported:

    .btn { background: #FF6B6B; color: var(--color-primary); }  // missed

This is a broad false-negative: real CSS routinely puts several properties
on one line, and minified CSS is a single line — one `var()` anywhere
suppressed every violation in the file. (The Python slide validator already
handles this correctly, so the two validators disagreed.)

Remove the line-level skip. Token-definition files are already excluded by
`skipPatterns` at the file level, and none of the detection regexes can
match inside a `var(--...)` reference, so this adds no false positives.

Add a pytest regression test (drives the CLI via node) asserting a hex
sharing a line with a token is flagged, and that a token-only line stays
clean. The first case fails on the pre-fix code.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Fix sync-brand-to-tokens.cjs crashing on the bundled starter template

The color parser required a parenthesized name in the Quick Reference row
(`#2563EB (name)`) and a bolded label in the color tables
(`**Primary Blue** | #hex`). The bundled `brand-guidelines-starter.md` uses
neither — its rows are `| Primary Color | #2563EB |` and
`| Primary Blue | #2563EB |`. So no base hex was extracted, and
`generateColorScale(undefined)` → `adjustBrightness(undefined)` threw:

    TypeError: Cannot read properties of undefined (reading 'replace')

i.e. the documented "edit guidelines → sync" flow crashed on the skill's
own starter template.

- Rewrite the parser: Quick Reference matches hex without a parenthesized
  name; color-table rows match with optional bold; an accent swatch living
  in another table (the starter's "Accent Green" under Secondary Colors) is
  picked up by a fallback scan.
- Skip any role with no base hex (with a warning) instead of crashing, guard
  adjustBrightness against non-string input, and initialize tokens.primitive
  so a tokens file without it doesn't throw.

Add a pytest regression test (drives the CLI via node) that syncs the bundled
starter template and asserts the expected base colors are written. It fails
on the pre-fix code.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Vendor ui-ux-pro-max scripts/data so a standalone skill install works

`.claude/skills/ui-ux-pro-max/scripts` and `.../data` were symlinks into the
repo's top-level `src/ui-ux-pro-max/`:

    scripts -> ../../../src/ui-ux-pro-max/scripts
    data    -> ../../../src/ui-ux-pro-max/data

That resolves in a full checkout, but installing a single skill by copying
`.claude/skills/<name>/` into `~/.claude/skills/` leaves the links pointing at
`~/src/ui-ux-pro-max/`, which does not exist. The links dangle and `search.py`
— the entire searchable engine behind --design-system / --domain / --persist —
fails with `No such file or directory`. (The embedded rule tables in SKILL.md
still work, masking the breakage.)

Replace the two symlinks with the real `scripts/` and `data/` files so the
skill is self-contained, matching how the sibling skills (design,
design-system, ui-styling, brand) already ship real files under their own
`scripts/`. Maintainers who prefer to keep the `src/` + symlink architecture
may instead document that this skill requires a full-repo checkout.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: abukardini7 <abukardini7@gmail.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-26 20:25:35 +07:00
Crocodile Forest
e3a7f270ff docs: make SKILL.md stack-neutral instead of React Native-only (#372)
The skill body claimed "React Native (this project's only tech stack)"
and listed only `react-native` under Available Stacks. That contradicts:

- the SKILL.md frontmatter description ("web and mobile", multi-stack)
- plugin.json, which advertises 15 stacks
- the shipped data/stacks/ engine data (16 stack CSVs)

So `--stack nextjs`/`react`/`shadcn`/`vue`/etc. have always worked; the
docs just never said so, steering every project toward React Native.

Make the guidance framework-agnostic:
- Step 1 "Stack" bullet: match the project's framework, not RN
- Step 4 heading/command: generic `--stack <your-stack>`
- Available Stacks table: list all shipped stacks
- Example workflow (a homepage) uses a web stack
- Tips line generalized
2026-06-26 14:17:56 +07:00
Duy /zuey/
cc3d1be743 fix(cli): publish under fallback npm package (#393) v2.8.8 2026-06-26 11:02:09 +07:00
Jan Ivar Z. Carlsen
090a405cc0 feat(stacks): add 5 .NET desktop stacks — WPF, WinUI 3, UWP, Avalonia, Uno Platform
Adds WPF, WinUI 3, UWP, Avalonia, and Uno Platform stacks (17 -> 22 total),
each with its own guidelines CSV, registered in core.py and synced to cli/assets.

- New stack CSVs in src/ and cli/assets/data/stacks/
- search.py / core.py registry updated
- smoke-stacks.sh: EXPECTED_STACK_COUNT 21 -> 22 with a smoke-test workflow
- platform template descriptions and README bumped to 22 technology stacks
2026-06-25 21:51:59 +02:00
Alexander
318e0b2e40 fix(cli): use npm-canonical bin path so the uipro command survives publish (#392)
The bin mapping was "./dist/index.js". On publish, npm normalizes bin
values and the leading ./ triggers a warning -- on the npm version in the
release runner it reports `bin[uipro] script name dist/index.js was
invalid and removed`, i.e. the published package ships with no `uipro`
command, so `npx uipro-cli init` would not work even once publishing
succeeds (see #353).

Change the value to the canonical `dist/index.js` (exactly what
`npm pkg fix` produces). src/index.ts already has the
`#!/usr/bin/env node` shebang, which bun build preserves, so the bin is
executable.

Verified: `npm publish --dry-run` no longer emits the bin warning, and
dist/index.js is included in the tarball; typecheck passes.

Addresses the package-metadata half of #353. Actually landing on npm
still requires a release run with a token that has publish rights for
uipro-cli.
v2.8.7
2026-06-25 20:17:09 +07:00
Alexander
d86f44368d fix(scripts): force UTF-8 stdout/stderr in design_system.py on Windows (#390)
design_system.py prints box-drawing characters and swatches (--, OK marks,
block swatches), but unlike search.py it never reconfigured stdout. On a
non-UTF-8 Windows console (cp1252/gbk) running the CLI crashes with
UnicodeEncodeError, the same failure reported in #112 for search.py.

Mirror the wrapper search.py already uses: re-wrap stdout/stderr in a
UTF-8 TextIOWrapper when the console encoding is not UTF-8. Applied to
the source of truth and the synced cli/assets copy.

Verified: the CLI runs clean under PYTHONIOENCODING=cp1252 (exit 0, no
UnicodeEncodeError) while still emitting the box/swatch output;
check:assets passes.

Related to #112 (search.py is already fixed on main; this covers the
remaining design_system.py instance).
v2.8.6
2026-06-25 18:30:49 +07:00
Alexander
7d62cd093b fix(manifests): correct style/font-pairing/stack counts (#289) (#391)
The marketplace-facing manifests understated the catalog. Actual data:
84 styles (styles.csv), 73 font pairings (typography.csv), and 17 stacks
(data/stacks/*.csv), but plugin.json, marketplace.json, and skill.json
all claimed 67 styles / 57 font pairings / 15 stacks.

Update the three manifests to 84 / 73 / 17, and extend the stack
enumeration to the full 17 (adding Angular, Laravel, JavaFX, Three.js,
and Nuxt UI). Palettes (161) and charts (25) were already correct.

Resolves the count-drift finding in #289 (supersedes the stuck #282 and
#329, which only partially corrected the numbers).
2026-06-25 18:16:15 +07:00
Alexander
ef5f5ba0e6 fix(cli): install all 7 skills via uipro init, not just the orchestrator (#362) (#387)
* fix(cli): install all 7 skills via uipro init, not just the orchestrator

`uipro init` rendered only the orchestrator (ui-ux-pro-max) and never
delivered the 6 sibling skills (banner-design, brand, design,
design-system, slides, ui-styling), so users got 1 of 7 skills (#362).

- sync-assets.mjs: bundle the 6 sub-skills into cli/assets/skills/ as
  static copies (source of truth: .claude/skills/), with sync + check
  coverage. Excludes ui-styling/canvas-fonts (~5.8MB of TTF) and
  __pycache__/.pyc cruft — a skill registers from its SKILL.md, not its
  fonts — so the bundle adds ~0.9MB, not ~6.6MB.
- template.ts: after rendering the orchestrator, install each bundled
  sub-skill as a sibling. The skills parent is derived from the
  platform's skillPath (skills/ for most, prompts/ for copilot,
  steering/ for kiro) rather than hardcoded.
- uninstall.ts: remove the sub-skills too.

Verified: check:assets in sync, tsc passes, and a per-platform install
harness delivers all 7 skills to the correct parent dir with no fonts.

Closes #362

* fix(cli): filter excluded files from target side of check:assets

check:assets filtered sourceFiles with isExcludedAssetFile but not
targetFiles, so a stray cli/assets/scripts/__pycache__/*.pyc (generated
by a local Python run) was reported as an "extra asset file" and failed
the gate. Apply the same predicate to targetFiles in both the
dirsToSync and sub-skill loops.

Verified: check:assets now passes with __pycache__/*.pyc present in the
target tree; typecheck passes.

* fix(cli): uninstall from each platform's real skills dir, not hardcoded skills/

removeSkillDir() hardcoded <folder>/skills/<name>, but the installer
places skills under each platform config's skillPath parent — copilot in
.github/prompts/, kiro in .kiro/steering/. So uninstall left those
platforms' skills (orchestrator + sub-skills) behind.

Derive the install parent from loadPlatformConfig(aiType).folderStructure
(same source the installer uses), and keep the legacy <folder>/skills/
cleanup (incl. .shared/) for older installs. Deduped via a Set.

Verified: typecheck passes; an install+uninstall harness removes all 7
skills with zero leftovers for claude (.claude/skills), copilot
(.github/prompts) and kiro (.kiro/steering).

* fix(cli): re-sync bundled sub-skills after #385 stripped ckm- names

#385 merged to main and removed the ckm- prefix from the six
.claude/skills/*/SKILL.md name fields. This branch's bundled copies
under cli/assets/skills/ still carried the old ckm- names, so after the
PR merges with main the source no longer matched the bundle and the
check-asset-sync CI gate failed (stale asset file: skills/*/SKILL.md).

Merge main and regenerate the bundle so cli/assets/skills matches the
current .claude/skills source of truth. check:assets and typecheck pass.
v2.8.5
2026-06-25 17:33:23 +07:00
Alexander
232f201dfa fix(plugin): register all 7 skills in the Claude Code plugin (#385)
Two issues caused Claude Code plugin users to see only 1 (or 0) of the
7 bundled skills:

- .claude-plugin/plugin.json declared `"skills": ["./.claude/skills/ui-ux-pro-max"]`
  — an array pointing at a single subfolder. With a marketplace-root
  source this replaces the default scan, so the other 6 skills never
  load. Point it at the parent directory ("./.claude/skills/") so the
  loader scans all 7 <name>/SKILL.md subfolders. (#360)

- The 6 sub-skill SKILL.md `name:` fields kept a `ckm-` prefix
  (e.g. `ckm-brand` in dir `brand`) that no longer matched their
  directory names, tripping loaders that require name == directory.
  Strip the prefix so each name equals its folder. (#266)

Closes #360
Closes #266
v2.8.4
2026-06-25 16:43:46 +07:00
Alexander
4ab70389b2 fix(cli): make uipro update upgrade CLI via npm
Approved by github-maintain cron-safe review. Supersedes #326.
v2.8.3
2026-06-25 16:18:09 +07:00
Alexander
3a12b63bd8 fix(scripts): guard persist_design_system against None project_name (#388)
persist_design_system crashed with AttributeError: 'NoneType' object has
no attribute 'lower' when the design_system dict carries an explicit
project_name of None (the default of generate(query, project_name=None)).
dict.get("project_name", "default") only substitutes the default for a
MISSING key, not a present-but-None value, so project_name.lower() blew
up.

Coalesce falsy values (None/""/missing) to "default" before slugifying.
Applied to both the source of truth and the bundled cli/assets copy.

The "search blindness" half of #159 (core.py tokenize length filter) is
already resolved on main (`len(w) >= 2`), so this targets the remaining
crash only.

Closes #159

Co-authored-by: YangKuoshih <155388493+YangKuoshih@users.noreply.github.com>
v2.8.2
2026-06-25 15:43:33 +07:00
Alexander
57d9ba7989 fix(cli): replace stale data/scripts pointer files on install (#386)
On Windows, an older install (or a git checkout that materialized the
repo's symlinked data/scripts as plain "pointer" files) leaves a regular
file at <skill>/data or <skill>/scripts. copyDataAndScripts then calls
mkdir on that path, which throws EEXIST; under `uipro init --ai all` the
per-platform error is swallowed, leaving e.g. codex with the stale
pointer files and no real directories.

Add ensureCleanDir(): before mkdir, lstat the target and remove it if it
is not already a directory. Existing real directories are preserved
(re-install is unaffected). Verified with a repro harness.

Closes #237
v2.8.1
2026-06-25 15:15:04 +07:00
Alexander
3ebb9c8fd5 feat(release): publish uipro-cli to npm on release (#384)
Adds semantic-release npm publishing for the cli package with pkgRoot=cli and NPM_TOKEN wiring, completing the npm-publish slice of #353.
v2.8.0
2026-06-25 13:10:54 +07:00
Alexander
b4d33beada fix CLI asset sync (#355)
* fix CLI asset sync

* fix(cli): normalize line endings in asset sync/check

check:assets hashed raw bytes, so identical CSV/JSON/py content with
CRLF vs LF (git autocrlf on checkout) was reported as stale drift,
blocking the release guard on Windows/mixed checkouts.

- fileHash now normalizes CRLF->LF before hashing, so check:assets
  compares content, not line endings.
- sync:assets writes LF-normalized copies instead of a raw byte copy,
  so re-syncing is deterministic across platforms.

All synced assets are text (csv/json/md/py); no binaries affected.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* ci: enforce CLI asset sync on PRs

Adds a Check asset sync workflow that runs `npm run check:assets` on any
PR touching src/ui-ux-pro-max/** or cli/assets/**, so the bundled CLI
assets can't silently drift from the source of truth.

The check uses only node builtins (no install step) and normalizes
line endings before hashing, so it hard-fails on real content drift
without the CRLF/LF soft-fail hack other approaches needed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 12:54:58 +07:00
OrbisAI Security
efa51376ad feat(cli): add optional GitHub token support for higher API rate limits (#294)
* fix: V-001 security vulnerability

Automated security fix generated by Orbis Security AI

* feat(cli): add optional GitHub token support with proper UX and docs

- Rename env var from GITHUB_TOKEN to UI_PRO_MAX_GITHUB_TOKEN (primary),
  with GITHUB_TOKEN as fallback — avoids silently attaching CI workflow
  credentials that GitHub Actions injects automatically
- Add whitespace trim guard to prevent malformed Authorization headers
- Add getGitHubTokenGuidance() helper exported from github.ts so rate-limit
  errors and spinner warnings tell users exactly how to fix the problem
- Thread optional token param through fetchReleases, getLatestRelease,
  downloadRelease signatures
- Add --token flag to init, versions, update commands (Commander.js wiring)
- Update rate-limit catch in tryGitHubInstall to show token guidance
- Document token options (flag, env var, fallback) in cli/README.md with
  CI warning about GITHUB_TOKEN scope

Supersedes the narrower env-only approach in PR #294 and incorporates the
safeguards requested during review of closed PR #186.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
v2.7.0
2026-06-25 08:39:27 +07:00
Thomas
bdf1179bcf fix: replace colon with hyphen in skill names (#383)
The Agent Skills spec requires names to match [a-z0-9-] only.
The colon in 'ckm:' prefix causes daily validation errors:

  name contains invalid characters (must be lowercase a-z, 0-9, hyphens only)

This affects all six ckm-prefixed skills. Replace ':' with '-'.

Co-authored-by: Thomas Schneider <tho.schneider@sap.com>
v2.6.5
2026-06-24 19:38:31 +07:00
xiaolai
381f01d9e5 fix: pin shadcn version instead of @latest
Merge PR #284: pin the shadcn CLI helper to a deterministic version fallback while still allowing project package.json overrides.
v2.6.4
2026-06-24 19:08:07 +07:00
PengQi Shi
a13b2a02fd fix: bump skill.json version to 2.6.2 (#382)
* fix: bump skill.json version to 2.6.2

* fix: bump marketplace.json and plugin.json version to 2.6.2

---------

Co-authored-by: shipengqi <pooky.shi@gamil.com>
v2.6.3
2026-06-24 08:04:10 +07:00
bhasan26
1518fec29d docs: add CONTRIBUTING.md guide for new contributors (#264)
Co-authored-by: Bilal Hasan <bhaasan26@my.whitworth.edu>
2026-06-23 13:00:53 +07:00
Artemii Fridriksen
d457006301 fix: HTML-escape all user data in slide generator to prevent XSS (#274)
Add html.escape() to all 46 user-controlled data.get() calls across
all 7 slide generator functions (title, problem, solution, metrics,
chart, testimonial, cta) and the deck title.

Add URL scheme validation for cta_url href to block javascript: URI
injection.

Closes #247
v2.6.2
2026-06-23 01:17:29 +07:00
Artemii Fridriksen
9bb646b336 fix: validate plugin names in tailwind config generator to prevent code injection (#275)
The _format_plugins() method interpolated plugin names directly into
require() statements without sanitization. A plugin name containing
a single quote could break out of require() and inject arbitrary
JavaScript that executes when Node.js loads the generated config.

Add a strict regex allowlist matching valid npm package name patterns
(optional @scope, alphanumeric/hyphen/underscore, optional subpath).
Reject any plugin name that doesn't match before generating output.

Closes #246
v2.6.1
2026-06-23 00:34:41 +07:00
Mỹ Ngân
9a863a5275 fix(release): avoid protected main writes v2.6.0 2026-06-22 13:40:58 +02:00
Mỹ Ngân
cf96c6a3d3 fix(release): run semantic-release command as multiline script 2026-06-22 13:37:08 +02:00
Duy /zuey/
c0fca2efdc feat(release): add semantic release automation (#375)
* feat(release): add semantic release automation

* fix(release): disable npm publishing

* ci: remove obsolete conda workflow

* ci: remove Claude review workflows

---------

Co-authored-by: Mỹ Ngân <bot@goclaw.dev>
Co-authored-by: Mỹ Ngân <my-ngan@goclaw.local>
2026-06-22 18:35:45 +07:00
youngledo
53d670cd30 feat: add JavaFX enterprise stack guidance (#316) 2026-06-22 12:00:21 +07:00
Ray Tien
fb1fc58bf9 feat(nuxt-ui): update stack data to v4 (#345)
Breaking changes fixed:
- Row 8/9: icon format corrected from 'lucide:home' (v3) to 'i-lucide-home' (v4 Iconify i-prefix)
- Row 18: useOverlay API updated from .open(Component, {props}) to .create(Component).open({props})

New v4 guidelines added (rows 51-70):
- Auto-registered modules: do not re-add @nuxt/icon @nuxt/fonts @nuxtjs/color-mode
- Official nuxi init templates for project bootstrapping
- Local Iconify JSON install for SSR reliability
- Global icon overrides via appConfig.ui.icons
- New form components: UFileUpload, UInputDate, UInputTags, UColorPicker
- New data components: UTree, UMarquee
- UContextMenu for right-click menus
- Awaiting overlay result Promise for confirmation dialogs
- UCommandPalette grouped items and extractShortcuts
- UHeader/UFooter/UPageAside layout components
- ClientOnly pattern for color mode hydration safety
- Generated theme file (.nuxt/ui/) for slot discovery
- defineShortcuts whenever condition guard
- UApp locale prop for i18n (50+ built-in locales)

Sync cli/assets to match src.
2026-06-22 03:58:29 +07:00
xiaolai
a3dea0d72f fix: replace execSync template string with execFileSync array form (#283)
execSync with a backtick template string creates a shell-expansion
surface. Although all three variables (generateScript, DESIGN_TOKENS_JSON,
DESIGN_TOKENS_CSS) are currently hardcoded constants, the pattern is
fragile — any future substitution of user-controlled data would create
shell injection.

Replace with execFileSync('node', [...args]) to eliminate the shell
entirely and make the boundary explicit.

Co-authored-by: claude[bot] <claude[bot]@users.noreply.github.com>
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-22 00:54:21 +07:00
Antony Omeri
10d6ca3105 Fix 3 latent bugs in ui-ux-pro-max (css2 font URLs, 2-char search, persist path) (#321)
All three are in the canonical src/ tree, reproduced on Python 3.14.5:

1. data/typography.csv — all 73 'Google Fonts URL' values were unusable
   fonts.google.com/share *UI* links, not stylesheet hrefs. Replaced with the
   proper fonts.googleapis.com/css2 URLs (extracted verbatim from each row's
   correct 'CSS Import' column), so the URL column is actually loadable.

2. scripts/core.py — BM25 tokenizer kept only words >2 chars, so common design
   terms 'ux', 'ui', 'ai', '3d' tokenized to nothing and returned 0 results
   (e.g. `--domain style "3d"`). Changed >2 to >=2; '3d'/'ai' now match.

3. scripts/search.py — `--persist` without `-p` printed
   'design-system/default/' but actually wrote to the query slug
   (e.g. design-system/fintech-crypto/). Use the same default the writer uses
   so the printed path matches reality.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-21 22:40:01 +07:00
Runxin Yan
7538cfb360 docs: add Windows Python compatibility note (#280)
Add cross-platform Python command note to skills and docs:
- CLAUDE.md: Add Windows note in Prerequisites
- ui-ux-pro-max/SKILL.md: Add Windows note in Prerequisites
- design/SKILL.md: Add Prerequisites section with Windows note
- banner-design/SKILL.md: Add Prerequisites section with Windows note
- templates/base/skill-content.md: Add Windows note (source template)

Windows uses 'python' instead of 'python3' to run scripts.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-21 20:02:56 +07:00
xiaolai
9dea1bc76f fix: remove unsubstituted template variable from slides/SKILL.md (#287)
Line 14 contained a raw `<args>$ARGUMENTS</args>` tag that was never
replaced during skill generation. This literal XML-like string renders
as part of the skill body and can confuse LLM consumers.

Co-authored-by: claude[bot] <claude[bot]@users.noreply.github.com>
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-21 19:05:21 +07:00
Wynn
f32d6a61cd Add openclaw to platforms list (#308)
OpenClaw (https://openclaw.ai) is an open-source agent gateway that
runs Claude as its primary backend. This skill works out-of-the-box
inside OpenClaw agents — same SKILL.md + python3 search.py invocation
pattern as the other supported platforms. Adding it to the list so
the install flow can target it.

Co-authored-by: yinhaoti <yinhaoti@macmini.home>
2026-06-21 15:58:45 +07:00
Alfredo Augusto Petri
c522197c72 fix(cli): implement --force flag to protect existing skill files (#324)
The --force option was accepted by Commander but ignored: writeFile()
always overwrote existing files silently. Users expecting protection
against accidental overwrites had no way to preserve existing configs.

- generatePlatformFiles: check file existence before writing; skip with
  a clear message when file exists and force=false
- generateAllPlatformFiles / templateInstall: propagate force parameter
- initCommand: pass options.force through to templateInstall

Behavior change:
  uipro init --ai claude         → skips if SKILL.md already exists
  uipro init --ai claude --force → overwrites regardless

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-21 15:46:42 +07:00
Alfredo Augusto Petri
71d02eccde fix(meta): align marketplace.json and package-lock.json to v2.5.0 (#327)
Both files were stuck at v2.2.1 while plugin.json, skill.json and
cli/package.json had moved to v2.5.0. Claude marketplace reads
marketplace.json for version and palette count — the stale entry
showed outdated data (96 palettes vs actual 161, 13 stacks vs 15).

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-21 14:28:44 +07:00
Roy Naquin
03e6afc908 ci: add paths-ignore to python-package-conda workflow (#312)
Skip docs-only changes (*.md, docs/**, .claude/**) from triggering the
Conda build/lint/test pipeline.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-21 13:14:55 +07:00
Spinulosa1111
5e2c0a2b5e docs: add Troubleshooting section to README (closes #304 #318 #338) (#350) 2026-06-21 02:00:03 +07:00
icaruszxk
fdc0a45c55 fix: correct project name from 'Antigravity Kit' to 'UI UX Pro Max' in CLAUDE.md (#365)
Co-authored-by: Xavier Virrey <xavier@Xaviers-MacBook-Air.local>
2026-06-21 01:16:03 +07:00
Duy /zuey/
b7e3af80f6 Merge pull request #184 from Jenser77/feat/design-system-visual-improvements
Improve design system output visuals
2026-04-03 12:08:19 +07:00