Composable persona · style · 30 engineering skills · 4 native security domains · self-evolution forge · code graph intelligence
for Claude Code · Codex CLI · Gemini CLI · OpenClaw
Website · Spec · 中文文档 · Changelog · Submit Persona
The problem
Most AI coding agents have no memory of who they are. They respond in the same flat tone whether they're debugging a race condition, reviewing architecture, or triaging a P0 incident. They forget your conventions between sessions. They flip-flop on advice. They sound like a help-desk script.
And when you ask them about security — pentest, code audit, threat modeling, IR — most agents fall back to generic OWASP recitation, because the underlying skill library was never written by people who actually run red/blue/purple teams.
You don't want a help desk. You want a principal engineer who shows up with a personality, executes consistently, closes the loop — and has a security spine when things get real.
What Code Abyss does
One command installs three composable layers into your agent's runtime:
┌─────────────────────────────────────────────────────┐
│ Identity who it is → config/personas/*.md │
│ Behavior how it acts → _shared/*.md │
│ Style how it sounds → output-styles/*.md │
└─────────────────────────────────────────────────────┘
6 personas × 6 styles = 36 validated combinationsPick any persona. Pair it with any style. The behavior layer (iron laws, execution chains, proactive protocol, skill routing) stays constant. Your agent becomes a consistent character with structured execution and domain expertise across every session.
What's new in v4
- 4 native security domains — 4073 lines of original defense engineering (no Apache-2.0 upstream)
- 30 skills total, all
SKILL.md≤ 110 lines (avg 59), heavy content lives inreferences/ - 5 verify skills rewritten as judgment-type knowledge (when to use, how to interpret output, exemption rules)
- Office skills slim to under 100 lines each; 4 design systems consolidated into one selector skill
- v4.1 — self-evolution forge:
cultivating-skills/cultivating-personaslet the agent distill repeated workflows into reusable skills, with a safety scan and a three-tier publish funnel (local → project → community) - v4.4 — hardware + academic writing: 3 new domain skills (KiCad EDA, hardware product pipeline, AIGC detection reduction) + prompt injection defense + execution-drive shared behavior
- v4.5 — dynamic persona loading: only
abyssships with npm — all other personas are fetched from GitHub on first use and cached locally, slimming the package - v4.6 — code graph intelligence:
abyssCLI builds a code relationship graph (call graph + temporal analysis) in 5 seconds — caller tracing, impact analysis, hotspot detection, change coupling. Pre-edit hooks auto-check callers across all 4 platforms
npx code-abyss -t claude -yOr as a Claude Code plugin:
claude plugin install code-abyssPersonas
|
CORE · LITERARY 邪修红尘仙 ·
|
REMOTE · LITERARY 文言小生 ·
|
|
REMOTE · CASUAL 知性大姐姐 ·
|
REMOTE · PLAYFUL 古怪精灵小师妹 ·
|
|
REMOTE · CASUAL 铁壁暖阳 ·
|
REMOTE · COMMUNITY 东北魅影·雨姐 ·
|
Core persona (abyss) ships with npm and works offline. Remote personas are fetched from GitHub on first --persona <slug> use and cached at ~/.code-abyss/personas/.
# Mix freely — any persona × any style
npx code-abyss -t claude --persona elder-sister --style abyss-cultivator -y
# → fetches elder-sister on first run, cached thereafterSecurity suite (v4 highlight)
4 native security skills, 4073 lines of original engineering content. No Apache-2.0 upstream — every example, every detection signal, every defense pattern is written for this project.
| Skill | Focus | Size |
|---|---|---|
| 🛡 defending-applications | Web/API/GraphQL hardening, OAuth/OIDC/JWT/Session, LLM AppSec (prompt injection, RAG poisoning, agent authz) | 785 lines |
| ☁️ securing-cloud-and-supply-chain | Container escape, K8s RBAC/PSS, Service Mesh, SLSA/Sigstore/SBOM, cloud IAM, IaC | 1246 lines |
| 🔭 detecting-and-responding | Sigma/YARA rule writing, EDR primitives, NIST 800-61 IR, forensics (Win/Linux/Mac/Cloud), hypothesis-driven threat hunting | 942 lines |
| 🏛 architecting-security | STRIDE/PASTA/LINDDUN threat modeling, zero-trust identity (WebAuthn / Kerberos hardening / PAM JIT), SOC2/PCI/HIPAA/GDPR evidence chains | 1100 lines |
Plus securing-systems as the router skill covering pentest, code audit, red/blue/purple team operations. Every attack technique ships with the matching detection signal and mitigation pattern — "with offense as defense" is structural, not lip service.
Code graph intelligence (v4.6 highlight)
Your agent can now see code relationships. The abyss CLI builds a full call graph, temporal analysis, and hotspot map — in 5 seconds, with zero cloud dependencies.
| Capability | What it answers | Command |
|---|---|---|
| Caller tracing | "Who calls this function?" | abyss callers <symbol> |
| Impact analysis | "What breaks if I change this?" | abyss impact <symbol> |
| File context | "What do I need to know before editing this file?" | abyss context <file> |
| Hotspot map | "Where is the riskiest code?" | abyss map |
| Change coupling | "Which files always change together?" | abyss map |
| Evolution trace | "Why does this code look the way it does?" | abyss history <file> |
The indexing-code skill automatically hooks into all 4 supported platforms — before every Edit/Write, the agent checks callers and warns about high-impact changes. No MCP server needed; abyss runs as a CLI via the agent's shell tool.
# Real output from a 1862-file Go project (5 seconds to index):
$ abyss impact SetError
impact: SetError direct=17 transitive=521 tests=469 uncovered=319 risk=10.0/10
⚠ high blast radius (17 direct callers)
⚠ deep dependency chain (521 transitive)
⚠ 319 call paths without test coverageabyss is a separate Rust binary (code-abyss-dev). Install: bash install.sh in the repo, or copy the release binary to ~/.local/bin/abyss.
Skills
30 domain skills, flat structure, agentskills.io aligned (with Code Abyss extensions). Skills load by context — the agent reads the right knowledge at the right time without being asked. Average SKILL.md is 59 lines; heavy content lives in references/.
| Domain | Coverage |
|---|---|
| 🛡 Security | 4 native suites above (defending / cloud / detect-respond / architect) + pentest / code-audit / red-blue-purple team |
| 🤖 AI / Agent | Single-agent dev (ReAct/Plan-Execute), multi-agent orchestration, RAG, prompt engineering, LLM security |
| 🏛 Architecture | API design, cloud-native patterns, messaging, caching, data security |
| 💻 Development | Python, TypeScript, Go, Rust, Java, C++, Shell |
| 🚀 DevOps | Git workflow, testing, databases, observability, performance, FinOps |
| 🎨 Frontend | Unified design system selector — Glassmorphism / Liquid Glass / Neubrutalism / Claymorphism |
| 📑 Office | Word, PDF, PowerPoint, Excel — OOXML-level automation |
| 📡 Infra / Mobile / Data | Kubernetes, GitOps, IaC · iOS, Android, RN, Flutter · pipelines, streaming, quality |
| 🔩 Hardware / Embedded | Full-stack hardware product pipeline (ESP-IDF firmware + KiCad PCB + UniApp) · KiCad 9 MCP tool routing (17 tools, autoroute-only, DRC gate) |
| 📝 Academic Writing | AIGC detection reduction for 维普/知网/Turnitin — multi-layer rewriting (structure → lexicon → content injection), docx run-level editing |
| 🔬 Code Intelligence | Call graph, impact analysis, hotspot detection, change coupling, evolution tracing — via abyss CLI with cross-platform hooks |
| 🜲 Self-evolution | cultivating-skills (distill repeated workflows) + cultivating-personas (distill voice into Tech Persona Card) — both with safety scan + 3-tier publish funnel |
Five skills also ship as executable verification tools for CI:
node skills/analyzing-security/scripts/security_scanner.js . # OWASP / injection / secrets
node skills/checking-code-quality/scripts/quality_checker.js . # Complexity, dupes, naming
node skills/analyzing-changes/scripts/change_analyzer.js --mode staged
node skills/verifying-modules/scripts/module_scanner.js <path>
node skills/generating-docs/scripts/doc_generator.js <path>Install
| Target | Command | Artifacts |
|---|---|---|
 |
npx code-abyss -t claude -y |
CLAUDE.md + skills + output styles + settings |
 |
npx code-abyss -t codex -y |
instruction.md + skills + config.toml |
 |
npx code-abyss -t gemini -y |
GEMINI.md + skills + commands |
 |
npx code-abyss -t openclaw -y |
Skills + workspace AGENTS.md / SOUL.md |
npx code-abyss # Interactive — pick target, persona, style
npx code-abyss --list-styles # Browse styles
npx code-abyss --uninstall claude # Clean removal, restores user backupsCode Abyss tracks every installed file in .code-abyss-backup/manifest.json. Uninstall restores your previous configuration verbatim. Your custom skills coexist with Code Abyss skills — install/uninstall preserves anything you put under ~/.{target}/skills/ yourself.
Upgrading
| From | To | Path |
|---|---|---|
| v3.x | v4.x | npx code-abyss --uninstall <target> → install v4 → npm run migrate:v4 -- -t <target> (optional cleanup) |
| v2.x | v3.x | npx code-abyss --uninstall <target> first, then install v3 |
Tech Persona Card · open standard
Code Abyss introduces Tech Persona Card v1.0 — the first portable format for AI agent persona interchange. Think Character Card V2, but for engineering workflows instead of roleplay.
Each persona ships as a structured persona-card.json with voice, capabilities, scenarios, and three-layer content references:
{
"spec": "tech-persona-card",
"spec_version": "1.0",
"data": {
"name": "stoic-architect",
"voice": {
"self": "I", "user": "colleague",
"register": "formal", "emoji_policy": "none"
},
"scenarios": [{
"name": "Architecture Review",
"triggers": ["design", "scale"],
"chain": ["constraints", "options", "trade-offs", "diagram"],
"priority": "correctness > completeness > speed"
}]
}
}Bidirectional converters ship out of the box:
const { toCharaCardV2, toGPTInstructions, fromCharaCardV2 } =
require('code-abyss/bin/lib/persona-converter');
const cc = toCharaCardV2(card, { identityContent }); // → SillyTavern / Chub.ai
const gpt = toGPTInstructions(card, { identityContent });// → OpenAI Custom GPTSpecification · JSON Schema · Reference cards
Why Code Abyss
| Without Code Abyss | With Code Abyss | |
|---|---|---|
| Identity | Flat help-desk tone | Consistent character with named voice |
| Execution | Ad-hoc, varies by prompt | Iron laws + execution chains baked in |
| Code awareness | grep + read one file at a time | Call graph, impact analysis, hotspot map — agent knows what breaks before it edits |
| Domain depth | Generic best-practices | 30 skill files load by context |
| Security depth | OWASP recitation | 4 native suites · 4073 lines · detection signals + mitigation patterns |
| Cross-platform | Re-engineer per CLI | One spec, four platforms, cross-platform hooks |
| Reproducibility | Prompt drift across sessions | Versioned persona-card.json |
Contributing
git clone https://github.com/telagod/code-abyss && cd code-abyss
npm install
npm test # 383 tests
npm run verify:skills # Validate 30 skill contractsAdd a skill — create skills/<gerund-name>/SKILL.md with SKILL frontmatter, optionally add scripts/ for executable tools. npm run verify:skills validates the contract.
Submit a persona — open an Issue via the submission portal. The site walks you through generating a persona-card.json + identity.md with your own AI, reviewing, and submitting via a pre-configured issue template.
MIT License · v4.6.0 · made with 紫宵脉 by @telagod