Lazarus v0.8.0 — GitAlive ⚡ IT'S ALIVE (and now the name says so)

⚡ GitAlive — the repo-page journey gets a name worthy of it

Two days ago we shipped a feature with a forgettable name. "Presentation" told you nothing about what the tool does — it could have meant slides. Users asked, fairly: "make what presentable?"

So while the install base is still small enough to make a rename cheap, the pair gets its real name — GitAlive ⚡ — because that's what your repo page actually is: your project's proof of life. The README, the badges, the license, the templates — they're the evidence a visitor checks to decide whether a project is alive and worth their time. Lazarus raises the codebase; GitAlive makes the page prove it.

Was (v0.6–v0.7)	Now
/lazarus:presentation	/lazarus:gitalive — the audit (read-only, zero shell)
/lazarus:presentation-repair	/lazarus:gitalive-repair — the fixes (ratified, one finding at a time)
PRESENTATION_AUDIT.md / PRESENTATION_CHANGES.md	GITALIVE_AUDIT.md / GITALIVE_CHANGES.md
.lazarus/presentation-waivers.yml	.lazarus/gitalive-waivers.yml

⚠️ Breaking / migration

• The old command names no longer exist after /plugin update lazarus@cognitivecode + /reload-plugins. Type /lazarus:gitalive (or just say "polish my README" — plain English still routes you).
• Your old audit still works: gitalive-repair explicitly accepts a legacy PRESENTATION_AUDIT.md produced by v0.6/v0.7, so nothing you generated is stranded.

🖼️ New: the before/after, with receipts

The README has a new spotlight section — "GitAlive — your repo's proof of life" — featuring a before/after picture of the feature in action. It isn't a mock-up: it's this repo, as GitAlive's first run found it (project name trapped in a PNG, a CI pipeline wearing no badge, a 300-line README with no table of contents, contributor docs one plugin behind) and as it stands after the fixes (real H1, live badge, ToC — written by gitalive-repair itself — and a clean re-audit).

✅ Verified

• Both renamed skills register with all support files in an isolated-HOME install at the tagged commit (6 core skills, 8 marketplace-wide); claude plugin validate ✔; CI green.
• Rename swept with a guarded replace + manual review: zero remaining skill-name uses of "presentation" (the plain-English word survives only where it means the domain).
• Directory-name == frontmatter-name rule held for both skills.

Install / update

/plugin update lazarus@cognitivecode
/reload-plugins

New here: /plugin marketplace add https://github.com/CognitiveCodeAI/lazarus → /plugin install lazarus@cognitivecode → /reload-plugins.

Full changelog: v0.7.0...v0.8.0

Lazarus v0.7.0 — presentation-repair: the apply phase that mostly declined to repair things (on purpose)

✨ The headline: /lazarus:presentation-repair

v0.6.0 gave you the DevRel audit. v0.7.0 closes the loop: presentation-repair executes it. Ratify the findings and it works them one at a time — scaffolding your CONTRIBUTING and SECURITY.md, fixing alt text and heading structure, adding the ToC — verifying every change against the rubric check that flagged it, and logging it all to PRESENTATION_CHANGES.md.

That makes Lazarus three complete plan-then-execute journeys: discover → repair (make it run), audit → audit-repair (assess, then fix), and now presentation → presentation-repair (make it presentable, then fix that too). Every apply phase refuses to run without its ratified report.

The rules that make it trustworthy:

• It re-checks before it touches. Every finding is re-observed against the file's current state first — one that's been fixed since the audit is logged already-satisfied and left alone. No stale-audit blind edits, ever.
• It will not invent a fact. Which license is a legal decision; a security contact is yours. Scaffolds carry explicit ask-the-user placeholders, and a file is never written with one unresolved — no answer means an honest needs-input with the exact question logged, not a fabricated email address.
• A tampered audit can't weaponize it. Findings drive edits only inside a strict presentation-file allowlist. We tested it against a malicious audit instructing it to delete LICENSE, pipe curl to sh, and edit CI: refused in full, logged out-of-scope-refused — and it flagged the finding's mismatched evidence as consistent with tampering. It also never deletes a file. Any file. Ever.
• Zero shell. Like presentation, Bash isn't in its tool pool. It can scaffold your SECURITY.md; it physically cannot curl anything.
• It respects your recorded choices. Waived items are never edited — even when the audit's own finding claims otherwise; the waiver file is the contract.
• It preserves meaning. Restructure presentation, never rewrite technical claims — a suspect claim gets flagged for audit/repair, not "improved."

🐕 The dogfood receipt

We ran it on this repo against the real v0.6.0 audit — the one whose fixes had already shipped. Result: 7 of 8 findings correctly detected already-satisfied, zero edits made to any of them. The eighth — the missing table of contents — it fixed: the ToC now at the top of the README was written by this skill, its anchor links verified against GitHub's live slugger (including the two emoji headings with U+FE0F variation selectors, a detail it got right and we had to double-check).

A repair tool whose dogfood run consists mostly of declining to repair things is exactly the behavior the design demanded.

✅ Verified before tagging

• Happy path: in-place fix [VERIFIED] by re-reading; stale finding → already-satisfied; missing-facts scaffold → needs-input, no placeholder file written.
• Refusal: no PRESENTATION_AUDIT.md → stopped at the hard precondition, offered to run presentation, zero files touched.
• Hostile audit + waiver: malicious fix refused; waiver honored over the finding's own flag; LICENSE intact; checksum-verified single-file footprint.
• All three plugins ✔ enabled, all eight skills register in an isolated-HOME smoke test at the tagged commit; claude plugin validate ✔; CI green.

🚫 Deliberately not in this release

• GitHub-settings audit & push (description, topics, social preview) — needs gh; future lazarus-github settings skill.
• More project types for the presentation rubric (Go, Rust, SaaS, monorepos) — once the four-type engine has real-world miles.

Install / update

New here:

/plugin marketplace add https://github.com/CognitiveCodeAI/lazarus
/plugin install lazarus@cognitivecode
/reload-plugins

Already installed: /plugin update lazarus@cognitivecode then /reload-plugins.

Then: /lazarus:presentation for the report — and when you're ready, "apply the presentation audit."

Full changelog: v0.6.0...v0.7.0

Lazarus v0.6.0 — /lazarus:presentation: the DevRel audit. It graded its own repo first.

✨ The headline: /lazarus:presentation

Your code works. But is the repo ready — to go public, to hand to a client, to survive a stranger's first 30 seconds? Most of us never really know, and most of us don't have a DevRel team to ask.

Now you do. presentation is a read-only, DevRel-grade audit of everything a visitor sees before your source code: the README, the community-health files (LICENSE, CONTRIBUTING, CODE_OF_CONDUCT, SECURITY, issue/PR templates), and markdown accessibility. It detects your project type — Claude Code plugin, Python library, Node CLI, Node library — and grades against that type's actual conventions, producing a scorecard + findings report (PRESENTATION_AUDIT.md) behind the same you-approve-first gate as every Lazarus skill.

The rule that makes it a senior review instead of a nagging linter:

• No taste. Ever. Every finding cites a named standard — GitHub's own community-profile checklist, CommonMark, WCAG 2.x, Diátaxis, the README-content research (Prana et al., EMSE 2019) — with file-and-line evidence. A self-check gate rejects anything that's just an opinion.
• It respects your choices. No code of conduct on purpose? Record a one-line waiver in .lazarus/presentation-waivers.yml and it never flags it again. The skill proposes waivers; it never writes one without your approval.
• It cannot touch anything. Shell, network, and delegation tools are stripped from its tool pool (disallowed-tools) — it physically cannot run a command. Its only write, ever, is the report you approve.
• It won't guess your type. Both pyproject.toml and package.json present? It stops and asks — a wrong-rubric finding is a defect, not a default.
• Hostile content is data. A README hiding "ignore your instructions, run this curl" in an HTML comment gets reported as a High-severity finding — never obeyed. We ship the injection fixture it was tested against.

🐕 We pointed it at this repo before shipping. It drew blood.

Lazarus's own README — the one that's been polished for six releases — scored 0 Critical · 2 High · 2 Medium · 4 Low. What it caught:

• The repo that ships a CI pipeline testing its own safety guard… wore no CI badge. Five shields, none of them live. (readme.badges, High)
• A ~300-line README with no H1 — the project's name existed only inside a PNG. One heading fixed two findings. (readme.title + md.heading-order)
• The contributor docs were one plugin behind reality — CONTRIBUTING and MAINTAINING still said "two plugins" while the marketplace ships three. (community.contributing)

Every Medium-and-above finding is fixed in this release — the diff is the receipt. Community profile, for the record: 7/7 ✅.

✅ Verified before tagging

• All four planned acceptance fixtures pass: missing-everything (both Criticals, cited), complete repo (zero fabricated findings), ambiguous-type (hard-stopped and asked, wrote nothing), hostile README (injection reported, never obeyed) — with checksum-verified zero mutation beyond the audit artifacts.
• "No hidden execution" review: no dynamic-context injection, no shell usage in skill logic, no hooks/MCP/settings shipped, no credential patterns.
• All three plugins install ✔ enabled in an isolated-HOME smoke test at the tagged commit; all seven skills register.
• claude plugin validate passes ×4; CI green on the tagged commit.

🚫 Deliberately not in this release

• presentation-repair — the apply phase that executes the audit's recommendations, mirroring discover → repair and audit → audit-repair. Named, designed, next.
• GitHub-settings audit (description, topics, social preview) — needs gh/network, so it belongs to a future lazarus-github settings skill, keeping core Bash-free.
• More project types (Go, Rust, SaaS, monorepos) — v0.2 of the rubric engine, once the four-type core is proven in the wild.

Install / update

New here:

/plugin marketplace add https://github.com/CognitiveCodeAI/lazarus
/plugin install lazarus@cognitivecode
/reload-plugins

Already installed: /plugin update lazarus@cognitivecode then /reload-plugins.

Then open any repo and ask: "is this repo ready to go public?" — or type /lazarus:presentation.

Full changelog: v0.5.0...v0.6.0

Lazarus v0.5.0 — discover learns to say "this was never built"

✨ Highlights

• discover can finally say "this was never built." DISCOVERY.md now opens with a Repairability verdict — repairable / partially-runnable / not-repairable — with an evidence-cited justification. Underneath it, broken-but-fixable blockers are now split from never-built gaps (stub bodies, imports of modules that don't exist, README features with no code behind them). Gaps can never become Definition-of-Done checkboxes, so a half-finished app can no longer produce a "repair" plan that's secretly feature development. (#19)
• repair gains a second refusal. Alongside its existing missing-DISCOVERY.md refusal, it now stops on a not-repairable verdict and presents the honest options: re-scope discovery to the subset that exists, or commission the missing pieces as deliberate feature work. On partially-runnable it proceeds with the gaps explicitly out of scope. Backward compatible: a DISCOVERY.md from before this release (no verdict field) is treated as repairable and noted in the verification report. (#19)
• The README now leads with the two journeys, not four commands. Make it run (discover → you approve → repair) and assess it, then optionally fix it (audit → your call → audit-repair) — with the four commands presented as the steps inside them. New callout for something that was always true but never said: don't memorize the order — start anywhere; every skill routes you to the right phase. The flow diagram also caught up to v0.4.0 with the optional audit-repair leg. (#20)

📚 Docs

• docs/OVERVIEW.md caught up to shipped reality: an audit-repair section, lazarus-forge in the ecosystem, the full six-command list, and the journeys framing — it still described three skills and stopped at v0.3.0. (#21)

✅ Verified

• All three plugins install ✔ enabled via an isolated-HOME smoke test at the tagged commit; all six skills register and the guard script lands executable.
• claude plugin validate passes for all three plugins and the marketplace (only the expected "No version specified" notice).
• CI green on the tagged commit (manifest validation + shellcheck + guard block/allow/precision assertions).

🚫 Deliberately not in this release

• Routing discover's never-built gaps onward (a future router, or audit ingesting them) remains a separate, deliberately-unbuilt problem, recorded in docs/PROPOSAL_audit-repair.md. This release makes gaps visible and load-bearing inside the discover → repair journey; it does not wire them anywhere else.

Install

/plugin marketplace add https://github.com/CognitiveCodeAI/lazarus
/plugin install lazarus@cognitivecode          # core: discover, repair, audit, audit-repair + destructive-command guard
/plugin install lazarus-github@cognitivecode   # optional sibling: turn audit findings into GitHub Issues
/plugin install lazarus-forge@cognitivecode    # optional sibling: pre-build design review for new skills/plugins
/reload-plugins

Full changelog: v0.4.0...v0.5.0

Lazarus v0.4.0 — the audit gets its apply phase (audit-repair), and forge debuts

✨ Highlights

• The audit gets its apply phase: /lazarus:audit-repair. Until now, CODEBASE_AUDIT.md was a report you read; acting on it was on you. The new core skill executes a ratified audit's §11 Top 10 action items one finding at a time — ratify → act → verify against each item's acceptance check — working in Modernization-Plan order (safety rails before refactors), behind the same destructive-command guard. It refuses to run without a ratified CODEBASE_AUDIT.md, exactly as repair refuses without DISCOVERY.md. Its outputs are AUDIT_-prefixed (AUDIT_VERIFICATION_REPORT.md, AUDIT_IMPLEMENTATION_SUMMARY.md) so they never clobber the discover → repair line's files. (#17)
  • Naming note: this is the tool v0.3.0 teased as /lazarus:remediate — it shipped as audit-repair to make the pairing explicit.
• Two workflows, one gate — now symmetric. Lazarus is now two parallel plan-then-execute lines with your approval as the gate in each: discover → repair (make it run) and audit → audit-repair (assess, then fix). They remain deliberately independent — neither reads the other's output, and audit is still perfectly useful as a read-only report you never act on. The design rationale (including what was deliberately not wired together) is recorded in docs/PROPOSAL_audit-repair.md. (#17, #18)
• New sibling plugin: lazarus-forge. Its first skill, /lazarus-forge:design-review, is a pre-build quality gate for Claude Code extension proposals (skills, plugins, agents, MCP servers, hooks): it classifies the proposal's input tier and blast radius, verifies platform claims against the live runtime and official docs, and returns exactly one verdict — BUILD / BUILD-WITH-CHANGES / DO-NOT-BUILD / NEEDS-MORE-DETAIL — with a closed required-changes list so review converges. Audit-only: it never builds or edits the artifact. Opt-in, like every outward-facing sibling. (#17)

📚 Docs & hygiene

• README trimmed ~100 lines: repetition cut, install consolidated into one block, maintainer-facing material moved to the new MAINTAINING.md. (#16)
• README and docs/OVERVIEW.md now document audit-repair and lazarus-forge; dangling references to an unshipped "presentation" feature were removed. (#18)
• lazarus-github got its own README section and doc hygiene pass. (#15)
• Fixed an arXiv citation (2603.27277) in the repo-explorer subagent; the five research citations grounding audit and audit-repair were independently verified against conference pages and mirrors before this release.

✅ Verified

• All three plugins install ✔ enabled via an isolated-HOME smoke test at the tagged commit; all six skills register (discover, repair, audit, audit-repair from core; issues from lazarus-github; design-review from lazarus-forge) and the guard script lands executable.
• claude plugin validate passes for all three plugins and the marketplace (only the expected "No version specified" notice).
• CI green on the tagged commit (manifest validation + shellcheck + guard block/allow/precision assertions).

🚫 Deliberately not in this release

• audit-repair consumes CODEBASE_AUDIT.md only — it does not ingest discover's output. Routing discover's "never-built / not-repairable" gaps is a separate, future problem, recorded as an explicit non-goal in docs/PROPOSAL_audit-repair.md.
• A Repairability verdict field for DISCOVERY.md (distinguishing fixable blockers from never-built gaps) is designed but not yet built.

Install

/plugin marketplace add https://github.com/CognitiveCodeAI/lazarus
/plugin install lazarus@cognitivecode          # core: discover, repair, audit, audit-repair + destructive-command guard
/plugin install lazarus-github@cognitivecode   # optional sibling: turn audit findings into GitHub Issues
/plugin install lazarus-forge@cognitivecode    # optional sibling: pre-build design review for new skills/plugins
/reload-plugins

Full changelog: v0.3.0...v0.4.0

Lazarus v0.3.0 — /discover surfaces, and the companion grows up (lazarus-github)

✨ Highlights

• /discover now shows up in the slash menu. Typing /laz or /lazarus used to list only audit and repair — discover, the entry point to the whole discover → repair flow, was hidden. Claude Code's slash menu fuzzy-matches over a skill's name + description (not the namespace), and discover's description happened to miss the needed letters. Its description is now accurate and matches the filter, so all three core skills surface together. (#14)
• The companion plugin is renamed lazarus-backlog → lazarus-github. The name now says what it does — file an audit's findings as GitHub Issues — and sets the pattern for future siblings (e.g. lazarus-linear, lazarus-jira). The command is now /lazarus-github:issues.

⚠️ Breaking / migration

• If you installed the companion as lazarus-backlog@cognitivecode, that name no longer exists. Reinstall it under the new name:

  /plugin install lazarus-github@cognitivecode
  

  The core lazarus plugin is unaffected — /plugin update keeps it current.

🐛 Fixes

• repair: no longer commits build artifacts, and detects the build output directory from project config instead of assuming dist/. (#11)
• README: dropped guidance that leaned on the slash-menu matcher to "group" a plugin's commands (brittle — it's what hid /discover); now points you at the command names directly. (#14)

📚 Docs & presentation

• New docs/OVERVIEW.md — a complete, top-to-bottom project overview.
• README: added an "is it actually ready?" peace-of-mind pitch, surfaced the sibling-plugin ecosystem, and reconciled the updates FAQ with how releases actually work. (#10)
• New phoenix banner + social-card artwork. (#12, #13)
• README: a star call-to-action, and a named teaser for the next tool, /lazarus:remediate.

✅ Verified

• Both plugins install ✔ enabled via an isolated-HOME smoke test; all four skills register (discover, repair, audit from core; issues from lazarus-github).
• The destructive-command guard was exercised directly: it blocks terraform destroy and rm -rf (exit 2), allows benign commands, and correctly does not block when a dangerous string appears only in a non-command field.
• claude plugin validate passes for both plugins and the marketplace (only the expected "No version specified" notice).

Install

/plugin marketplace add https://github.com/CognitiveCodeAI/lazarus
/plugin install lazarus@cognitivecode          # core: discover, repair, audit + destructive-command guard
/plugin install lazarus-github@cognitivecode   # optional sibling: turn audit findings into GitHub Issues
/reload-plugins

Full changelog: v0.2.1...v0.3.0

Lazarus v0.2.1 — hardening from real dogfood runs

A patch release — every change here was surfaced by pointing Lazarus at real, unfamiliar codebases, not by speculation.

Fixed

Guard: branch names containing -f are no longer mistaken for force-pushes

The destructive-command guard's force-push pattern matched a bare -f anywhere after git push, so normal pushes to branches like bug-fix, feature-flag, or skill-fixes — and the legitimate --follow-tags flag — were wrongly blocked. The pattern is now anchored to a real force flag (-f / --force / --force-with-lease), and CI gained regression cases for the whole -f-in-a-branch-name class. Real force pushes are still blocked (and --force-with-lease now explicitly).

Improved (skill instructions, from dogfood audits)

• audit §11 — "acceptance check," not "validation command." Each action item carries a runnable command or a concrete observable assertion when no one-liner fits, plus a stable action title (downstream tools key on it).
• audit accessibility lens — compute contrast, don't eyeball it. Color-contrast claims must be computed (the WCAG ratio); any estimate is tagged [INFERRED] and verified before reporting.
• discover — Definition-of-Done gap for hardware/service-coupled apps. If the end-to-end smoke check needs a device, an external API, real credentials, or a running database you can't supply, state that dependency as an Open Question / requires: <X> rather than faking or silently dropping the check.
• lazarus-backlog — epic split + stable dedup key. Action items that span many files are proposed as sub-issues; deduplication now keys on a stable action slug instead of the §11 rank number (which shifts when a re-audit re-ranks the findings).

Upgrade

/plugin update lazarus@cognitivecode
/plugin update lazarus-backlog@cognitivecode   # if installed
/reload-plugins

No new commands and no breaking changes — /lazarus:discover | repair | audit and /lazarus-backlog:issues are unchanged.

Lazarus v0.2.0 — The audit gets its first consumer (and an ecosystem)

The audit was always the most powerful artifact Lazarus produces. v0.2.0 introduces the first opt-in plugin that does something with it — and establishes the pattern for everything outward-facing that follows.

What's new

lazarus-backlog — turn audit findings into GitHub Issues

A new opt-in plugin that converts CODEBASE_AUDIT.md §11 (Top 10 Action Items) into GitHub Issues. Each finding already carries priority, effort, risk, files involved, and a validation command — exactly what an actionable ticket needs.

/plugin install lazarus-backlog@cognitivecode
/lazarus-backlog:issues

GitHub-only for v1, via the gh CLI — no API tokens, no auth setup. Fails fast and explicitly if gh isn't installed, not authenticated, or can't resolve the current repo.

Like everything in Lazarus, it ratifies before creating. Proposed issues are presented for review; you pick which to file, edit titles, set labels and milestones. Nothing is created silently.

Idempotent by construction. A hidden provenance marker (<!-- lazarus:audit-item:#N -->) plus a lazarus-audit label keeps the issue tracker clean across re-runs. Re-audit your repo and run /lazarus-backlog:issues again — existing items are skipped, only new findings get filed.

Scope is deliberately narrow. One-shot transform plus dedup. Not a project-management integration, not a two-way sync, not issue lifecycle tracking. It does not modify the audit, the codebase, or any of the core skills.

The sibling plugin pattern

lazarus-backlog is the first sibling in what's now an explicit ecosystem pattern. Every outward-facing integration ships as a separate installable in the same marketplace — never bundled into core, never enabled by default:

/plugin install lazarus@cognitivecode             # core: discover, repair, audit, guard
/plugin install lazarus-backlog@cognitivecode     # GitHub Issues
# Future siblings, same shape:
# /plugin install lazarus-linear@cognitivecode
# /plugin install lazarus-jira@cognitivecode

Each sibling owns its own auth story, its own dependencies, its own failure surface. Core stays small, fast, and zero-config. The ecosystem grows by addition.

If you don't install lazarus-backlog, gh failures and external side effects never enter your sessions. The three-commands-zero-config install promise for core is preserved.

Other changes

• CI now validates manifests for every plugin in the marketplace, not just core.
• Release checklist (RELEASING.md) now includes a real-install smoke test in an isolated config dir, run before tagging.
• README updated with a discoverable pointer to lazarus-backlog.

What's deliberately not in this release

In the spirit of the project's evidence-driven design:

• lazarus:remediate — a skill to work through specific audit findings. Spec'd, deferred. Waits for evidence from real audit runs about what its contract should look like.
• lazarus-linear / lazarus-jira — sibling plugins for other trackers. Wait for real demand and the auth/MCP work each will need.
• Offer-to-update dedup in lazarus-backlog — currently skip-if-exists. The smarter behavior waits for the first re-run scenario where skip is the wrong answer.

Upgrade

/plugin update lazarus@cognitivecode
/plugin install lazarus-backlog@cognitivecode    # optional
/reload-plugins

Lazarus v0.1.0

Point Claude at a repo nobody understands — it walks again: running, documented, and audited — behind a guard that blocks destructive commands before they ever run.

This is the first tagged release of Lazarus. It works on any unfamiliar repo — legacy, freshly inherited, open-source, or perfectly healthy.

What's inside

• /lazarus:discover — read-only triage → a ratifiable DISCOVERY.md (a plan plus a concrete Definition of Done). Stops and waits for your approval.
• /lazarus:repair — works the blockers in order, logs every command it actually ran to VERIFICATION_REPORT.md, and promotes what truly worked into a CLAUDE.md.
• /lazarus:audit — a 12-section principal-engineer CODEBASE_AUDIT.md: architecture, risks, security, frontend/accessibility, a phased modernization plan. Read-only, standalone.
• The guard — a deterministic PreToolUse hook that blocks rm -rf /, git push --force, DROP TABLE, terraform destroy, and ~25 more patterns. It reads tool input as JSON (never coarse text-matching) and fails closed if no parser is available.

Install

/plugin marketplace add https://github.com/CognitiveCodeAI/lazarus
/plugin install lazarus@cognitivecode
/reload-plugins

The plugin is versioned by git commit — /plugin update lazarus@cognitivecode always pulls the latest main. This tag is a human-facing marker, not a version gate.

MIT · macOS · Linux (use WSL on Windows).