v2.1.0 — Currency + citability: Fable 5 refresh, doc-currency fixes, /submission-disclosures, CITATION.cff #131

Merged: pedrohcgs merged 2 commits into main from feat/v2.1-currency-citability on Jun 10, 2026

@pedrohcgs (Owner)

Summary

A currency + citability release driven by a 48-agent, web-verified audit asking "is this actually up to date and the best for economists, today?" The architecture audit came back clean — every change here fixes a fact, not structure. See the CHANGELOG v2.1.0 entry for the full account.

  • Fable 5 model refresh — SSoT + README + routing rule + hardened check-model-versions.sh (now catches superlative drift, the exact class the launch falsified while the old gate stayed green). Fleet deliberately stays on Opus/Sonnet/Haiku (2× judgment-tier price + observed day-one protocol failures).
  • 3 doc-currency bugs fixed (each verified against current docs first): fabricated /schedule syntax; inverted Routines-connector model (all connectors included w/ write by default → least-privilege guidance); allowed-tools ≠ sandbox (it pre-approves; disallowed-tools restricts) + new frontmatter fields documented.
  • /submission-disclosures (52 skills, fully wired): AI-use disclosure matched to verified-current journal policy + CRediT + COI + data-availability.
  • Citability + community health: CITATION.cff, SECURITY.md, CODE_OF_CONDUCT.md; repo topics (was zero) + homepage set.

Test plan

  • check-surface-sync.py — 29 count assertions + 2 table-row gates @ 52 skills
  • check-skill-integrity.py — new skill parity (tools/flags/anchors)
  • check-model-versions.sh — Fable-aware, superlative check active; proven to flag the old false claim
  • Guide re-rendered via quarto (both HTML twins regenerated, not hand-edited)
  • statusline smoke test after comment fix

…ug fixes, /submission-disclosures, CITATION.cff

Driven by a 48-agent web-verified audit (40 findings, 7.5% noise). Architecture came back
clean ("ahead of the field"); every fix here is a FACT fix, not structure.

MODEL REFRESH (the false superlative): Fable 5 GA'd 2026-06-09; README + SSoT still said
"Opus 4.8 is the newest." SSoT table/marker/date updated per its own protocol; routing rule
gains "Where Fable 5 fits — and where it does not" (fleet stays Opus/Sonnet/Haiku: 2x price
on the judgment tier + observed 28/28 day-one structured-output protocol failures vs 0 on
Opus). check-model-versions.sh hardened: version regex generalized (bare "Fable 5" tracked),
Fable tier added, NEW superlative-drift check (the exact class the old gate missed) — which
immediately caught + we fixed a statusline comment false-positive by making it version-neutral.

DOC-CURRENCY BUGS (all verified against current docs before fixing):
- scheduled-routines.md: /schedule flag syntax was FABRICATED -> real natural-language form,
  /schedule update for cron, 1h min interval, daily cap, committed-repos-only. MCP guardrail
  was INVERTED: cloud Routines include ALL connectors w/ write access by default -> rewritten
  to least-privilege ("the risk is a fully-armed connector, not a missing one").
- allowed-tools taught as a sandbox; docs verified (claude-code-guide agent, exact quote):
  it is a PRE-APPROVAL list — "does not restrict which tools are available". disallowed-tools
  (the actual restrictor) + paths/when_to_use/arguments now documented in template + guide,
  with a read-only-skill pattern and a "does not sandbox" warning callout. Security note rewritten.

ADDED:
- /submission-disclosures (51->52, fully count-wired; guide re-rendered via quarto): AI-use
  disclosure matched to the journal's VERIFIED-CURRENT policy + CRediT + COI + data-availability.
  Two independent audits converged on this as the top 2026 norms gap. Not /disclosure-check.
- CITATION.cff (citable; Zenodo DOI in backlog), SECURITY.md, CODE_OF_CONDUCT.md.
- GitHub topics (10, was zero) + homepage URL set via gh.

Backlog: awesome-list PRs, Zenodo DOI steps, hook-touchpoints note (verify names first),
persona cost table, non-Claude-coauthor README box. Audience pinned: econ + closely related.

Gates: surface-sync (29+2 @ 52 skills), skill-integrity, model-versions (Fable-aware) — green.

Copilot AI review requested due to automatic review settings June 10, 2026 17:56

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b690eada1c

Comment thread guide/workflow-guide.qmd
::: {.callout-warning}
## `allowed-tools` does not sandbox

A common (and security-relevant) misreading: omitting `Bash` from `allowed-tools` does **not** make a skill read-only — `allowed-tools` only *pre-approves* the listed tools so they skip permission prompts; everything else stays callable under your normal permission settings. To genuinely remove tools while a skill runs, use `disallowed-tools` (e.g. `["Edit", "Write", "Bash"]` for a read-only audit skill, plus `AskUserQuestion` for anything that runs unattended). See `templates/skill-template.md` for the full pattern.
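
Review bot: The closing parenthetical of the callout's main sentence leaves it unclear whether `AskUserQuestion` belongs in `disallowed-tools`: the example list is written out as `["Edit", "Write", "Bash"]` and `AskUserQuestion` is appended afterwards in prose. Since this callout is the guidance readers will copy from, spell out the complete list for the unattended case, e.g. `["Edit", "Write", "Bash", "AskUserQuestion"]`, and state in one clause why it is there.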

[P2] Remove contradictory allowed-tools guidance

This new warning correctly says that allowed-tools is not a sandbox, but the same section still tells readers that allowed-tools “prevents skills from accidentally using destructive tools” and recommends only Read/Grep/Glob for read-only review skills. When someone creates a read-only skill from this guide, following that later bullet leaves write tools callable under normal permissions, directly contradicting the security fix added here; update the Key Design Choices bullet to require disallowed-tools as well.

Useful? React with 👍 / 👎.
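
The misreading discussed in this thread can be caught mechanically. The lint below is an added example, not code from this repository or from either review bot: it flags skill frontmatter that looks read-only through `allowed-tools` alone. It assumes inline list values as in the quoted callout; `WRITE_TOOLS`, `audit_skill` and the sample frontmatter are constructed for illustration.

```python
import re

# Tools the quoted callout names as the ones to remove for a read-only skill.
WRITE_TOOLS = {"Edit", "Write", "Bash"}

def parse_frontmatter(text):
    """Return flat key -> raw value from the leading '---' block of a SKILL.md."""
    m = re.match(r"\A---\s*\n(.*?)\n---\s*(?:\n|\Z)", text, re.DOTALL)
    fields = {}
    for line in (m.group(1).splitlines() if m else []):
        key, sep, value = line.partition(":")
        if sep and not line[:1].isspace():
            fields[key.strip()] = value.strip()
    return fields

def tool_names(value):
    """Parse '["Edit", "Write"]' or 'Read, Grep'; ignore argument patterns in (...)."""
    value = re.sub(r"\([^)]*\)", "", value).strip().strip("[]")
    return {item.strip().strip("\"'") for item in value.split(",")} - {""}

def audit_skill(text):
    """Return findings for one skill file; an empty list means nothing to fix."""
    fm = parse_frontmatter(text)
    allowed = tool_names(fm.get("allowed-tools", ""))
    denied = tool_names(fm.get("disallowed-tools", ""))
    findings = []
    callable_writers = WRITE_TOOLS - denied
    # allowed-tools only pre-approves, so omitting write tools there restricts nothing.
    if allowed and not (allowed & WRITE_TOOLS) and callable_writers:
        findings.append("not read-only: add to disallowed-tools: "
                        + ", ".join(sorted(callable_writers)))
    if allowed & denied:
        findings.append("pre-approved and disallowed at once: "
                        + ", ".join(sorted(allowed & denied)))
    return findings

# Constructed sample frontmatter (assumed shape, not files from the repository).
LOOKS_READ_ONLY = """---
name: audit-paper
allowed-tools: ["Read", "Grep", "Glob"]
---
Review the draft without changing it.
"""
ENFORCED_READ_ONLY = LOOKS_READ_ONLY.replace(
    "---\nReview", 'disallowed-tools: ["Edit", "Write", "Bash"]\n---\nReview')

if __name__ == "__main__":
    for label, doc in (("looks", LOOKS_READ_ONLY), ("enforced", ENFORCED_READ_ONLY)):
        print(label, audit_skill(doc) or "ok")
```

Frontmatter that uses multi-line YAML lists would need a real YAML parser in place of `parse_frontmatter`.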

Copilot AI left a comment

Pull request overview

This PR is a documentation-and-metadata focused “currency + citability” release that refreshes model/version guidance (notably adding Fable 5 as top-tier), hardens the repo’s model-drift checking script, adds a new /submission-disclosures skill, and introduces standard community/citation files so the template is easier to cite and safer to adopt.

Changes:

  • Refreshes “current models” SSoT and user-facing docs for Fable 5, and hardens check-model-versions.sh with a generalized version matcher plus a semantic “superlative drift” check.
  • Adds /submission-disclosures skill and updates inventories/counts (51 → 52) across README/guide/docs.
  • Adds citability/community health files (CITATION.cff, SECURITY.md, CODE_OF_CONDUCT.md) and updates contributing guidance.

Reviewed changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| templates/skill-template.md | Documents new skill frontmatter fields and clarifies allowed-tools vs disallowed-tools semantics. |
| scripts/check-model-versions.sh | Generalizes version parsing (supports bare majors) and adds superlative-drift detection. |
| README.md | Updates model lineup guidance (Fable 5) and skill-frontmatter notes; increments skill count and lists /submission-disclosures. |
| guide/workflow-guide.qmd | Updates skill count and frontmatter reference; adds “allowed-tools does not sandbox” warning. |
| guide/workflow-guide.html | Regenerated rendered guide reflecting qmd updates (counts/frontmatter warning/date). |
| docs/workflow-guide.html | Published HTML copy updated to match regenerated guide output. |
| docs/index.html | Updates OpenGraph/landing-page copy to reflect 52 skills. |
| CLAUDE.md | Adds /submission-disclosures to the “Papers / review” shortlist. |
| CITATION.cff | Adds citation metadata for GitHub “Cite this repository” support. |
| CHANGELOG.md | Adds v2.1.0 release notes documenting currency/citability changes and new skill. |
| .github/SECURITY.md | Adds a security policy for reporting template/hook/skill vulnerabilities. |
| .github/CONTRIBUTING.md | Makes the AI co-author example version-free to avoid model-name drift. |
| .github/CODE_OF_CONDUCT.md | Adds a Contributor Covenant-based code of conduct. |
| .claude/skills/submission-disclosures/SKILL.md | New skill for submission-time disclosure statements (AI-use, CRediT, COI, data availability) with web verification. |
| .claude/scripts/statusline.sh | Updates statusline comment example to be version-agnostic. |
| .claude/rules/model-routing.md | Adds explicit guidance on where Fable 5 fits (and why fleet routing stays on Opus/Sonnet/Haiku). |
| .claude/references/v2.0-backlog.md | Adds follow-up items from the currency audit (Zenodo DOI, awesome-list distribution, etc.). |
| .claude/references/scheduled-routines.md | Fixes /schedule syntax guidance and updates connector/least-privilege notes for unattended runs. |
| .claude/references/model-versions.md | Updates SSoT marker/table to include Fable 5 and updates the update protocol to include a superlative grep step. |

Comment thread .github/SECURITY.md

## Reporting a vulnerability

- **Preferred:** open a [private security advisory](https://github.com/pedrohcgs/claude-code-my-workflow/security/advisories/new) on GitHub.
Comment on lines +78 to +80
echo "$text" | grep -qiE "$TOP_TIER" && continue # already credits the top tier
echo "$text" | grep -qiE "newest (Opus|Sonnet|Haiku)" && continue # tier-relative superlative → fine
echo "$text" | grep -qiE "(Opus|Sonnet|Haiku) $VER" || continue # only flag lines naming a versioned tier
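
Review bot: The first check skips the whole line as soon as `$TOP_TIER` matches anywhere in it, so a line that names the top tier and still calls a versioned Opus/Sonnet/Haiku release the newest is never flagged. Tie the exemption to the subject of the superlative (the top-tier name adjacent to the superlative word) rather than to its presence on the line. Smaller point on the same three lines: `echo "$text"` can mangle input that begins with `-` or contains backslashes; `printf '%s\n' "$text"` is the safer way to feed grep.
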
…efresh + superlative-check ALLOW bypass

Round-2 audit (4 findings, 0 refuted) caught:
- MAJOR: guide/workflow-guide.qmd:761-763 (the LIVE GitHub Pages model-lineup callout) still said
  'Opus 4.8 is the newest model' / verified 2026-05-31 — the README's parallel surface was updated
  but the guide sibling was missed. Now matches: Fable 5 top tier, Opus = default + routed tier,
  dates 2026-06-10. Re-rendered both HTML twins via quarto.
- MINOR (the deeper one): the NEW superlative-drift check failed at its own cited example — the
  general ALLOW short-circuit let 'prior generation' (describing 4.7 in the SAME sentence) suppress
  the flag for the whole line. Superlative block no longer honors clause-level ALLOW markers; only
  an explicit inline model-allow comment escapes. PROOF SEQUENCE: fixed the script first, ran the
  gate against the still-stale qmd -> it flagged qmd:763; then fixed the content -> green.
- NITs: CONTRIBUTING count example made count-neutral ('NN skills'); model-routing 28/28 claim
  rescoped to 'one session's fan-out — a single-session signal, not a benchmark' (matches SSoT).

Gates: model-versions (hardened, self-proven), surface-sync, skill-integrity — all green.
@pedrohcgs pedrohcgs merged commit be53c12 into main Jun 10, 2026
2 checks passed