From rkstack
Configure project-level safety guards and working rules. Reads the detection cache from .rkstack/settings.json, installs .claude/settings.json hooks, .claude/hooks/ scripts, and .claude/rules/ files. Guards protect against destructive commands (rm -rf, force-push, drop table). Rules are curated best-practice documents copied as-is from templates. Run once per project, update when rkstack ships new templates. Use when asked to "setup project", "configure guards", "protect this project", or "add safety hooks".
npx claudepluginhub mrkhachaturov/ccode-personal-plugins --plugin rkstack
This skill is limited to using the following tools:
<!-- AUTO-GENERATED from SKILL.md.tmpl — do not edit directly -->
- SKILL.md.tmpl
- refs/hooks-guide.md
- refs/hooks.md
- refs/permission-modes.md
- refs/permissions.md
- refs/sandboxing.md
- refs/security.md
- refs/settings.md
- templates/guards/ansible.json
- templates/guards/baseline.json
- templates/guards/docker.json
- templates/guards/kubernetes.json
- templates/guards/node.json
- templates/guards/python.json
- templates/guards/secrets.json
- templates/guards/terraform.json
- templates/rules/ansible.tmpl
- templates/rules/context-hygiene.tmpl
- templates/rules/docker.tmpl
- templates/rules/node.tmpl
```bash
# === RKstack Preamble (setup-project) ===
# Read detection cache (written by session-start via rkstack detect)
if [ -f .rkstack/settings.json ]; then
  cat .rkstack/settings.json
else
  echo "WARNING: .rkstack/settings.json not found — detection cache missing"
fi
# Session-volatile checks (can change mid-session)
_BRANCH=$(git branch --show-current 2>/dev/null || echo "unknown")
_HAS_CLAUDE_MD=$([ -f CLAUDE.md ] && echo "yes" || echo "no")
echo "BRANCH: $_BRANCH"
echo "CLAUDE_MD: $_HAS_CLAUDE_MD"
```
Use the detection cache and preamble output to adapt your behavior:
- `detection.flowType` (web or default). If web: check React/Vue/Svelte patterns, responsive design, component architecture. If default: CLI tools, MCP servers, backend scripts.
- just commands instead of raw shell.
- `detection.stack` for what's in the project and `detection.stats` for scale (files, code, complexity).
- `detection.repoMode` for solo vs collaborative.
- `detection.services` for Supabase and other service integrations.

ALWAYS follow this structure for every AskUserQuestion call:

- `_BRANCH` value from preamble — NOT any branch from conversation history or gitStatus), and the current plan/task. (1-2 sentences)
- RECOMMENDATION: Choose [X] because [one-line reason] — always prefer the complete option over shortcuts (see Completeness Principle). Include Completeness: X/10 for each option. Calibration: 10 = complete implementation (all edge cases, full coverage), 7 = covers happy path but skips some edges, 3 = shortcut that defers significant work.
- A) ... B) ... C) ... — when an option involves effort, show both scales: (human: ~X / CC: ~Y)

Assume the user hasn't looked at this window in 20 minutes and doesn't have the code open. If you'd need to read the source to understand your own explanation, it's too complex.
AI makes completeness near-free. Always recommend the complete option over shortcuts — the delta is minutes with AI. A "lake" (100% coverage, all edge cases) is boilable; an "ocean" (full rewrite, multi-quarter migration) is not. Boil lakes, flag oceans.
Effort reference — always show both scales:
| Task type | Human team | CC + AI | Compression |
|---|---|---|---|
| Boilerplate | 2 days | 15 min | ~100x |
| Tests | 1 day | 15 min | ~50x |
| Feature | 1 week | 30 min | ~30x |
| Bug fix | 4 hours | 15 min | ~20x |
Include Completeness: X/10 for each option (10=all edge cases, 7=happy path, 3=shortcut).
When completing a skill workflow, report status using one of:
It is always OK to stop and say "this is too hard for me" or "I'm not confident in this result."
Bad work is worse than no work. You will not be penalized for escalating.
Escalation format:
```
STATUS: BLOCKED | NEEDS_CONTEXT
REASON: [1-2 sentences]
ATTEMPTED: [what you tried]
RECOMMENDATION: [what the user should do next]
```
Configure this project with always-on safety guards and stack-specific working rules.
When the user types /setup-project, run this skill.
- `/setup-project` — full setup (guards + rules)
- `/setup-project --update` — update existing setup with new templates

Read the detection cache written by rkstack detect (called automatically during session-start):

```bash
if [ -f .rkstack/settings.json ]; then
  cat .rkstack/settings.json
else
  echo "MISSING: .rkstack/settings.json — detection cache not found"
fi
```
If .rkstack/settings.json does not exist, tell the user: "Detection cache not found. Please start a new session so rkstack can detect your project stack, then run /setup-project again." and stop.
Parse the detection cache JSON. The relevant fields are:
- `detection.stack` — flat boolean map of what's in the project (e.g., typescript, python, terraform, docker)
- `detection.stats` — SCC numbers per stack item (files, code, complexity)
- `detection.flowType` — web or default

Also check the existing project setup state:

```bash
ls .claude/settings.json 2>/dev/null && echo "HAS_SETTINGS=yes" || echo "HAS_SETTINGS=no"
ls .claude/hooks/ 2>/dev/null && echo "HAS_HOOKS=yes" || echo "HAS_HOOKS=no"
ls .claude/rules/ 2>/dev/null && echo "HAS_RULES=yes" || echo "HAS_RULES=no"
```
If this is an --update run and .rkstack/settings.json has a meta.setupVersion that matches the current rkstack version, tell the user: "Project is already up to date with rkstack vX.Y.Z. No new templates to install." and stop.
The baseline guard protects against destructive commands on every session. This is always installed.
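What a destructive-command guard of this kind does, as an added example rather than rkstack's own guard-destructive.sh: it reads the PreToolUse payload Claude Code passes to the hook on stdin and answers "ask" for the operations this page names. The pattern list and the function names are assumptions.

```python
# Added example: constructed patterns, not rkstack's guard-destructive.sh.
import json
import re
import shlex
import sys

def _reason(tokens):
    """Name the destructive operation in one simple command, or return None."""
    while tokens and (tokens[0] == "sudo" or re.fullmatch(r"\w+=.*", tokens[0])):
        tokens = tokens[1:]  # skip sudo and VAR=value prefixes
    if not tokens:
        return None
    short = "".join(t[1:] for t in tokens[1:] if re.fullmatch(r"-[A-Za-z]+", t))
    if tokens[0] == "rm":
        recursive = "r" in short.lower() or "--recursive" in tokens
        force = "f" in short or "--force" in tokens
        return "rm with recursive and force flags" if recursive and force else None
    if tokens[0] == "git" and "push" in tokens:  # --force-with-lease is not flagged
        return "git force-push" if "f" in short or "--force" in tokens else None
    if tokens[0] == "git" and "reset" in tokens and "--hard" in tokens:
        return "git reset --hard"
    return None

def classify(command):
    """Return a reason if any part of a shell command line looks destructive."""
    if re.search(r"\bdrop\s+table\b", command, re.IGNORECASE):
        return "SQL DROP TABLE"
    for part in re.split(r"[;&|\n]+", command):  # &&, ||, ;, | and newlines
        try:
            tokens = shlex.split(part)
        except ValueError:  # a quote left unbalanced by the split
            tokens = part.split()
        reason = _reason(tokens)
        if reason:
            return reason
    return None

def decide(event):
    """Map a PreToolUse hook payload to an "ask" decision, or None to stay silent."""
    command = event.get("tool_input", {}).get("command", "")
    reason = classify(command) if event.get("tool_name") == "Bash" else None
    if reason is None:
        return None
    return {"hookSpecificOutput": {"hookEventName": "PreToolUse",
            "permissionDecision": "ask", "permissionDecisionReason": reason}}

if __name__ == "__main__":
    result = decide(json.load(sys.stdin))
    if result:
        print(json.dumps(result))
```

Token matching like this prompts a second look rather than enforcing a boundary, since commands wrapped in `sh -c` or a script file are not unpacked; pair the hook with permission rules or sandboxing.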
.claude/hooks/ directory:

```bash
mkdir -p .claude/hooks
```
Read the baseline guard template from the skill directory. The template is at:
skills/setup-project/templates/guards/baseline.json
Use the Read tool to get it. If you can't read from the plugin directory, the guard script content is embedded in this skill (see Step 1.1 below).
Copy guard-destructive.sh to the project:
Read skills/setup-project/templates/scripts/guard-destructive.sh from the plugin.
Write it to .claude/hooks/guard-destructive.sh.
Make it executable: chmod +x .claude/hooks/guard-destructive.sh
If the file already exists: Compare contents. If identical, skip. If different, use AskUserQuestion:
Re-ground: Setting up project safety in <project> on branch <branch>.
Simplify: You already have a guard-destructive.sh file but it's different from the latest template. You may have customized it.
RECOMMENDATION: Choose A to keep your version. Completeness: 9/10.
A) Keep my customized version
B) Replace with latest template
C) Show me the diff first
Merge the hook entry into .claude/settings.json:
Read .claude/settings.json if it exists. If it doesn't, start with {}.
Merge algorithm:
- hooks key: add `"hooks": { "PreToolUse": [<baseline entry>] }`
- hooks.PreToolUse exists: check if any entry already has command containing guard-destructive.sh. If yes, skip (dedupe). If no, append the baseline entry to the array.

Write the merged JSON back to .claude/settings.json.
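The merge-and-dedupe step above, written out as an added example (not rkstack's own code). It goes slightly further than the two listed cases: it also handles a `hooks` key without `PreToolUse`, and unions `permissions` rules for guards that carry them. The template layout (`hook`, `permissions`), `merge_guard` and `guard-node.sh` are assumptions; the hook entry follows the Claude Code settings schema.

```python
import copy
import json

# Constructed guard templates; the "hook"/"permissions" layout and guard-node.sh are assumptions.
BASELINE = {"hook": {"matcher": "Bash", "hooks": [
    {"type": "command", "command": ".claude/hooks/guard-destructive.sh"}]}}
NODE = {"hook": {"matcher": "Bash", "hooks": [
    {"type": "command", "command": ".claude/hooks/guard-node.sh"}]},
    "permissions": {"deny": ["Read(./.env)"]}}

def _commands(entry):
    """Collect the command strings of one PreToolUse entry, tolerating odd shapes."""
    hooks = entry.get("hooks", []) if isinstance(entry, dict) else []
    return [h["command"] for h in hooks
            if isinstance(h, dict) and isinstance(h.get("command"), str)]

def merge_guard(settings, guard, script_name):
    """Return a copy of settings with one guard merged in, leaving other keys alone."""
    merged = copy.deepcopy(settings)
    pre = merged.setdefault("hooks", {}).setdefault("PreToolUse", [])
    # Dedupe: skip when any existing entry already runs this guard script.
    if not any(script_name in c for e in pre for c in _commands(e)):
        pre.append(copy.deepcopy(guard["hook"]))
    # Permission rules are unioned per list so existing deny rules survive.
    for kind, rules in guard.get("permissions", {}).items():
        bucket = merged.setdefault("permissions", {}).setdefault(kind, [])
        for rule in rules:
            if rule not in bucket:
                bucket.append(rule)
    return merged

if __name__ == "__main__":
    settings = merge_guard({}, BASELINE, "guard-destructive.sh")
    settings = merge_guard(settings, BASELINE, "guard-destructive.sh")  # no-op
    settings = merge_guard(settings, NODE, "guard-node.sh")
    print(json.dumps(settings, indent=2))
```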
Using the detection cache from Step 0, determine which guard templates are relevant:
| Template | Condition (from detection cache) |
|---|---|
| terraform | detection.stack.terraform is true |
| secrets | .env files or secrets/ directory exists (check filesystem) |
| docker | detection.stack.docker is true OR detection.stack.compose is true |
| kubernetes | files matching *.yaml with kind: content exist (check filesystem) |
| python | detection.stack.python is true |
| node | detection.stack.typescript is true OR detection.stack.javascript is true |
| ansible | detection.stack.ansible is true |
For the filesystem checks (secrets, kubernetes), run:
```bash
# Secrets check
(ls .env* 2>/dev/null || ls secrets/ 2>/dev/null) && echo "SECRETS_DETECTED=yes" || echo "SECRETS_DETECTED=no"
# Kubernetes check (--include lets grep recurse to any depth; a bare **/*.yaml only does so with globstar enabled)
grep -rl --include='*.yaml' '^kind:' . 2>/dev/null && echo "K8S_DETECTED=yes" || echo "K8S_DETECTED=no"
```
For each detected template, read its JSON from skills/setup-project/templates/guards/<name>.json to get the description.
Present via AskUserQuestion (multi-select):
Re-ground: Setting up project safety in <project> on branch <branch>. Baseline destructive command guard is installed.
Simplify: I detected your project uses [detected stacks]. I have additional guards for each. Pick which ones to install — they'll warn before dangerous operations specific to each tool.
RECOMMENDATION: Install all detected guards. They use "ask" mode — you can always override.
[List each detected template with its description from the JSON]
Select which to install (multiple allowed).
For each selected guard:
- .claude/hooks/ (same overwrite logic as baseline)
- .claude/settings.json (same dedupe logic)
- permissions (like node.json has deny rules), merge those too

Copy context-hygiene.md to .claude/rules/:

- `mkdir -p .claude/rules`
- skills/setup-project/templates/rules/context-hygiene.tmpl from the plugin
- .claude/rules/context-hygiene.md (the .tmpl is already final markdown for this one — no generation needed)

If file exists: same overwrite logic as guard scripts (compare, ask if different).
Copy each matched rule template to .claude/rules/<stack>.md. The templates are complete best-practice documents — no generation or customization needed.
For each stack detected in Step 2 that also has a rule template:
- skills/setup-project/templates/rules/<stack>.tmpl
- .claude/rules/<stack>.md as-is

If file exists: same overwrite logic as guard scripts (compare, ask if different).
Present via AskUserQuestion after copying:
Installed N rules for [stacks]. Each rule is scoped to relevant files only — it won't bloat context when working on other parts of the project.
Read the current rkstack plugin version. Use the rkstack binary (available in session context as $RKSTACK_BIN):
```bash
rkstack version 2>/dev/null || echo "unknown"
```
If .rkstack/settings.json exists, read it to preserve the detection and overrides sections.
Write .rkstack/settings.json, merging the new meta key with the existing content:
```json
{
  "detection": <preserved from existing file>,
  "meta": {
    "setupVersion": "<plugin version>",
    "setupDate": "<YYYY-MM-DD>",
    "baseline": true,
    "guards": ["baseline", "<selected guards>"],
    "rules": ["context-hygiene", "<installed rules>"]
  },
  "overrides": <preserved from existing file, or {}>
}
```
Output:
```
/setup-project complete

Guards installed:
✅ baseline (rm -rf, force-push, drop table, reset --hard, etc.)
✅ terraform (blocks direct tofu/terraform commands)
✅ secrets (protects .env and secrets/ from full overwrite)
...

Rules installed:
✅ context-hygiene (global — what belongs in CLAUDE.md vs rules vs memory)
✅ terraform (scoped to terraform/** — root ownership, lifecycle rules)
...

Files created/updated:
.claude/settings.json — N hook entries merged
.claude/hooks/ — N scripts
.claude/rules/ — N rules
.rkstack/settings.json — setup metadata (v<version>)

Every session in this project is now protected. Guards warn before
destructive commands. Rules teach Claude your project conventions.
```