Fix all actionable findings from post-integration codebase review

Resolves 19 issues (1 critical, 4 high, 4 medium, 10 low) identified
after 12 rapid squash-merges into main. Reclassified 5 findings as
intentional or not-issues (M-4, M-5, L-5, L-7, L-10).

Critical: worktree skill crash (plain strings → weighted tuples),
merge conflict marker in first-session.md. Security: dangerous-command-
blocker now fails closed on unexpected exceptions. Python: remove
redundant ValueError, add maxsplit to split(). Shell: executable bit,
variable quoting, pipefail, POSIX redirects, command -v. Docs: agent
count 17→21, skill count→38, plugin count→14, feature count→22 across
all pages; new plugin pages for git-workflow and prompt-snippets;
cc-orc and dbr added to commands reference; architecture tree updated.

Author: AnExiledDev

.devcontainer/CHANGELOG.md

@@ -52,6 +52,18 @@
 
 ### Fixed
 
+#### Post-Integration Review Fixes
+- **skill-engine** — worktree skill definition uses weighted tuples (was plain strings, caused crash)
+- **dangerous-command-blocker** — fail closed on unexpected exceptions (was fail-open)
+- **ticket-workflow** — remove redundant `ValueError` from exception handlers
+- **workspace-scope-guard** — use maxsplit in variable assignment detection
+- **Shell scripts** — add executable bit to `check-setup.sh`, quote `PLUGIN_BLACKLIST` variable, add `set -uo pipefail` to tmux installer, replace deprecated `which` with `command -v`, normalize `&>` redirects in setup scripts
+- **Documentation** — update agent count to 21, skill count to 38, plugin count to 14 across all docs site pages
+- **Documentation** — add missing plugin pages for git-workflow and prompt-snippets
+- **Documentation** — add `cc-orc` and `dbr` to commands reference
+- **Documentation** — remove merge conflict marker from first-session.md
+- **Documentation** — update architecture.md directory tree with new plugins
+
 #### CodeRabbit Review Fixes
 - **`implementer.md`** — changed PostToolUse hook (fires every Edit) to Stop hook (fires once at task end) with 120s timeout; prevents redundant test runs during multi-file tasks
 - **`tester.md`** — increased Stop hook timeout from 30s to 120s to accommodate larger test suites

.devcontainer/connect-external-terminal.sh

@@ -49,7 +49,7 @@ echo "Found container: $CONTAINER_NAME ($CONTAINER_ID)"
 echo ""
 
 # Check if tmux is available in the container
-if ! docker exec "$CONTAINER_ID" which tmux >/dev/null 2>&1; then
+if ! docker exec "$CONTAINER_ID" command -v tmux >/dev/null 2>&1; then
 	echo "ERROR: tmux is not installed in the container."
 	echo "Rebuild the devcontainer to install the tmux feature."
 	exit 1

.devcontainer/features/tmux/install.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 # SPDX-License-Identifier: GPL-3.0-only
 # Copyright (c) 2026 Marcus Krueger
-set -e
+set -euo pipefail
 
 VERSION="${VERSION:-latest}"
 

.devcontainer/plugins/devs-marketplace/plugins/dangerous-command-blocker/scripts/block-dangerous.py

@@ -127,9 +127,9 @@ def main():
         # Fail closed: can't parse means can't verify safety
         sys.exit(2)
     except Exception as e:
-        # Log error but don't block on hook failure
+        # Fail closed: unexpected errors should block, not allow
         print(f"Hook error: {e}", file=sys.stderr)
-        sys.exit(0)
+        sys.exit(2)
 
 
 if __name__ == "__main__":

.devcontainer/plugins/devs-marketplace/plugins/skill-engine/scripts/skill-suggester.py

@@ -546,18 +546,19 @@
     },
     "worktree": {
         "phrases": [
-            "create a worktree",
-            "work in a worktree",
-            "git worktree",
-            "worktree",
-            "parallel branches",
-            "isolate my work",
-            "clean up worktrees",
-            "list worktrees",
-            "set up a worktree",
-            "enter worktree",
+            ("create a worktree", 0.9),
+            ("work in a worktree", 0.8),
+            ("git worktree", 0.9),
+            ("worktree", 0.7),
+            ("parallel branches", 0.6),
+            ("isolate my work", 0.5),
+            ("clean up worktrees", 0.8),
+            ("list worktrees", 0.7),
+            ("set up a worktree", 0.8),
+            ("enter worktree", 0.8),
         ],
         "terms": ["worktree", "EnterWorktree", "WorktreeCreate"],
+        "priority": 5,
     },
 }
 

.devcontainer/plugins/devs-marketplace/plugins/ticket-workflow/scripts/ticket-linker.py

@@ -71,7 +71,7 @@ def fetch_ticket(number: int) -> str | None:
 
     try:
         data = json.loads(result.stdout)
-    except (json.JSONDecodeError, ValueError):
+    except json.JSONDecodeError:
         return None
 
     title = data.get("title", "(no title)")
@@ -103,7 +103,7 @@ def main():
 
     try:
         data = json.loads(raw)
-    except (json.JSONDecodeError, ValueError):
+    except json.JSONDecodeError:
         sys.exit(0)
 
     prompt = data.get("prompt", "")

.devcontainer/plugins/devs-marketplace/plugins/workspace-scope-guard/scripts/guard-workspace-scope.py

@@ -157,7 +157,7 @@ def extract_primary_command(command: str) -> str:
     while i < len(tokens):
         tok = tokens[i]
         # Skip inline variable assignments: VAR=value
-        if "=" in tok and not tok.startswith("-") and tok.split("=")[0].isidentifier():
+        if "=" in tok and not tok.startswith("-") and tok.split("=", 1)[0].isidentifier():
             i += 1
             continue
         # Skip sudo and its flags

.devcontainer/scripts/check-setup.sh

@@ -59,7 +59,7 @@ if [ -d "$MARKETPLACE_PATH/plugins" ]; then
         plugin_name=$(basename "$plugin_dir")
 
         # Skip blacklisted plugins
-        if echo ",$PLUGIN_BLACKLIST," | grep -q ",$plugin_name,"; then
+        if echo ",${PLUGIN_BLACKLIST}," | grep -q ",$plugin_name,"; then
             echo "[setup-plugins] Skipping $plugin_name (blacklisted)"
             continue
         fi

.devcontainer/scripts/setup-plugins.sh

@@ -178,7 +178,7 @@ start_watcher() {
 	fi
 
 	# Check if inotifywait is available (installed by tmux feature at build time)
-	if ! command -v inotifywait &>/dev/null; then
+	if ! command -v inotifywait >/dev/null 2>&1; then
 		echo "$LOG_PREFIX WARNING: inotify-tools not installed, watcher disabled"
 		return 1
 	fi