Commit Graph

21 Commits

  • fix: CI fixes, security audit, remotion skill, lead-intelligence, npm audit (#1039)
    * fix(ci): resolve cross-platform test failures
    
    - Sanity check script (check-codex-global-state.sh) now falls back to
      grep -E when ripgrep is not available, fixing the codex-hooks sync
      test on all CI platforms. Patterns converted to POSIX ERE for
      portability.
    - Unicode safety test accepts both / and \ path separators so the
      executable-file assertion passes on Windows.
    - Gacha test sets PYTHONUTF8=1 so Python uses UTF-8 stdout encoding on
      Windows instead of cp1252, preventing UnicodeEncodeError on box-drawing
      characters.
    - Quoted-hook-path test skipped on Windows where NTFS disallows
      double-quote characters in filenames.
    
    * feat: port remotion-video-creation skill (29 rules), restore missing files
    
    New skill:
    - remotion-video-creation: 29 domain-specific Remotion rules covering 3D/Three.js,
      animations, audio, captions, charts, compositions, fonts, GIFs, Lottie,
      measuring, sequencing, tailwind, text animations, timing, transitions,
      trimming, and video embedding. Ported from personal skills.
    
    Restored:
    - autonomous-agent-harness/SKILL.md (was in commit but missing from worktree)
    - lead-intelligence/ (full directory restored from branch commit)
    
    Updated:
    - manifests/install-modules.json: added remotion-video-creation to media-generation
    - README.md + AGENTS.md: synced counts to 139 skills
    
    Catalog validates: 30 agents, 60 commands, 139 skills.
    
    * fix(security): pin MCP server versions, add dependabot, pin github-script SHA
    
    Critical:
    - Pin all npx -y MCP server packages to specific versions in .mcp.json
      to prevent supply chain attacks via version hijacking:
      - @modelcontextprotocol/server-github@2025.4.8
      - @modelcontextprotocol/server-memory@2026.1.26
      - @modelcontextprotocol/server-sequential-thinking@2025.12.18
      - @playwright/mcp@0.0.69 (was 0.0.68)
    
    Medium:
    - Add .github/dependabot.yml for weekly npm + github-actions updates
      with grouped minor/patch PRs
    - Pin actions/github-script to SHA (was @v7 tag, now pinned to commit)
    
    * feat: add social-graph-ranker skill — weighted network proximity scoring
    
    New skill: social-graph-ranker
    - Weighted social graph traversal with exponential decay across hops
    - Bridge Score: B(m) = Σ w(t) · λ^(d(m,t)-1) ranks mutuals by target proximity
    - Extended Score incorporates 2nd-order network (mutual-of-mutual connections)
    - Final ranking includes engagement bonus for responsive connections
    - Runs in parallel with lead-intelligence skill for combined warm+cold outreach
    - Supports X API + LinkedIn CSV for graph harvesting
    - Outputs tiered action list: warm intros, direct outreach, network gap analysis
    
    Added to business-content install module. Catalog validates: 30/60/140.
    
    * fix(security): npm audit fix — resolve all dependency vulnerabilities
    
    Applied npm audit fix --force to resolve:
    - minimatch ReDoS (3 vulnerabilities, HIGH)
    - smol-toml DoS (MODERATE)
    - brace-expansion memory exhaustion (MODERATE)
    - markdownlint-cli upgraded from 0.47.0 to 0.48.0
    
    npm audit now reports 0 vulnerabilities.
    
    * fix: resolve markdown lint and yarn lockfile sync
    
    - MD047: ensure single trailing newline on all remotion rule files
    - MD012: remove consecutive blank lines in lottie, measuring-dom-nodes, trimming
    - MD034: wrap bare URLs in angle brackets (tailwind, transcribe-captions)
    - yarn.lock: regenerated to sync with npm audit changes in package.json
    
    * fix: replace unicode arrows in lead-intelligence (CI unicode safety check)
  • chore: pin actions to commit SHAs and add Skills section to CLAUDE.md
    Pin all GitHub Actions to commit SHAs instead of mutable version tags
    across ci.yml, release.yml, maintenance.yml, and all reusable workflows.
    This prevents supply-chain attacks via tag hijacking.
    
    Add the required Skills section to CLAUDE.md mapping project files
    (README.md, .github/workflows/*.yml) to their respective review skills.
  • fix(ci): remove --ignore-engines for Yarn Berry (v4+)
    Yarn Berry removed the --ignore-engines flag; engine checking is no
    longer a core feature. The deprecated flag causes yarn install to exit
    with error code 1.
  • fix(ci): enable Corepack for yarn and relax pnpm strict mode
    All 18 pnpm/yarn CI jobs fail on main because:
    1. pnpm v9+ refuses to install when package.json declares
       "packageManager": "yarn@4.9.2" — fixed by setting
       COREPACK_ENABLE_STRICT=0 and --no-frozen-lockfile
    2. CI runners only have Yarn Classic (v1.x) but the project
       uses Yarn Berry (v4.x) — fixed by activating Corepack
       before the cache/install steps
  • fix(ci): enforce catalog count integrity (#525)
    * fix(ci): enforce catalog count integrity
    
    * test: harden catalog structure parsing
  • feat: project-scoped instinct isolation
    * feat: add project-scoped instinct isolation
    
    * fix(continuous-learning-v2): harden instinct loading and promotion safety; sync v2.1 command docs
    
    * fix(ci): make copilot-setup-steps a valid GitHub Actions workflow
    
    * fix(hooks): stabilize docs warning inline JS regex parsing
  • Add Go environment setup step to workflow
    Added a step to set up the Go environment in GitHub Actions workflow.
  • fix: resolve multiple reported issues (#205, #182, #188, #172, #173) (#207)
    * fix: resolve multiple reported issues (#205, #182, #188, #172, #173)
    
    - fix(observe.sh): replace triple-quote JSON parsing with stdin pipe to
      prevent ~49% parse failures on payloads with quotes/backslashes/unicode
    - fix(hooks.json): correct matcher syntax to use simple tool name regexes
      instead of unsupported logical expressions; move command/path filtering
      into hook scripts; use exit code 2 for blocking hooks
    - fix(skills): quote YAML descriptions containing colons in 3 skill files
      and add missing frontmatter to 2 skill files for Codex CLI compatibility
    - feat(rules): add paths: filters to all 15 language-specific rule files
      so they only load when working on matching file types
    - fix(agents): align model fields with CONTRIBUTING.md recommendations
      (opus for planner/architect, sonnet for reviewers/workers, haiku for
      doc-updater)
    
    * ci: use AgentShield GitHub Action instead of npx
    
    Switch from npx ecc-agentshield to uses: affaan-m/agentshield@v1
    for proper GitHub Action demo and marketplace visibility.
  • fix: sync plugin.json version with latest tag (#171)
    Sync plugin.json version to 1.4.1, add CI check to verify versions match on release, and add release.sh script. Fixes #170.
  • feat: add comprehensive CI/CD pipeline
    Adds GitHub Actions workflows for CI, maintenance, and releases with multi-platform testing matrix.