sync (digest only) — 2026-06-08

[norbert-pap]

Weekly sync digest — 2026-06-08

Sources checked: 6. Changes applied: 0. Period: 2026-06-01 → 2026-06-08.

No clear cherry-picks found this week. All upstream changes were either gstack-internal infrastructure, reference skills with no claudebert counterpart, or content expansions requiring scope judgment. Digest below for your review.

---

Applied changes

None.

---

Deferred — notable but not cherry-picked

1. agent-skills — addyosmani/agent-skills PR #219

"Strengthen security skills: threat modeling, SSRF, supply chain & AI/LLM"

Expanded skills/security-and-hardening/SKILL.md (+28%, 349→448 lines) with:

• STRIDE threat model — "Controls bolted on without a threat model are guesses." Structured threat-boundary mapping before any controls.
• SSRF prevention — Allowlist-only outbound, DNS rebinding hardening, concrete bad-vs-good code patterns.
• Supply-chain hygiene — Lockfile integrity, typosquat detection, postinstall script auditing.
• AI/LLM security — LLM output validation, prompt injection guards, token limit handling, mapped to OWASP LLM Top 10.

Why deferred: claudebert has no dedicated security skill. The content could either enrich prod-review Section 3 (Security & Threat Model) or seed a new security skill — both require scope/placement judgment, not a clean drop-in.

---

2. anthropic-skills — anthropics/skills commit c30d329

"Update claude-api skill: auth, cloud providers, Managed Agents fixes, SDK coverage"

Major update to the claude-api reference skill across Python, Go, Java, C#, PHP:

• Auth resolution order documented (ANTHROPIC_API_KEY, ANTHROPIC_AUTH_TOKEN, ant auth login profiles)
• Managed Agents networking config fixed ("type": "limited" with explicit flags)
• Mid-conversation system messages (beta) added
• Model deprecations: Sonnet 4 and Opus 4 moved to deprecated; Opus 4.8 is current
• New: claude-platform-on-aws.md, anthropic-cli.md shared docs
• New: cache pre-warming (max_tokens: 0), request-level overrides, _request_id for error reporting

Why deferred: claudebert has no claude-api skill. Informational — worth knowing about the Opus 4.8 migration and Managed Agents networking fix if those come up.

---

3. gstack — garrytan/gstack (5 commits, all infrastructure)

v1.56.0.0–v1.57.3.0

All 5 commits this week are gstack-internal infrastructure with no review methodology changes:

Commit	What	Why dropped
v1.57.3.0	ship: PR-title version invariant + fork-PR title-sync backstop	ship skill infrastructure
v1.57.2.0	AskUserQuestion prose fallback when tool call fails	gstack AUQ infra
v1.57.0.0	Carve-guard registry + carve cso, document-release, design-consultation	carve infra (skeleton+sections pattern)
v1.56.1.0	Staging-dir ownership guard + resume-correctness fixes	sync infra
v1.56.0.0	Token-reduction Phase B: carve plan-ceo-review, plan-eng-review, plan-design-review, plan-devex-review, office-hours	carve infra — splits SKILL.md into skeleton+sections; claudebert uses flat SKILL.md files, content unchanged

The carve mechanism (splitting SKILL.md into skeleton + on-demand sections/) is gstack-specific. Claudebert's prod-review, eng-review, and design-review were not changed in methodology, only reorganized for token efficiency.

---

Sources with no relevant activity

Source	Status
rohitg00/awesome-claude-code-toolkit	No commits since 2026-05-12
Owl-Listener/designpowers	Last commit 2026-05-31; nothing since
VoltAgent/awesome-agent-skills	Only list curation (Vercel removal, Red Hat addition, Cypress section) — not skill content

---

Generated by Claude Code