claude-cookbooks
9aa24e41 - feat: add cookbook-audit skill for automated notebook validation (#242)

Commit
209 days ago
feat: add cookbook-audit skill for automated notebook validation (#242)

* feat: add cookbook-audit skill for automated notebook validation

Refactor notebook-review command to delegate validation to a new cookbook-audit skill.

Add comprehensive automated validation script (validate_notebook.py) that:
- Checks for hardcoded secrets and API keys
- Validates notebook structure and introductions
- Detects code quality issues (variable names, verbosity)
- Identifies deprecated API patterns and invalid models
- Converts notebooks to markdown for easier review

Add detailed audit rubric (SKILL.md) with:
- Structured audit workflow and report format
- Scoring framework across 4 dimensions (20 points total)
- Concrete examples of high and low-scoring audits
- Comprehensive checklist and content philosophy
- Style and structural requirements for cookbook notebooks

The validate_notebook.py script runs automated checks and generates a markdown version of notebooks (saved to gitignored tmp/ folder) for more efficient context usage during manual review.

* feat(security): add detect-secrets configuration and Anthropic credentials detector

Add baseline configuration for the detect-secrets library with a custom plugin to detect Anthropic API keys and credentials in notebooks. Includes comprehensive set of built-in detectors and heuristic filters to prevent secrets from being committed to the repository.

feat(cookbook-audit): integrate detect-secrets for hardcoded credential detection

Enhanced the notebook validation to use detect-secrets for identifying hardcoded API keys and credentials. The implementation:
- Runs detect-secrets-hook on notebooks with baseline configuration
- Automatically locates baseline at `scripts/detect-secrets/.secrets.baseline`
- Falls back to basic pattern matching if detect-secrets unavailable
- Provides detailed output for manual review of potential secrets

Updated documentation to reflect the automated secret scanning capability.

* chore(workflows): remove unnecessary id-token permission

Remove id-token: write permission from Claude Code workflow files as it is not needed for these operations. The workflows only require:
- contents: read (to checkout repository code)
- pull-requests: write (to comment on pull requests)

The id-token: write permission is used for OIDC authentication with cloud providers (AWS, GCP, Azure) which these workflows do not use. This follows the principle of least privilege and reduces the security attack surface.

Affected workflows:
- claude-notebook-review.yml
- claude-link-review.yml

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* use relative paths and run ruff on notebook script

---------

Co-authored-by: Claude <noreply@anthropic.com>
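A minimal version of the "basic pattern matching" fallback the commit message describes, as an added example that is not the repository's validate_notebook.py or its detect-secrets plugin. The `sk-ant-` key prefix, the variable-name heuristic and the sample notebook are assumptions constructed here, not taken from the commit.

```python
"""Added example: fallback scan of .ipynb code cells for hardcoded keys.
Not the repository's validate_notebook.py; key prefix and heuristics are assumed."""
import json
import re

# Assumption: Anthropic keys look like 'sk-ant-' followed by a long token.
ANTHROPIC_KEY = re.compile(r"sk-ant-[A-Za-z0-9_\-]{20,}")
# Assumed heuristic: a key-like name assigned a long quoted literal
# (reading from os.environ / getenv produces no quoted literal and is not flagged).
ASSIGNED_LITERAL = re.compile(
    r"""(?i)(?:api[_-]?key|secret|token)\s*=\s*['"]([^'"]{16,})['"]"""
)


def scan_notebook(nb_json: str) -> list[dict]:
    """Return one finding per suspicious line in any code cell of a notebook."""
    nb = json.loads(nb_json)
    findings = []
    for idx, cell in enumerate(nb.get("cells", [])):
        if cell.get("cell_type") != "code":
            continue  # markdown/raw cells are not scanned here
        src = cell.get("source", "")
        # nbformat allows source as a list of lines or a single string
        lines = src if isinstance(src, list) else src.splitlines(keepends=True)
        for lineno, line in enumerate(lines, 1):
            if ANTHROPIC_KEY.search(line):
                kind = "anthropic_api_key"
            elif ASSIGNED_LITERAL.search(line):
                kind = "hardcoded_credential"
            else:
                continue
            findings.append({"cell": idx, "line": lineno, "kind": kind,
                             "text": line.rstrip()})
    return findings


# Constructed sample notebook: one safe cell (env var), one leaking cell.
SAMPLE_NB = json.dumps({
    "cells": [
        {"cell_type": "markdown", "source": ["# Demo\n"]},
        {"cell_type": "code", "source": [
            "import os\n",
            "api_key = os.environ['ANTHROPIC_API_KEY']\n"]},
        {"cell_type": "code", "source": [
            "api_key = 'sk-ant-" + "x" * 24 + "'\n",
            "db_token = \"p@ssw0rd-literal-example\"\n"]},
    ],
    "nbformat": 4, "nbformat_minor": 5,
})

if __name__ == "__main__":
    for f in scan_notebook(SAMPLE_NB):
        print(f"cell {f['cell']} line {f['line']}: {f['kind']}: {f['text']}")
```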