Commit Graph

148 Commits

  • fix: CI fixes, security audit, remotion skill, lead-intelligence, npm audit (#1039)
    * fix(ci): resolve cross-platform test failures
    
    - Sanity check script (check-codex-global-state.sh) now falls back to
      grep -E when ripgrep is not available, fixing the codex-hooks sync
      test on all CI platforms. Patterns converted to POSIX ERE for
      portability.
    - Unicode safety test accepts both / and \ path separators so the
      executable-file assertion passes on Windows.
    - Gacha test sets PYTHONUTF8=1 so Python uses UTF-8 stdout encoding on
      Windows instead of cp1252, preventing UnicodeEncodeError on box-drawing
      characters.
    - Quoted-hook-path test skipped on Windows where NTFS disallows
      double-quote characters in filenames.
    
    * feat: port remotion-video-creation skill (29 rules), restore missing files
    
    New skill:
    - remotion-video-creation: 29 domain-specific Remotion rules covering 3D/Three.js,
      animations, audio, captions, charts, compositions, fonts, GIFs, Lottie,
      measuring, sequencing, tailwind, text animations, timing, transitions,
      trimming, and video embedding. Ported from personal skills.
    
    Restored:
    - autonomous-agent-harness/SKILL.md (was in commit but missing from worktree)
    - lead-intelligence/ (full directory restored from branch commit)
    
    Updated:
    - manifests/install-modules.json: added remotion-video-creation to media-generation
    - README.md + AGENTS.md: synced counts to 139 skills
    
    Catalog validates: 30 agents, 60 commands, 139 skills.
    
    * fix(security): pin MCP server versions, add dependabot, pin github-script SHA
    
    Critical:
    - Pin all npx -y MCP server packages to specific versions in .mcp.json
      to prevent supply chain attacks via version hijacking:
      - @modelcontextprotocol/server-github@2025.4.8
      - @modelcontextprotocol/server-memory@2026.1.26
      - @modelcontextprotocol/server-sequential-thinking@2025.12.18
      - @playwright/mcp@0.0.69 (was 0.0.68)
    
    Medium:
    - Add .github/dependabot.yml for weekly npm + github-actions updates
      with grouped minor/patch PRs
    - Pin actions/github-script to SHA (was @v7 tag, now pinned to commit)
    
    * feat: add social-graph-ranker skill — weighted network proximity scoring
    
    New skill: social-graph-ranker
    - Weighted social graph traversal with exponential decay across hops
    - Bridge Score: B(m) = Σ w(t) · λ^(d(m,t)-1) ranks mutuals by target proximity
    - Extended Score incorporates 2nd-order network (mutual-of-mutual connections)
    - Final ranking includes engagement bonus for responsive connections
    - Runs in parallel with lead-intelligence skill for combined warm+cold outreach
    - Supports X API + LinkedIn CSV for graph harvesting
    - Outputs tiered action list: warm intros, direct outreach, network gap analysis
    
    Added to business-content install module. Catalog validates: 30/60/140.
    
    * fix(security): npm audit fix — resolve all dependency vulnerabilities
    
    Applied npm audit fix --force to resolve:
    - minimatch ReDoS (3 vulnerabilities, HIGH)
    - smol-toml DoS (MODERATE)
    - brace-expansion memory exhaustion (MODERATE)
    - markdownlint-cli upgraded from 0.47.0 to 0.48.0
    
    npm audit now reports 0 vulnerabilities.
    
    * fix: resolve markdown lint and yarn lockfile sync
    
    - MD047: ensure single trailing newline on all remotion rule files
    - MD012: remove consecutive blank lines in lottie, measuring-dom-nodes, trimming
    - MD034: wrap bare URLs in angle brackets (tailwind, transcribe-captions)
    - yarn.lock: regenerated to sync with npm audit changes in package.json
    
    * fix: replace unicode arrows in lead-intelligence (CI unicode safety check)
  • Merge pull request #932 from KT-lcz/readme
    docs: fix rule installation examples
  • Merge pull request #931 from KT-lcz/main
    docs: clarify multi-model command setup
  • fix(installer): show help text on error and document --profile full in README
    Running install.ps1/install.sh with no arguments gave a cryptic error
    with no guidance. Now the usage help is printed after the error so users
    know what arguments to pass.
    
    Also added --profile full as the recommended install option in the README
    quick-start section, which was previously undocumented.
    
    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
  • docs: fix rule installation examples
    Clarify that manual rule installation should preserve the rules directory structure so references keep working and filename collisions are avoided.
  • docs: clarify multi-model command setup
    Document that multi-* commands require the ccg-workflow runtime so users know they must initialize the extra wrapper and prompt assets before use.
  • feat(skills): add skill-comply — automated behavioral compliance measurement (#724)
    * feat(skills): add skill-comply — automated behavioral compliance measurement
    
    Automated compliance measurement for skills, rules, and agent definitions.
    Generates behavioral specs, runs scenarios at 3 strictness levels,
    classifies tool calls via LLM, and produces self-contained reports.
    
    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    
    * fix(skill-comply): address bot review feedback
    
    - AGENTS.md: fix stale skill count (115 → 117) in project structure
    - run.py: replace remaining print() with logger, add zero-division guard,
      create parent dirs for --output path
    - runner.py: add returncode check for claude subprocess, clarify
      relative_to path traversal validation
    - parser.py: use is_file() instead of exists(), catch KeyError for
      missing trace fields, add file check in parse_spec
    - classifier.py: log warnings on malformed classification output,
      guard against non-dict JSON responses
    - grader.py: filter negative indices from LLM classification
    
    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    
    ---------
    
    Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
  • feat: pending instinct TTL pruning and /prune command (#725)
    * feat: add pending instinct TTL pruning and /prune command
    
    Pending instincts generated by the observer accumulate indefinitely
    with no cleanup mechanism. This adds lifecycle management:
    
    - `instinct-cli.py prune` — delete pending instincts older than 30 days
      (configurable via --max-age). Supports --dry-run and --quiet flags.
    - Enhanced `status` command — shows pending count, warns at 5+,
      highlights instincts expiring within 7 days.
    - `observer-loop.sh` — runs prune before each analysis cycle.
    - `/prune` slash command — user-facing command for manual pruning.
    
    Design rationale: council consensus (4/4) rejected auto-promote in
    favor of TTL-based garbage collection. Frequency of observation does
    not establish correctness. Unreviewed pending instincts auto-delete
    after 30 days; if the pattern is real, the observer will regenerate it.
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    Co-Authored-By: Happy <yesreply@happy.engineering>
    
    * fix: remove duplicate functions, broaden extension filter, fix prune output
    
    - Remove duplicate _collect_pending_dirs and _parse_created_date defs
    - Use ALLOWED_INSTINCT_EXTENSIONS (.md/.yaml/.yml) instead of .md-only
    - Track actually-deleted items separately from expired for accurate output
    - Update README.md and AGENTS.md command counts: 59 → 60
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    Co-Authored-By: Happy <yesreply@happy.engineering>
    
    * fix: address Copilot and CodeRabbit review findings
    
    - Use is_dir() instead of exists() for pending path checks
    - Change > to >= for --max-age boundary (--max-age 0 now prunes all)
    - Use CLV2_PYTHON_CMD env var in observer-loop.sh prune call
    - Remove unused source_dupes variable
    - Remove extraneous f-string prefix on static string
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    Co-Authored-By: Happy <yesreply@happy.engineering>
    
    * fix: update AGENTS.md project structure command count 59 → 60
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    
    * fix: address cubic and coderabbit review findings
    
    - Fix status early return skipping pending instinct warnings (cubic #1)
    - Exclude already-expired items from expiring-soon filter (cubic #2)
    - Warn on unparseable pending instinct age instead of silent skip (cubic #4)
    - Log prune failures to observer.log instead of silencing (cubic #5)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    
    * fix: YAML single-quote unescaping, f-string cleanup, add /prune to README
    
    - Fix single-quoted YAML unescaping: use '' doubling (YAML spec) not
      backslash escaping which only applies to double-quoted strings (greptile P1)
    - Remove extraneous f-string prefix on static string (coderabbit)
    - Add /prune to README command catalog and file tree (cubic)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    
    ---------
    
    Co-authored-by: Claude <noreply@anthropic.com>
    Co-authored-by: Happy <yesreply@happy.engineering>
  • fix: safe Codex config sync — merge AGENTS.md + add-only MCP servers (#723)
    * fix: replace bash TOML surgery with Node add-only MCP merge
    
    The old sync script used awk/sed to remove and re-append MCP server
    sections in config.toml, causing credential extraction races, duplicate
    TOML tables, and 3 fragile code paths with 9 remove_section_inplace
    calls each.
    
    Replace with a Node script (scripts/codex/merge-mcp-config.js) that
    uses @iarna/toml to parse the config, then appends only missing ECC
    servers — preserving all existing content byte-for-byte. Warns on
    config drift, supports legacy aliases (context7 → context7-mcp), and
    adds --update-mcp flag for explicit refresh.
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    Co-Authored-By: Happy <yesreply@happy.engineering>
    
    * fix: address PR #723 review findings for Codex MCP merge
    
    - Use package-manager abstraction (scripts/lib/package-manager.js)
      instead of hardcoding pnpm — respects CLAUDE_PACKAGE_MANAGER,
      lock files, and project config
    - Add Yarn 1.x fallback to npx (yarn dlx unsupported in classic)
    - Add missing exa server to match .codex/config.toml baseline
    - Wire up findSubSections for --update-mcp nested subtable removal
      (fixes Greptile P1: Object.keys only returned top-level keys)
    - Fix resolvedLabel to prefer canonical entry over legacy alias
      when both exist (fixes context7/context7-mcp spurious warning)
    - Fix removeSectionFromText to handle inline TOML comments
    - Fix dry-run + --update-mcp to show removals before early return
    - Update README parity table: 4 → 7 servers, TOML-parser-based
    - Add non-npm install variants to README Codex quick start
    - Update package-lock.json for @iarna/toml
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    Co-Authored-By: Happy <yesreply@happy.engineering>
    
    * fix: address PR #723 review comments (preflight, marker validation)
    
    - Add Node.js and merge-mcp-config.js to preflight checks so the
      script fails fast before partial writes (CodeRabbit)
    - Validate marker counts: require exactly 1 BEGIN + 1 END in correct
      order for clean replacement (CodeRabbit)
    - Corrupted markers: strip all marker lines and re-append fresh block,
      preserving user content outside markers instead of overwriting
    - Move MCP_MERGE_SCRIPT to preflight section, remove duplicate
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    Co-Authored-By: Happy <yesreply@happy.engineering>
    
    ---------
    
    Co-authored-by: Claude <noreply@anthropic.com>
    Co-authored-by: Happy <yesreply@happy.engineering>
  • Add Turkish (tr) docs and update README (#744)
    * Add Turkish (tr) docs and update README
    
    Add a full set of Turkish documentation under docs/tr (agents, changelog, CLAUDE guide, contributing, code of conduct, and many agents/commands/skills/rules files). Update README to include a link to the Turkish docs and increment the supported language count from 5 to 6. This commit adds localized guidance and references to help Turkish-speaking contributors and users.
    
    * Update docs/tr/TROUBLESHOOTING.md
    
    Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
    
    * Update docs/tr/README.md
    
    Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
    
    * docs(tr): fix license link and update readmes
    
    Update Turkish docs: change license badge link to point to repository root (../../LICENSE), increment displayed language count from 5 to 6, and remove two outdated related links from docs/tr/examples/README.md to keep references accurate.
    
    * Update docs/tr/commands/instinct-import.md
    
    Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
    
    * Update docs/tr/commands/checkpoint.md
    
    Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
  • security: remove supply chain risks, external promotions, and unauthorized credits
    - Remove zenith.chat references and @DRodriguezFX shoutout from README
    - Remove Inspiration Credits section (already in CHANGELOG.md)
    - Remove awesome-agent-skills reference from Links
    - Remove Plankton H3 section by @alxfazio (skill stays in skills/)
    - Remove brand names (InsAIts, VideoDB, Evos) from v1.9.0 notes
    - Remove @ericcai0814 individual credit from README (kept in CHANGELOG)
    - Add Security Guide to Links section
    - Replace curl-pipe-to-bash in autonomous-loops with review warning
    - Replace git clone in plankton-code-quality with review warning
    - Replace pip install git+ in agent-eval with review warning
    - Replace npm install -g in dmux-workflows with review warning
    - Add commercial API notice to nutrient-document-processing
    - Remove VideoDB maintainer credit from videodb skill
    - Replace skill-creator.app link with ECC-Tools GitHub App reference
  • docs: add SECURITY.md, publish agentic security guide, remove openclaw guide
    - Add SECURITY.md with vulnerability reporting policy
    - Publish "The Shorthand Guide to Everything Agentic Security" with attack
      vectors, sandboxing, sanitization, CVEs, and AgentShield coverage
    - Add security guide to README guides section (3-column layout)
    - Remove unpublished openclaw guide
    - Copy security article images to assets/images/security/
  • feat(skills): add rules-distill skill (rebased #561) (#678)
    * feat(skills): add rules-distill — extract cross-cutting principles from skills into rules
    
    Applies the skill-stocktake pattern to rules maintenance:
    scan skills → extract shared principles → propose rule changes.
    
    Key design decisions:
    - Deterministic collection (scan scripts) + LLM judgment (cross-read & verdict)
    - 6 verdict types: Append, Revise, New Section, New File, Already Covered, Too Specific
    - Anti-abstraction safeguard: 2+ skills evidence, actionable behavior test, violation risk
    - Rules full text passed to LLM (no grep pre-filter) for accurate matching
    - Never modifies rules automatically — always requires user approval
    
    * fix(skills): address review feedback for rules-distill
    
    Fixes raised by CodeRabbit, Greptile, and cubic:
    
    - Add Prerequisites section documenting skill-stocktake dependency
    - Add fallback command when skill-stocktake is not installed
    - Fix shell quoting: add IFS= and -r to while-read loops
    - Replace hardcoded paths with env var placeholders ($CLAUDE_RULES_DIR, $SKILL_STOCKTAKE_DIR)
    - Add json language identifier to code blocks
    - Add "How It Works" parent heading for Phase 1/2/3
    - Add "Example" section with end-to-end run output
    - Add revision.reason/before/after fields to output schema for Revise verdict
    - Document timestamp format (date -u +%Y-%m-%dT%H:%M:%SZ)
    - Document candidate-id format (kebab-case from principle)
    - Use concrete examples in results.json schema
    
    * fix(skills): remove skill-stocktake dependency, add self-contained scripts
    
    Address P1 review feedback:
    - Add scan-skills.sh and scan-rules.sh directly in rules-distill/scripts/
      (no external dependency on skill-stocktake)
    - Remove Prerequisites section (no longer needed)
    - Add cross-batch merge step to prevent 2+ skills requirement
      from being silently broken across batch boundaries
    - Fix nested triple-backtick fences (use quadruple backticks)
    - Remove head -100 cap (silent truncation)
    - Rename "When to Activate" → "When to Use" (ECC standard)
    - Remove unnecessary env var placeholders (SKILL.md is a prompt, not a script)
    
    * fix: update skill/command counts in README.md and AGENTS.md
    
    rules-distill added 1 skill + 1 command:
    - skills: 108 → 109
    - commands: 57 → 58
    
    Updates all count references to pass CI catalog validation.
    
    * fix(skills): address Servitor review feedback for rules-distill
    
    1. Rename SKILL_STOCKTAKE_* env vars to RULES_DISTILL_* for consistency
    2. Remove unnecessary observation counting (use_7d/use_30d) from scan-skills.sh
    3. Fix header comment: scan.sh → scan-skills.sh
    4. Use jq for JSON construction in scan-rules.sh to properly escape
       headings containing special characters (", \)
    
    * fix(skills): address CodeRabbit review — portability and scan scope
    
    1. scan-rules.sh: use jq for error JSON output (proper escaping)
    2. scan-rules.sh: replace GNU-only sort -z with portable sort (BSD compat)
    3. scan-rules.sh: fix pipefail crash on files without H2 headings
    4. scan-skills.sh: scan only SKILL.md files (skip learned/*.md and
       auxiliary docs that lack frontmatter)
    5. scan-skills.sh: add portable get_mtime helper (GNU stat/date
       fallback to BSD stat/date)
    
    * fix: sync catalog counts with filesystem (27 agents, 114 skills, 59 commands)
    
    ---------
    
    Co-authored-by: Tatsuya Shimomoto <shimo4228@gmail.com>
  • chore: prepare v1.9.0 release (#666)
    - Bump version to 1.9.0 in package.json, package-lock.json, .opencode/package.json
    - Add v1.9.0 changelog with 212 commits covering selective install architecture,
      6 new agents, 15+ new skills, session/state infrastructure, observer fixes,
      12 language ecosystems, and community contributions
    - Update README with v1.9.0 release notes and complete agents tree (27 agents)
    - Add pytorch-build-resolver to AGENTS.md agent table
    - Update documentation counts to 27 agents, 109 skills, 57 commands
    - Update version references in zh-CN README
    - All 1421 tests passing, catalog counts verified
  • docs: add Antigravity setup and usage guide (#552)
    * docs: add Antigravity setup and usage guide
    
    Addresses #462 — users were confused about Antigravity skills setup.
    
    Adds a comprehensive guide covering:
    - Install mapping (ECC → .agent/ directory)
    - Directory structure after install
    - openai.yaml agent config format
    - Managing installs (list, doctor, uninstall)
    - Cross-target comparison table
    - Troubleshooting common issues
    - How to contribute skills with Antigravity support
    
    Also links the guide from the README FAQ section.
    
    * fix: address review feedback on Antigravity guide
    
    - Remove spurious skills/ row from install mapping table, add note
      clarifying .agents/skills/ is static repo layout not installer-mapped
    - Fix repair section: doctor.js diagnoses, repair.js restores
    - Fix .agents/ → .agent/ path typo in custom skills section
    - Clarify 3-step workflow for adding Antigravity skills
    - Fix antigravity-project → antigravity in comparison table
    - Fix "flatten" → "flattened" grammar in README
    - Clarify openai.yaml full nested path structure
    
    * fix: clarify .agents/ vs .agent/ naming and fix Cursor comparison
    
    - Explain that .agents/ (with 's') is ECC source, .agent/ (no 's')
      is Antigravity runtime — installer copies between them
    - Fix Cursor Agents/Skills column: Cursor has no explicit agents/skills
      mapping (only rules), changed from 'skills/' to 'N/A'
    
    * fix: correct installer behavior claims and command style
    
    - Fix .agents/ vs .agent/ note: clarify that only rules, commands, and
      agents (no dot) are explicitly mapped by the installer. The dot-prefixed
      .agents/ directory falls through to default scaffold, not a direct copy.
    - Fix contributor workflow: remove false auto-deploy claim for openai.yaml.
      Clarify .agents/ is static repo layout, not installer-deployed.
    - Fix uninstall command: use direct script call (node scripts/uninstall.js)
      for consistency with doctor.js, repair.js, list-installed.js.
    
    * fix: add missing agents/ step to contributor workflow
    
    Contributors must add an agent definition at agents/ (no dot) for the
    installer to deploy it to .agent/skills/ at runtime. Without this step,
    skills only exist in the static .agents/ layout and are never deployed.
    
    ---------
    
    Co-authored-by: vazidmansuri005 <vazidmansuri005@users.noreply.github.com>
  • fix: update catalog counts and resolve lint error
    - Update agent count 26→27 in README.md (quick-start + comparison table) and AGENTS.md (summary + project structure)
    - Update skill count 108→109 in README.md (quick-start + comparison table) and AGENTS.md (summary)
    - Rename unused variable provenance → _provenance in tests/lib/skill-dashboard.test.js
  • feat(agents): add typescript-reviewer agent (#647)
    Adds typescript-reviewer agent following the established agent format, covering type safety, async correctness, security, and React/Next.js patterns.
  • docs: add npm install step before running install.sh (#526)
    The install script requires the ajv package (a devDependency) for
    config validation. Without running npm install first, users get
    "Cannot find module 'ajv'" when running ./install.sh.
    
    Co-authored-by: Jeffrey Jordan <jeffreyjordan@dizplai.com>
  • fix(ci): enforce catalog count integrity (#525)
    * fix(ci): enforce catalog count integrity
    
    * test: harden catalog structure parsing
  • feat: add laravel skills (#420)
    * feat: add laravel skills
    
    * docs: fix laravel patterns example
    
    * docs: add laravel api example
    
    * docs: update readme and configure-ecc for laravel skills
    
    * docs: reference laravel skills in php rules
    
    * docs: add php import guidance
    
    * docs: expand laravel skills with more pattern, security, testing, and verification examples
    
    * docs: add laravel routing, security, testing, and sail guidance
    
    * docs: fix laravel example issues from code review
    
    * docs: fix laravel examples and skills per review findings
    
    * docs: resolve remaining laravel review fixes
    
    * docs: refine laravel patterns and tdd guidance
    
    * docs: clarify laravel queue healthcheck guidance
    
    * docs: fix laravel examples and test guidance
    
    * docs: correct laravel tdd and api example details
    
    * docs: align laravel form request auth semantics
    
    * docs: fix laravel coverage, imports, and scope guidance
    
    * docs: align laravel tdd and security examples with guidance
    
    * docs: tighten laravel form request authorization examples
    
    * docs: fix laravel tdd and queue job examples
    
    * docs: harden laravel rate limiting and policy examples
    
    * docs: fix laravel pagination, validation, and verification examples
    
    * docs: align laravel controller response with envelope
    
    * docs: strengthen laravel password validation example
    
    * docs: address feedback regarding examples
    
    * docs: improve guidance and examples for pest usage
    
    * docs: clarify laravel upload storage and authorization notes
    
    * docs: tighten up examples
  • Add PowerShell installer wrapper and update documentation (#532)
    * Add install.ps1 PowerShell wrapper and tests
    
    Add a Windows-native PowerShell wrapper (install.ps1) that resolves symlinks and delegates to the Node-based installer runtime. Update README with PowerShell usage examples and cross-platform npx entrypoint guidance. Point the ecc-install bin to the Node installer (scripts/install-apply.js) in package.json (and refresh package-lock), include install.ps1 in package files, and add tests: a new install-ps1.test.js and a tweak to install-sh.test.js to skip on Windows. These changes provide native Windows installer support while keeping npm-compatible cross-platform invocation.
    
    * Improve tests for Windows HOME/USERPROFILE
    
    Make tests more cross-platform by ensuring HOME and USERPROFILE are kept in sync and by normalizing test file paths for display.
    
    - tests/lib/session-adapters.test.js: set USERPROFILE when temporarily setting HOME and restore previous USERPROFILE on teardown.
    - tests/run-all.js: use a normalized displayPath (forward-slash separated) for logging and error messages so output is consistent across platforms.
    - tests/scripts/ecc.test.js & tests/scripts/session-inspect.test.js: build envOverrides from options.env and add HOME <-> USERPROFILE fallbacks so spawned child processes receive both variables when only one is provided.
    
    These changes prevent test failures and inconsistent logs on Windows where USERPROFILE is used instead of HOME.
    
    * Fix Windows paths and test flakiness
    
    Improve cross-platform behavior and test stability.
    
    - Remove unused createLegacyInstallPlan import from install-lifecycle.js.
    - Change resolveInstallConfigPath to use path.normalize(path.join(cwd, configPath)) to produce normalized relative paths.
    - Tests: add toBashPath and normalizedRelativePath helpers to normalize Windows paths for bash and comparisons.
    - Make cleanupTestDir retry rmSync on transient Windows errors (EPERM/EBUSY/ENOTEMPTY) with short backoff using sleepMs.
    - Ensure spawned test processes receive USERPROFILE and convert repo/detect paths to bash format when invoking bash.
    
    These changes reduce Windows-specific failures and flakiness in the test suite and tidy up a small unused import.