Add ClaudeCodeFormat to unified build system

.claude-plugin/marketplace.json

@@ -6,16 +6,13 @@
     "url": "https://project-codeguard.org",
     "email": "[email protected]"
   },
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/project-codeguard/rules.git"
-  },
   "plugins": [
     {
       "name": "codeguard-security",
-      "source": ".",
+      "source": "./",
       "description": "Comprehensive security rules for AI coding agents",
       "version": "1.0.0",
+      "repository": "https://github.com/project-codeguard/rules.git",
       "tags": ["security", "code-review", "vulnerability-prevention"]
     }
   ]

.claude-plugin/plugin.json

@@ -8,10 +8,7 @@
   },
   "license": "CC-BY-4.0 (rules), Apache-2.0 (tools)",
   "homepage": "https://github.com/project-codeguard/rules",
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/project-codeguard/rules.git"
-  },
+  "repository": "https://github.com/project-codeguard/rules.git",
   "keywords": ["security", "secure-coding", "vulnerability-prevention", "code-review", "appsec"]
 }
 

skills/software-security/rules/codeguard-0-additional-cryptography.md

@@ -17,6 +17,8 @@ languages:
 alwaysApply: false
 ---
 
+rule_id: codeguard-0-additional-cryptography
+
 ## Additional Cryptography & TLS
 
 Apply modern, vetted cryptography for data at rest and in transit. Manage keys safely, configure TLS correctly, deploy HSTS, and consider pinning only when appropriate.

skills/software-security/rules/codeguard-0-api-web-services.md

@@ -15,6 +15,8 @@ languages:
 alwaysApply: false
 ---
 
+rule_id: codeguard-0-api-web-services
+
 ## API & Web Services Security
 
 Secure REST, GraphQL, and SOAP/WS services end‑to‑end: transport, authn/z, schema validation, SSRF controls, DoS limits, and microservice‑safe patterns.

skills/software-security/rules/codeguard-0-authentication-mfa.md

@@ -16,6 +16,8 @@ languages:
 alwaysApply: false
 ---
 
+rule_id: codeguard-0-authentication-mfa
+
 ## Authentication & MFA
 
 Build a resilient, user-friendly authentication system that resists credential attacks, protects secrets, and supports strong, phishing-resistant MFA and secure recovery.

skills/software-security/rules/codeguard-0-authorization-access-control.md

@@ -14,6 +14,8 @@ languages:
 alwaysApply: false
 ---
 
+rule_id: codeguard-0-authorization-access-control
+
 ## Authorization & Access Control
 
 Enforce least privilege and precise access decisions for every request and resource, prevent IDOR and mass assignment, and provide strong transaction authorization where necessary.

skills/software-security/rules/codeguard-0-client-side-web-security.md

@@ -11,6 +11,8 @@ languages:
 alwaysApply: false
 ---
 
+rule_id: codeguard-0-client-side-web-security
+
 ## Client‑side Web Security
 
 Protect browser clients against code injection, request forgery, UI redress, cross‑site leaks, and unsafe third‑party scripts with layered, context‑aware controls.

skills/software-security/rules/codeguard-0-cloud-orchestration-kubernetes.md

@@ -7,6 +7,8 @@ languages:
 alwaysApply: false
 ---
 
+rule_id: codeguard-0-cloud-orchestration-kubernetes
+
 ## Cloud & Orchestration (Kubernetes)
 
 Kubernetes cluster and workload hardening: identity, policy, networking, secrets, and supply chain controls.

skills/software-security/rules/codeguard-0-data-storage.md

@@ -9,6 +9,8 @@ languages:
 alwaysApply: false
 ---
 
+rule_id: codeguard-0-data-storage
+
 ## Database Security Guidelines
 
 This rule advises on securely configuring SQL and NoSQL databases to protect against data breaches and unauthorized access:

skills/software-security/rules/codeguard-0-devops-ci-cd-containers.md

@@ -11,6 +11,8 @@ languages:
 alwaysApply: false
 ---
 
+rule_id: codeguard-0-devops-ci-cd-containers
+
 ## DevOps, CI/CD, and Containers
 
 Secure the build, packaging, and deployment supply chain: protect pipelines and artifacts, harden containers, and use virtual patching and toolchain flags when necessary.

skills/software-security/rules/codeguard-0-file-handling-and-uploads.md

@@ -13,6 +13,8 @@ languages:
 alwaysApply: false
 ---
 
+rule_id: codeguard-0-file-handling-and-uploads
+
 ## File Upload Security Guidelines
 
 This rule advises on secure file upload practices to prevent malicious file attacks and protect system integrity:

skills/software-security/rules/codeguard-0-framework-and-languages.md

@@ -15,6 +15,8 @@ languages:
 alwaysApply: false
 ---
 
+rule_id: codeguard-0-framework-and-languages
+
 ## Framework & Language Guides
 
 Apply secure‑by‑default patterns per platform. Harden configurations, use built‑in protections, and avoid common pitfalls.

skills/software-security/rules/codeguard-0-iac-security.md

@@ -11,6 +11,8 @@ languages:
 alwaysApply: false
 ---
 
+rule_id: codeguard-0-iac-security
+
 # Infrastructure as Code (IaC) Security
 
 When designing cloud infrastructure and writing Infrastructure as Code (IaC) in languages like Terraform and CloudFormation, always use secure practices and defaults such as preventing public exposure and follow the principle of least privilege. Actively identify security misconfigurations and provide secure alternatives.

skills/software-security/rules/codeguard-0-input-validation-injection.md

@@ -17,6 +17,8 @@ languages:
 alwaysApply: false
 ---
 
+rule_id: codeguard-0-input-validation-injection
+
 ## Input Validation & Injection Defense
 
 Ensure untrusted input is validated and never interpreted as code. Prevent injection across SQL, LDAP, OS commands, templating, and JavaScript runtime object graphs.

skills/software-security/rules/codeguard-0-logging.md

@@ -8,6 +8,8 @@ languages:
 alwaysApply: false
 ---
 
+rule_id: codeguard-0-logging
+
 ## Logging & Monitoring
 
 Produce structured, privacy‑aware telemetry that supports detection, response, and forensics without exposing secrets.

skills/software-security/rules/codeguard-0-mobile-apps.md

@@ -12,6 +12,8 @@ languages:
 alwaysApply: false
 ---
 
+rule_id: codeguard-0-mobile-apps
+
 ## Mobile Application Security Guidelines
 
 Essential security practices for developing secure mobile applications across iOS and Android platforms.

skills/software-security/rules/codeguard-0-privacy-data-protection.md

@@ -8,6 +8,8 @@ languages:
 alwaysApply: false
 ---
 
+rule_id: codeguard-0-privacy-data-protection
+
 - Implement strong cryptography, enforce HTTPS with HSTS, enable certificate pinning,
 and provide user privacy features to protect data and anonymity.
 - Use strong, up-to-date cryptographic algorithms for data in transit and at rest; securely hash passwords with established libraries.

skills/software-security/rules/codeguard-0-session-management-and-cookies.md

@@ -14,6 +14,8 @@ languages:
 alwaysApply: false
 ---
 
+rule_id: codeguard-0-session-management-and-cookies
+
 ## Session Management & Cookies
 
 Implement robust, attack-resistant session handling that prevents fixation, hijacking, and theft while maintaining usability.

skills/software-security/rules/codeguard-0-supply-chain-security.md

@@ -8,6 +8,8 @@ languages:
 alwaysApply: false
 ---
 
+rule_id: codeguard-0-supply-chain-security
+
 ## Dependency & Supply Chain Security
 
 Control third‑party risk across ecosystems, from selection and pinning to provenance, scanning, and rapid response.

skills/software-security/rules/codeguard-0-xml-and-serialization.md

@@ -12,6 +12,8 @@ languages:
 alwaysApply: false
 ---
 
+rule_id: codeguard-0-xml-and-serialization
+
 ## XML & Serialization Hardening
 
 Secure parsing and processing of XML and serialized data; prevent XXE, entity expansion, SSRF, DoS, and unsafe deserialization across platforms.

skills/software-security/rules/codeguard-1-crypto-algorithms.md

@@ -1,9 +1,10 @@
 ---
 description: Cryptographic Security Guidelines
-languages: []
 alwaysApply: true
 ---
 
+rule_id: codeguard-1-crypto-algorithms
+
 # Cryptographic Security Guidelines
 
 ## Banned (Insecure) Algorithms

skills/software-security/rules/codeguard-1-digital-certificates.md

@@ -1,9 +1,10 @@
 ---
 description: Certificate Best Practices
-languages: []
 alwaysApply: true
 ---
 
+rule_id: codeguard-1-digital-certificates
+
 When you encounter data that appears to be an X.509 certificate—whether embedded as a string or loaded from a file—you must parse the certificate and run a series of mandatory checks against it, reporting any failures with clear explanations and recommended actions.
 
 ### 1. How to Identify Certificate Data

skills/software-security/rules/codeguard-1-hardcoded-credentials.md

@@ -1,9 +1,10 @@
 ---
 description: No Hardcoded Credentials
-languages: []
 alwaysApply: true
 ---
 
+rule_id: codeguard-1-hardcoded-credentials
+
 # No Hardcoded Credentials
 
 NEVER store secrets, passwords, API keys, tokens or any other credentials directly in source code.

skills/software-security/rules/codeguard-1-safe-c-functions.md

@@ -1,9 +1,10 @@
 ---
 description: Safe C Functions and Memory and String Safety Guidelines
-languages: []
 alwaysApply: true
 ---
 
+rule_id: codeguard-1-safe-c-functions
+
 # Prioritize Safe Memory and String Functions in C/C++
 
 When processing C or C++ code, your primary directive is to ensure memory safety. Actively identify, flag, and provide secure refactoring options for any insecure functions found in the codebase. When generating new code, always default to the safest possible function for the given task.

src/converter.py

@@ -27,12 +27,14 @@ class FormatOutput:
     Attributes:
         content: The fully formatted content with frontmatter
         extension: File extension including dot (e.g., '.mdc')
-        subpath: Subdirectory path relative to ide_rules (e.g., '.cursor/rules')
+        subpath: Subdirectory path (e.g., '.cursor/rules', 'skills/software-security/rules')
+        outputs_to_ide_rules: Whether this format outputs to ide_rules/ or project root
     """
 
     content: str
     extension: str
     subpath: str
+    outputs_to_ide_rules: bool
 
 
 @dataclass
@@ -50,10 +52,11 @@ class ConversionResult:
             filename="my-rule.md",
             basename="my-rule",
             outputs={
-                "CursorFormat": FormatOutput(
+                "cursor": FormatOutput(
                     content="---\\n...\\n---\\n\\nContent",
                     extension=".mdc",
-                    subpath=".cursor/rules"
+                    subpath=".cursor/rules",
+                    outputs_to_ide_rules=True
                 )
             }
         )
@@ -233,6 +236,7 @@ def convert(self, filepath: str) -> ConversionResult:
                 content=format_handler.generate(rule, globs),
                 extension=format_handler.get_file_extension(),
                 subpath=format_handler.get_output_subpath(),
+                outputs_to_ide_rules=format_handler.outputs_to_ide_rules(),
             )
 
         return ConversionResult(

src/formats/__init__.py

@@ -11,27 +11,31 @@
 - CursorFormat: Generates .mdc files for Cursor IDE
 - WindsurfFormat: Generates .md files for Windsurf IDE
 - CopilotFormat: Generates .instructions.md files for GitHub Copilot
+- ClaudeCodeFormat: Generates .md files for Claude Code plugins
 
 Usage:
-    from formats import BaseFormat, ProcessedRule, CursorFormat, WindsurfFormat, CopilotFormat
+    from formats import BaseFormat, ProcessedRule, CursorFormat, WindsurfFormat, CopilotFormat, ClaudeCodeFormat
 
     version = "1.0.0"
     formats = [
         CursorFormat(version),
         WindsurfFormat(version),
         CopilotFormat(version),
+        ClaudeCodeFormat(version),
     ]
 """
 
 from formats.base import BaseFormat, ProcessedRule
 from formats.cursor import CursorFormat
 from formats.windsurf import WindsurfFormat
 from formats.copilot import CopilotFormat
+from formats.claudecode import ClaudeCodeFormat
 
 __all__ = [
     "BaseFormat",
     "ProcessedRule",
     "CursorFormat",
     "WindsurfFormat",
     "CopilotFormat",
+    "ClaudeCodeFormat",
 ]

src/formats/base.py

@@ -77,13 +77,25 @@ def get_file_extension(self) -> str:
     @abstractmethod
     def get_output_subpath(self) -> str:
         """
-        Return the subdirectory path for this format relative to ide_rules.
+        Return the subdirectory path for this format.
 
         Returns:
-            Subdirectory path (e.g., '.cursor/rules', '.windsurf/rules')
+            Subdirectory path (e.g., '.cursor/rules', 'skills/software-security/rules')
         """
         pass
 
+    def outputs_to_ide_rules(self) -> bool:
+        """
+        Return whether this format outputs to the ide_rules directory.
+
+        Returns:
+            True if output should go to ide_rules/, False for project root
+
+        Override this method if your format outputs to project root instead
+        of ide_rules/ (e.g., Claude Code plugin outputs to skills/)
+        """
+        return True
+
     @abstractmethod
     def generate(self, rule: ProcessedRule, globs: str) -> str:
         """