fix: multiple community-reported issues

- feat(plugin.json): add agents declaration to make 9 agents visible
  in /agents command (fixes #66, closes PR #67)

- fix(backend-patterns): correct requirePermission HOF pattern to
  properly wrap handlers instead of expecting Request directly
  (fixes #54, closes PR #63)

- docs(user-CLAUDE): add privacy guideline about redacting secrets
  from logs before sharing (fixes #38, closes PR #39)

- fix(eval-harness): add mandatory frontmatter with name, description,
  and tools fields (closes PR #58)

skills/backend-patterns/SKILL.md

@@ -395,21 +395,26 @@ export function hasPermission(user: User, permission: Permission): boolean {
 }
 
 export function requirePermission(permission: Permission) {
-  return async (request: Request) => {
-    const user = await requireAuth(request)
+  return (handler: (request: Request, user: User) => Promise<Response>) => {
+    return async (request: Request) => {
+      const user = await requireAuth(request)
 
-    if (!hasPermission(user, permission)) {
-      throw new ApiError(403, 'Insufficient permissions')
+      if (!hasPermission(user, permission)) {
+        throw new ApiError(403, 'Insufficient permissions')
+      }
+
+      return handler(request, user)
     }
-
-    return user
   }
 }
 
-// Usage
-export const DELETE = requirePermission('delete')(async (request: Request) => {
-  // Handler with permission check
-})
+// Usage - HOF wraps the handler
+export const DELETE = requirePermission('delete')(
+  async (request: Request, user: User) => {
+    // Handler receives authenticated user with verified permission
+    return new Response('Deleted', { status: 200 })
+  }
+)
 ```
 
 ## Rate Limiting