Agent Harness Performance System ยท Anthropic Hackathon Winner

EVERY
THING
CLAUDE CODE

Not just configs. A complete agent harness: 183 skills, 48 agents, 79 commands, memory, instincts, security scanning, and research-first development. Works across Claude Code, Codex, Cursor, OpenCode, and Gemini. Built over 10+ months of intensive daily use.

183 Skills48 Agents79 Commands 14 MCP ConfigsAgentShield 102 Rules 140K+ Stars12 Language Ecosystems
00
Architecture
Overview & Architecture

ECC is a multi-layer operating system for AI coding agents. It shapes agent behaviour from day one through five core pillars:

๐Ÿง 

Skills

183 workflow skills covering every dev domain โ€” TDD, debugging, research, security, frontend, DevOps, and more. Auto-invoked when relevant.

๐Ÿค–

Agents

48 specialized subagents (code-reviewer, security-reviewer, architect, build-error-resolver, etc.) dispatched automatically.

๐Ÿ›ก๏ธ

Security

AgentShield: 1282 tests, 102 rules. Scans CLAUDE.md, settings.json, MCP configs, hooks, agents, and skills for vulnerabilities and injection risks.

๐Ÿงฌ

Memory & Instincts

Persistent cross-session memory via MCP. Instinct system observes sessions, extracts patterns, and evolves them into new skills automatically.

โšก

Commands & Rules

79 slash commands + always-on rules per language: TypeScript, Python, Go, PHP, C++, Java, Kotlin, Rust, C#, Flutter, PyTorch, Nuxt 4.

๐Ÿ”Œ

MCP Configurations

14 pre-configured MCP servers: Supabase, Playwright, Context7, Exa, GitHub, Memory, Sequential Thinking โ€” ready to use.

Repo Structure

agents/ โ€” 48 subagents  ยท  skills/ โ€” 183 workflow skills  ยท  commands/ โ€” 79 slash commands  ยท  hooks/ โ€” trigger automations  ยท  rules/ โ€” always-follow guidelines  ยท  mcp-configs/ โ€” 14 MCP configs  ยท  tests/ โ€” 978 tests

01
Getting Started
Installation
Before You Start

You need Node.js and one or more supported agents: Claude Code, Codex, Cursor, OpenCode, or Gemini CLI. ECC works across all of them from a single config source.

Method A โ€” Plugin Marketplace (Recommended)

Install via Claude Code plugin system

# Step 1: Register marketplace /plugin marketplace add affaan-m/everything-claude-code # Step 2: Install plugin /plugin install everything-claude-code@affaan-m-everything-claude-code
Canonical ID

Always use everything-claude-code@affaan-m-everything-claude-code. Old shorthand nicknames are deprecated.

Method B โ€” OSS Installer (Most Reliable)

Clone and copy rules directly

git clone https://github.com/affaan-m/everything-claude-code.git # User-level (all projects) mkdir -p ~/.claude/rules cp -r everything-claude-code/rules/common ~/.claude/rules/ cp -r everything-claude-code/rules/typescript ~/.claude/rules/ # Project-level (current project only) mkdir -p .claude/rules && cp -r everything-claude-code/rules/common .claude/rules/
Method C โ€” Selective Install

Install only what you need

ecc install --profile developer --with lang:typescript --with agent:security-reviewer --without skill:continuous-learning
Method D โ€” GitHub Extension

Install via GitHub CLI

gh ext install affaan-m/everything-claude-code
Verify Install

Run /harness-audit to baseline what's active and check for issues.

02
Multi-Agent
Agent Setup
๐Ÿค– Claude Code โ€” Full support, all layers
/plugin marketplace add affaan-m/everything-claude-code /plugin install everything-claude-code@affaan-m-everything-claude-code /harness-audit
๐Ÿ”ท Codex โ€” Sync MCP config, instruction-based security
bash scripts/sync-ecc-to-codex.sh # Or tell Codex directly: Fetch and follow https://raw.githubusercontent.com/affaan-m/everything-claude-code/main/.codex/AGENTS.md
Codex Note

Codex lacks hooks โ€” security enforcement is instruction-based. Always validate inputs and never hardcode secrets.

๐Ÿ–ฑ๏ธ Cursor โ€” Agent chat or marketplace search
/add-plugin everything-claude-code # Or search "everything-claude-code" in the Cursor plugin marketplace
๐ŸŸฃ OpenCode โ€” Full harness parity
{ "plugin": ["everything-claude-code@latest"] } # Add to opencode.json, then restart OpenCode
๐Ÿ’Ž Gemini CLI โ€” Rules and skills supported
cp -r everything-claude-code/rules/common ~/.gemini/rules/ cp -r everything-claude-code/rules/typescript ~/.gemini/rules/
03
Everyday Use
Basic Use
Basic โ€” Harness Audit

Run this first after every install or update

/harness-audit

Shows which skills, agents, rules, and hooks are loaded. Flags anything missing or misconfigured.

Basic โ€” Security Scan

Scan your entire Claude config for vulnerabilities

# Quick scan npx ecc-agentshield scan # Auto-fix safe issues npx ecc-agentshield scan --fix # Deep 3-agent analysis npx ecc-agentshield scan --opus --stream
Basic โ€” Quality Gate

Full repo quality check before committing

/quality-gate . --strict
Basic โ€” Generate Skills from Your Git History

Let ECC learn from what you've already built

/skill-create /skill-create --instincts
Basic โ€” Desktop Dashboard

Visual GUI for managing ECC

npm run dashboard

Dark/light theme, font customisation, shows active skills/agents/hooks at a glance.

04
Power User
Advanced Use
Advanced โ€” Autonomous Agent Harness

Scheduled, self-directing agents using native Claude Code crons

# Schedule a daily PR review (9 AM weekdays) mcp__scheduled-tasks__create_scheduled_task({ name: "daily-pr-review", schedule: "0 9 * * 1-5", prompt: "Review all open PRs, check CI, flag issues, post summary to memory." }) # Trigger remotely from CI/CD curl -X POST "https://api.anthropic.com/dispatch" \ -H "Authorization: Bearer $ANTHROPIC_API_KEY" \ -d '{"prompt":"Build failed on main. Diagnose and fix.","project":"/repo"}'
Advanced โ€” Instinct System (Continuous Learning v2.1)

Sessions observed, patterns extracted, skills evolved automatically

/instinct-import # Import from session /instinct-create "Always run npm audit before pushing" /instinct-list # View all learned instincts
v2.1 Project Scoping

Instincts are now project-scoped โ€” no cross-project contamination. Each project builds its own instinct library.

Advanced โ€” Multi-Agent Orchestration

PM2-backed parallel multi-service workflows

/multi-plan # Plan across multiple services /multi-execute # Execute in parallel /multi-backend # Backend-specific agents /multi-frontend # Frontend-specific agents /pm2 # Process management
Advanced โ€” AgentShield Deep Security

CVE database, supply chain verification, 102 rules

npx ecc-agentshield init # Generate secure config from scratch npx ecc-agentshield scan --cve # Check 25+ known MCP CVEs npx ecc-agentshield scan --supply-chain# Supply chain verification
Advanced โ€” Research-First Development

Search docs and code before writing anything

/exa-search "OAuth2 PKCE Node.js 2026 best practices" # Or naturally: Before implementing rate limiting, use exa-search to find current best practices and known pitfalls.
Advanced โ€” Context Window & Cost Audit

Find token bloat, reduce costs, route by complexity

/context-audit # Find token bloat across all components /cost-optimize # Route tasks to cheaper models
05
Quick Reference
Cheat Sheet

๐Ÿ›  Install Commands

  • /plugin marketplace add affaan-m/everything-claude-codeRegister marketplace
  • /plugin install everything-claude-code@affaan-m-everything-claude-codeInstall plugin
  • gh ext install affaan-m/everything-claude-codeGitHub CLI install
  • npx ecc-agentshield scanQuick security scan
  • /harness-auditBaseline after install
  • npm run dashboardOpen GUI dashboard

โšก Key Commands

  • /harness-auditAudit all active components
  • /quality-gate . --strictFull repo quality check
  • /skill-create [--instincts]Generate skills from git history
  • /instinct-import / list / createManage continuous learning
  • /context-auditFind token bloat
  • /cost-optimizeModel routing optimiser
  • /multi-plan / execute / backend / frontendMulti-agent orchestration
  • /exa-searchResearch before code

๐Ÿง  Key Skills

  • autonomous-agent-harnessPersistent scheduled agents
  • continuous-agent-loopAutonomous loop with quality gates
  • exa-searchResearch-first development
  • skill-creator / instinct-creatorSelf-improvement
  • analyze-repo / pattern-detectionRepo intelligence
  • learning-dnaSession learning extraction
  • frontend-slidesHTML slide deck builder
  • market-research / investor-materialsBusiness content

๐Ÿ›ก๏ธ Security Commands

  • npx ecc-agentshield scanQuick scan
  • npx ecc-agentshield scan --fixAuto-fix safe issues
  • npx ecc-agentshield scan --opus --streamDeep 3-agent scan
  • npx ecc-agentshield initGenerate secure config
  • npx ecc-agentshield scan --cveCVE database check
  • npx ecc-agentshield scan --supply-chainSupply chain verify

๐Ÿ”ฎ Hidden Gems (8 Commands)

  • /aside <question>Side question, auto-resume task
  • /santa-loopAdversarial dual-review convergence
  • /gan-design / /gan-buildGenerator-evaluator harness
  • /clawNanoClaw v2 interactive REPL
  • /save-session / /resume-sessionPersist & resume context
  • /learn-evalExtract patterns + self-evaluate
  • /evolveEvolve instincts into skills
  • /plugin list everything-claude-code@...See everything installed

๐Ÿ“ Instinct Management (8)

  • /instinct-import <file|url>Import from file or URL
  • /instinct-exportExport for sharing/backup
  • /instinct-statusShow with confidence scores
  • /promoteProject scope โ†’ global
  • /pruneDelete stale (>30 day) instincts
  • /evolveGenerate evolved skill structures
  • /projectsList projects + stats
  • /learn-evalExtract + eval + save

๐Ÿš€ PRP Pipeline (Productโ†’PR)

  • /prp-prdInteractive PRD generator
  • /prp-planImplementation plan + codebase scan
  • /prp-implementExecute with validation loops
  • /prp-commitNatural-language commit
  • /prp-prAuto-create GitHub PR
  • /hookify / -list / -configureAuto-generate behaviour hooks
  • /checkpoint / /update-codemapsWorkflow checkpointing
  • /refactor-clean / /test-coverageDead code + test coverage

๐ŸŒ Environment Variables

  • ECC_HOOK_PROFILE=minimalMinimal hooks only
  • ECC_HOOK_PROFILE=standardDefault profile
  • ECC_HOOK_PROFILE=strictAll hooks + extra validation
  • ECC_DISABLED_HOOKS="h1,h2"Disable specific hooks by name
  • ECC_ROOT=/pathOverride source location
  • INSTALL_LEVEL=user|project|bothInstall scope selector

โ›” Rejected / Never Do This

  • hooks field in plugin.jsonโŒ Causes duplicate detection errors in CC v2.1+ (issues #29, #52, #103)
  • everything-claude-code@everything-claude-code (short form)โŒ Use @affaan-m-everything-claude-code โ€” canonical ID
  • Modifying files in $ECC_ROOT/โŒ Only modify target install dir, never source
  • Installing all 183 skills at onceโŒ Bloats context; use --with / --without selective install
  • npm install without --legacy-peer-depsโŒ May fail on peer conflicts
  • Running /santa-loop on trivial codeโŒ Expensive โ€” reserve for security/payment/auth
  • Using deprecated autonomous-loops skillโŒ Renamed to continuous-agent-loop (v5+)
  • Hardcoding API keys in CLAUDE.mdโŒ AgentShield flags this; use env vars
  • /plugin install from untrusted marketplacesโŒ Scan first with npx ecc-agentshield scan
  • Running /evolve without reviewing firstโŒ Use /instinct-status first to check confidence scores
  • Disabling security-reviewer agentโŒ Core safety layer โ€” keep enabled

๐Ÿšฆ Troubleshooting

ProblemFix
Plugin not resolvingUse the OSS installer: git clone + cp -r rules/ โ€” more reliable for some Claude Code builds
Skills not activatingRun /harness-audit. Restart agent after install.
Instincts bleeding across projectsUpdate to v2.1+ โ€” instincts are now project-scoped
Old install ID not workingUse: everything-claude-code@affaan-m-everything-claude-code. Old shortcuts are deprecated.
Codex hooks not firingCodex doesn't support hooks โ€” use AGENTS.md instruction-based enforcement
MCP configs not loading in CodexRun bash scripts/sync-ecc-to-codex.sh
Token costs too highRun /context-audit + /cost-optimize
06
Undocumented
Hidden Commands & Easter Eggs
The Other 70 Commands

ECC has 79 slash commands but most users only know 5-10. Here are the hidden gems, easter eggs, and undocumented flags discovered by reading the ECC Explorer catalog and plugin source code.

Hidden #01 โ€” Check What's Actually Installed

See every agent, skill, and command ECC registered ESSENTIAL

/plugin list everything-claude-code@everything-claude-code

Shows all 79 commands, 48 agents, 183 skills, 14 MCP configs in one view. Most users have never run this and don't realise 90% of what they installed.

Hidden #02 โ€” /aside โ€” Side Questions Without Context Loss

Answer a quick question then resume HIDDEN GEM

Mid-task, you realise you need to ask something unrelated. Normally that pollutes the conversation context. /aside spins up a quick side answer and automatically resumes the original task:

/aside what's the shortest way to check if a port is free in bash? # โ†’ Quick answer, then auto-resumes your previous task
Hidden #03 โ€” /santa-loop โ€” Adversarial Dual Review

Two independent reviewers must BOTH approve before code ships POWERFUL

Nicknamed after "two Santas checking the list twice". Spawns two independent model reviewers who must converge on approval:

/santa-loop src/auth/login.ts # โ†’ Reviewer A finds issues โ†’ fix โ†’ Reviewer B finds different issues # โ†’ Loop continues until both approve independently
When to Use

Use for security-critical code, payment flows, auth logic, or anything where a single-agent review isn't enough.

Hidden #04 โ€” GAN-Inspired Build Commands

Generator-Evaluator harness for high-quality code 2026 RESEARCH

Based on Anthropic's March 2026 harness design paper. Uses a generator-evaluator pattern where one agent builds and another evaluates iteratively:

/gan-design "user profile page with social links" # โ†’ Generator proposes designs, evaluator scores them, best wins /gan-build "auth middleware with rate limiting" # โ†’ Generator builds, evaluator tests, loop until quality threshold met
Hidden #05 โ€” /save-session & /resume-session

Persist session state to disk and resume it tomorrow UNDERRATED

Working on a multi-day task? Save your session context to ~/.claude/session-data/ and resume it with full context later:

/save-session # โ†’ Saves current context to ~/.claude/session-data/YYYY-MM-DD.json # Next day, in a fresh session: /resume-session # โ†’ Loads the most recent session file with full context restored
Hidden #06 โ€” /claw โ€” NanoClaw v2 REPL

Interactive model routing & skill hot-load REPL POWER USER

NanoClaw v2 is ECC's own interactive REPL. Lets you route between models mid-session, hot-load skills, branch sessions, search history, export conversations, compact context, and view metrics:

/claw # Enters NanoClaw REPL. Commands inside: # :route opus โ€” switch to Opus for next turn # :route haiku โ€” switch to Haiku for quick tasks # :load skill-name โ€” hot-load a skill # :branch โ€” branch the session # :search foo โ€” search session history # :export โ€” export session as markdown # :compact โ€” compact context now # :metrics โ€” show token usage, cost, cache hits
Hidden #07 โ€” The Full Instinct Management Suite

Manage the continuous learning system HIDDEN

Beyond /instinct-import and /instinct-list, ECC ships a full management suite:

/instinct-status
Show all learned instincts with confidence scores
/instinct-export
Export instincts to file for sharing or backup
/instinct-import <file|url>
Import instincts from file or URL into project/global
/promote
Promote project-scoped instincts to global scope
/prune
Delete pending instincts older than 30 days
/evolve
Analyse instincts and generate evolved skill structures
/projects
List all known projects with instinct statistics
/learn-eval
Extract patterns + self-evaluate quality before saving
Hidden #08 โ€” /hookify Suite

Create hooks to prevent unwanted behaviours automatically HIDDEN

Most people don't know ECC has its own hook creation system. It analyses your conversations and auto-generates hooks to prevent patterns you don't want:

/hookify # โ†’ Analyses conversation, suggests hooks to prevent repeated mistakes /hookify-list # โ†’ Lists all configured hookify rules /hookify-configure # โ†’ Enable/disable rules interactively /hookify-help # โ†’ Get help with the hookify system
Hidden #09 โ€” PRP Workflow (Planโ†’Implementโ†’Commitโ†’PR)

Full product development request pipeline HIDDEN

ECC has a complete PRP (Product Requirements Pipeline) workflow most users never discover:

/prp-prd
Interactive PRD generator โ€” problem-first, hypothesis-driven spec
/prp-plan
Feature implementation plan with codebase analysis
/prp-implement
Execute plan with rigorous validation loops
/prp-commit
Natural language commit โ€” "commit the auth changes"
/prp-pr
Create GitHub PR with template discovery and auto-push
Hidden #10 โ€” Infrastructure & Code Commands

Lesser-known utility commands HIDDEN

/checkpoint
Create or verify a checkpoint in your workflow
/update-codemaps
Token-lean architecture docs from codebase structure
/update-docs
Sync docs with codebase from source-of-truth files
/refactor-clean
Safely remove dead code with test verification
/test-coverage
Analyse coverage, generate missing tests to 80%+
/feature-dev
Guided feature development with codebase understanding
/build-fix
Incrementally fix build/type errors, minimal changes
/model-route
Recommend best model tier by complexity & budget
/loop-start
Start managed autonomous loop with safety defaults
/loop-status
Inspect active loop state, progress, failures
/skill-health
Skill portfolio health dashboard with analytics
/setup-pm
Configure package manager (npm/pnpm/yarn/bun)
Hidden #11 โ€” Language-Specific Command Matrix

Every language has build/review/test commands 12 LANGUAGES

ECC ships 12 language ecosystems โ€” each with 3 commands. Most users don't realise all of these exist:

/python-review
PEP 8, type hints, security, Pythonic idioms
/go-build / /go-review / /go-test
Fix build, review concurrency, TDD with 80%+ coverage
/rust-build / /rust-review / /rust-test
Ownership, lifetimes, cargo-llvm-cov coverage
/kotlin-build / /kotlin-review / /kotlin-test
Null safety, coroutines, Kover coverage
/cpp-build / /cpp-review / /cpp-test
Memory safety, modern C++, GoogleTest + gcov/lcov
/flutter-build / /flutter-review / /flutter-test
Dart, widgets, state, golden + integration tests
/gradle-build
Android + KMP Gradle error fixes
Hidden #12 โ€” Hook Runtime Controls (Environment Variables)

Tune hooks without editing files POWER USER

# Control hook behaviour at runtime export ECC_HOOK_PROFILE=minimal # Minimal hooks only export ECC_HOOK_PROFILE=standard # Default export ECC_HOOK_PROFILE=strict # All hooks + extra validation # Disable specific hooks by name, comma-separated export ECC_DISABLED_HOOKS="hook-name-1,hook-name-2"
When to Use

Great for CI environments where you want fewer hooks, or for debugging when you suspect a specific hook is interfering.

Hidden #13 โ€” Common Gotchas & Traps

Things that will break ECC setups

  • โš ๏ธ Never add "hooks" to plugin.json โ€” Claude Code v2.1+ auto-loads hooks/hooks.json. Explicit declaration causes duplicate detection errors (see issues #29, #52, #103)
  • ๐ŸŽฏ Canonical install ID is mandatory โ€” everything-claude-code@everything-claude-code. Older nicknames are deprecated
  • ๐Ÿ“ OSS installer is more reliable โ€” if /plugin install fails, git clone + cp -r rules/ is the fallback that always works
  • ๐ŸŒ Works with any model gateway โ€” doesn't hardcode Anthropic transport, so works with custom API endpoints
  • ๐Ÿ”’ Project-scoped instincts โ€” v2.1+ prevents cross-project contamination. Always update to latest
Hidden #14 โ€” Built-in Claude Code Commands That Pair With ECC

Native commands that complement ECC workflows

  • /help โ€” lists ECC commands with plugin tag
  • /compact โ€” compress context (pairs well with /context-audit)
  • /clear โ€” fresh session (use after /save-session to resume)
  • /review โ€” Claude Code built-in (chains with /code-review from ECC)
  • /security-review โ€” built-in (complements /security-scan + AgentShield)
  • /init โ€” initialise CLAUDE.md (ECC rules inject automatically)
  • /plugin list โ€” see all installed plugins and their components
  • /plugin update โ€” pull latest ECC updates
  • Ctrl+B โ€” background current subagent (great for long /quality-gate runs)
  • ultrathink (keyword) โ€” force high-effort model for complex planning
  • Shift+Tab ร— 2 โ€” enter plan mode (pairs with ECC's /plan command)
Hidden #15 โ€” Commands I'd Add That Don't Exist Yet

Feature wishlist โ€” submit as PRs

  • ๐Ÿ” /ecc-explore โ€” interactive browser for all 183 skills with preview
  • ๐Ÿ“Š /ecc-metrics โ€” session metrics: which skills fired, token cost per skill
  • ๐Ÿ”„ /agent-diff โ€” show what changed when you switched agent (code-reviewer vs architect)
  • ๐ŸŽฏ /skill-benchmark โ€” benchmark a skill against a test repo for reliability
  • ๐Ÿ“ฆ /skill-bundle โ€” export a curated skill set for team distribution
  • ๐Ÿค– /ai-pair โ€” real-time pair programming mode with persistent subagent
  • ๐Ÿ“ˆ /agent-report โ€” weekly report of all agent activities + decisions
  • ๐Ÿ” /secrets-audit โ€” deeper than AgentShield โ€” check git history for leaked secrets
  • ๐ŸŽฏ /cost-budget <amount> โ€” hard budget cap per session, warns when approaching
  • ๐Ÿ“ข Submit via PR at github.com/affaan-m/everything-claude-code
๐Ÿง 
Component Deep Dive
183 Skills
What skills are

Skills are SKILL.md files giving the agent structured instructions for specific tasks. They auto-invoke when relevant. ECC ships 183 across every dev domain โ€” and you can write your own or auto-generate from git history.

Development
TDD, debugging, code review, refactoring, architecture patterns
Security
security-scan, AgentShield integration, CVE checking, sanitisation
Research
exa-search, documentation-lookup, analyze-repo, pattern-detection
Autonomous
autonomous-agent-harness, continuous-agent-loop, scheduled operations
Learning
skill-creator, instinct-creator, learning-dna, workflow-discovery
Business
article-writing, market-research, investor-materials, content-engine
Frontend
frontend-slides, nextjs-turbopack, bun-runtime, UI patterns
DevOps
pm2 workflows, multi-agent orchestration, CI/CD integration
๐Ÿค–
Component Deep Dive
48 Specialized Agents
What agents are

Specialized subagents dispatched by the harness for specific roles. They operate with two-stage review (spec compliance, then code quality) and can run in parallel.

code-reviewer
Reviews code against spec and standards after each task
security-reviewer
Dedicated security analysis โ€” triggers on any security finding
architect / code-architect
System design and code-level architectural decisions
build-error-resolver
Diagnoses and fixes build failures automatically
chief-of-staff
Communication triage for complex coordination workflows
a11y-architect
Accessibility review and WCAG compliance
code-simplifier
Reduces complexity, applies YAGNI and DRY principles
typescript/java/kotlin-reviewer
Language-specific review agents (10 languages total)
โšก
Component Deep Dive
79 Slash Commands
Note

Commands are legacy slash-entry compatibility shims. New workflows land in skills/ first. Commands are added only when a compatibility shim is required.

/harness-audit
Baseline all active components and flag issues
/quality-gate [path] --strict
Lint, test, build, and security gate
/skill-create [--instincts]
Generate skills from git history
/instinct-import / list / create
Manage the continuous learning system
/context-audit
Token usage analysis across all components
/cost-optimize
Model routing and cost reduction
/exa-search [query]
Research-first web search via Exa
/multi-plan / execute / backend / frontend / pm2
Multi-agent orchestration suite
๐Ÿ›ก๏ธ
Component Deep Dive
AgentShield Security
Why This Matters

A repo, a PR, a PDF, a helpful MCP, a skill from Discord โ€” any of these can be an injection vector. AgentShield treats agent security as infrastructure, not an afterthought.

5 Scanning Categories

102 rules, 1282 tests, built at Anthropic hackathon

Secrets Detection
14 patterns โ€” API keys, tokens, passwords hardcoded in configs
Permission Auditing
Over-broad permissions in settings.json and agent definitions
Hook Injection Analysis
Suspicious hook patterns, prompt injection vectors
MCP Server Risk
CVE database with 25+ known MCP vulnerabilities
Agent Config Review
Misconfigured agents, unsafe patterns in CLAUDE.md
Skills Review
Skill files checked for injection risks
Immutability Rule (Critical)

Always create new objects โ€” never mutate

// WRONG โ€” mutates config.apiKey = process.env.KEY; // RIGHT โ€” creates new object const newConfig = { ...config, apiKey: process.env.KEY }; // NEVER hardcode secrets const key = "sk-1234abcd"; // ALWAYS use environment variables const key = process.env.ANTHROPIC_API_KEY;
Security Protocol

If a security issue is found: STOP โ†’ use security-reviewer agent โ†’ fix CRITICAL issues โ†’ rotate exposed secrets โ†’ review codebase for similar issues.

๐Ÿงฌ
Component Deep Dive
Memory & Instincts
Persistent Intelligence

ECC's memory system uses MCP to persist context across sessions. The instinct system observes your work, extracts patterns, and evolves them into reusable skills โ€” a homunculus-inspired continuous learning loop.

Memory MCP โ€” Cross-Session Persistence

Bootstrap your identity and context once, remember forever

Create memory entities for: me (user profile), my projects, my key contacts. Add observations about current priorities. # Schedule weekly pattern extraction Create scheduled task: every Sunday 8pm, extract patterns from this week's sessions and update learned skills.
Instinct System v2.1 โ€” Project-Scoped Continuous Learning

Atomic instincts with confidence scoring

  • ๐Ÿ” Hooks observe sessions and flag recurring patterns
  • โšก /instinct-import creates atomic instincts with confidence scores
  • ๐Ÿ“ˆ High-confidence instincts graduate to full skills automatically
  • ๐Ÿ”’ v2.1: Project-scoped โ€” no cross-project contamination
  • ๐Ÿงฌ learning-dna extracts your unique coding DNA from sessions
๐Ÿ”Œ
Component Deep Dive
14 MCP Configurations
Pre-configured MCP Servers

ECC ships ready-to-use configs for 14 MCP servers. User configs are never touched โ€” only ECC-managed sections are updated.

Memory
Cross-session persistent memory store
GitHub
PR creation, issue management, repo operations
Exa
Research-first web search for documentation and code
Context7
Up-to-date library docs and API references
Playwright
Browser automation and UI testing
Supabase
Database operations and auth management
Sequential Thinking
Structured multi-step reasoning
Scheduled Tasks
Cron-based autonomous agent scheduling
# Sync all ECC MCP servers (add-only, safe, never removes user config) bash scripts/sync-ecc-to-codex.sh # Update to latest recommended config bash scripts/sync-ecc-to-codex.sh --update-mcp
06
Practical Use
Real-World Examples
Example 01 โ€” First Day Setup

Fully configured and audited in 5 minutes

/plugin marketplace add affaan-m/everything-claude-code /plugin install everything-claude-code@affaan-m-everything-claude-code /harness-audit npx ecc-agentshield scan /skill-create --instincts
Example 02 โ€” Research Before Build

Research-first: search docs before writing code

Before implementing rate limiting, use exa-search to find current best practices and any known pitfalls for Express.js rate limiting in 2026.
Example 03 โ€” Autonomous Daily PR Review

Scheduled agent reviews PRs every morning

Set up a scheduled task for every weekday at 9 AM: review all open PRs on my repo, check CI status, flag blocking issues, write summary to memory.
Example 04 โ€” Secure a Vibe-Coded Repo

Audit and harden an existing codebase

npx ecc-agentshield scan --opus --stream --fix /quality-gate . --strict /skill-create
Example 05 โ€” Multi-Service Feature

Orchestrate across backend, frontend, and tests in parallel

Use multi-agent orchestration to implement the notifications feature across the Express backend, React frontend, and test suite in parallel.
07
Tips & Tricks
Best Practices
BP 01 โ€” Research First, Always

Never implement without checking current docs first

Use /exa-search before any library integration, security feature, or architectural pattern. A 2-minute search prevents a 2-hour debugging session. This is ECC philosophy: battle-tested patterns beat gut instinct.

BP 02 โ€” Agent Security is Infrastructure

Run AgentShield before every merge to main

A malicious MCP, a skill from Discord, a PR hook โ€” any can be an injection vector. Run npx ecc-agentshield scan in your CI/CD pipeline.

# Add to .github/workflows/security.yml npx ecc-agentshield scan --fix
BP 03 โ€” Small Files, Feature-Organised

200โ€“400 lines typical, 800 max. Feature/domain over type

ECC's rules enforce this. High cohesion, low coupling. Makes parallel subagent execution more reliable and reduces merge conflicts.

BP 04 โ€” Use Selective Install in Teams

Not every project needs all 183 skills

# TypeScript API project ecc install --profile developer --with lang:typescript --with agent:security-reviewer # Data science project ecc install --profile developer --with lang:python --with skill:pytorch-patterns
BP 05 โ€” Review Instincts Weekly

Let high-confidence instincts graduate to skills

Check /instinct-list weekly, prune false positives, promote the best ones to shared team skills via PR.

BP 06 โ€” Audit After Every Update

Always baseline after updating ECC

/plugin update everything-claude-code /harness-audit /quality-gate . --strict
08
For Developers
Developer Guidelines
Dev โ€” Always-On Coding Standards (rules/common)

These rules apply to every project, every session

Immutability
Always create new objects. Never mutate. Return new copies.
File Size
200โ€“400 lines typical. 800 max. Feature-organised, not type-organised.
Error Handling
Handle errors at every level. Never silent fails.
Secrets
NEVER hardcode. Use env vars. Rotate any exposed secrets immediately.
Parallel Execution
Use parallel agents for independent operations.
API Responses
Consistent envelope: success, data, error, pagination.
Dev โ€” Commit & PR Workflow

Conventional commits + comprehensive PR summaries

# Types: feat, fix, refactor, docs, test, chore, perf, ci feat: add oauth2 pkce flow for mobile clients fix: prevent session persistence after logout perf: cache exa search results for 5 minutes
Dev โ€” Contributing New Skills

New workflows land in skills/ first โ€” commands are legacy shims

  1. Fork github.com/affaan-m/everything-claude-code
  2. Create skills/your-skill-name/SKILL.md
  3. Test with subagents using realistic scenarios
  4. Run npm test โ€” 978 tests must pass
  5. Submit PR with commit analysis, description, test plan
Multi-Language Community

ECC has contributors in English, Portuguese, Chinese (Simplified & Traditional), Japanese, Korean, and Turkish. Welcome contributors in any language.

Dev โ€” Repository Pattern (enforced by rules)

Data access always behind a standard interface

interface Repository<T> { findAll(): Promise<T[]> findById(id: string): Promise<T | null> create(data: Partial<T>): Promise<T> update(id: string, data: Partial<T>): Promise<T> delete(id: string): Promise<void> } // Business logic depends on the interface, not storage mechanism