Commit Graph

157 Commits

  • fix: CI fixes, security audit, remotion skill, lead-intelligence, npm audit (#1039)
    * fix(ci): resolve cross-platform test failures
    
    - Sanity check script (check-codex-global-state.sh) now falls back to
      grep -E when ripgrep is not available, fixing the codex-hooks sync
      test on all CI platforms. Patterns converted to POSIX ERE for
      portability.
    - Unicode safety test accepts both / and \ path separators so the
      executable-file assertion passes on Windows.
    - Gacha test sets PYTHONUTF8=1 so Python uses UTF-8 stdout encoding on
      Windows instead of cp1252, preventing UnicodeEncodeError on box-drawing
      characters.
    - Quoted-hook-path test skipped on Windows where NTFS disallows
      double-quote characters in filenames.
    
    * feat: port remotion-video-creation skill (29 rules), restore missing files
    
    New skill:
    - remotion-video-creation: 29 domain-specific Remotion rules covering 3D/Three.js,
      animations, audio, captions, charts, compositions, fonts, GIFs, Lottie,
      measuring, sequencing, tailwind, text animations, timing, transitions,
      trimming, and video embedding. Ported from personal skills.
    
    Restored:
    - autonomous-agent-harness/SKILL.md (was in commit but missing from worktree)
    - lead-intelligence/ (full directory restored from branch commit)
    
    Updated:
    - manifests/install-modules.json: added remotion-video-creation to media-generation
    - README.md + AGENTS.md: synced counts to 139 skills
    
    Catalog validates: 30 agents, 60 commands, 139 skills.
    
    * fix(security): pin MCP server versions, add dependabot, pin github-script SHA
    
    Critical:
    - Pin all npx -y MCP server packages to specific versions in .mcp.json
      to prevent supply chain attacks via version hijacking:
      - @modelcontextprotocol/server-github@2025.4.8
      - @modelcontextprotocol/server-memory@2026.1.26
      - @modelcontextprotocol/server-sequential-thinking@2025.12.18
      - @playwright/mcp@0.0.69 (was 0.0.68)
    
    Medium:
    - Add .github/dependabot.yml for weekly npm + github-actions updates
      with grouped minor/patch PRs
    - Pin actions/github-script to SHA (was @v7 tag, now pinned to commit)
    
    * feat: add social-graph-ranker skill — weighted network proximity scoring
    
    New skill: social-graph-ranker
    - Weighted social graph traversal with exponential decay across hops
    - Bridge Score: B(m) = Σ w(t) · λ^(d(m,t)-1) ranks mutuals by target proximity
    - Extended Score incorporates 2nd-order network (mutual-of-mutual connections)
    - Final ranking includes engagement bonus for responsive connections
    - Runs in parallel with lead-intelligence skill for combined warm+cold outreach
    - Supports X API + LinkedIn CSV for graph harvesting
    - Outputs tiered action list: warm intros, direct outreach, network gap analysis
    
    Added to business-content install module. Catalog validates: 30/60/140.
    
    * fix(security): npm audit fix — resolve all dependency vulnerabilities
    
    Applied npm audit fix --force to resolve:
    - minimatch ReDoS (3 vulnerabilities, HIGH)
    - smol-toml DoS (MODERATE)
    - brace-expansion memory exhaustion (MODERATE)
    - markdownlint-cli upgraded from 0.47.0 to 0.48.0
    
    npm audit now reports 0 vulnerabilities.
    
    * fix: resolve markdown lint and yarn lockfile sync
    
    - MD047: ensure single trailing newline on all remotion rule files
    - MD012: remove consecutive blank lines in lottie, measuring-dom-nodes, trimming
    - MD034: wrap bare URLs in angle brackets (tailwind, transcribe-captions)
    - yarn.lock: regenerated to sync with npm audit changes in package.json
    
    * fix: replace unicode arrows in lead-intelligence (CI unicode safety check)
  • Merge pull request #932 from KT-lcz/readme
    docs: fix rule installation examples
  • Merge pull request #931 from KT-lcz/main
    docs: clarify multi-model command setup
  • fix(installer): show help text on error and document --profile full in README
    Running install.ps1/install.sh with no arguments gave a cryptic error
    with no guidance. Now the usage help is printed after the error so users
    know what arguments to pass.
    
    Also added --profile full as the recommended install option in the README
    quick-start section, which was previously undocumented.
    
    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
  • docs: fix rule installation examples
    Clarify that manual rule installation should preserve the rules directory structure so references keep working and filename collisions are avoided.
  • docs: clarify multi-model command setup
    Document that multi-* commands require the ccg-workflow runtime so users know they must initialize the extra wrapper and prompt assets before use.
  • feat(skills): add skill-comply — automated behavioral compliance measurement (#724)
    * feat(skills): add skill-comply — automated behavioral compliance measurement
    
    Automated compliance measurement for skills, rules, and agent definitions.
    Generates behavioral specs, runs scenarios at 3 strictness levels,
    classifies tool calls via LLM, and produces self-contained reports.
    
    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    
    * fix(skill-comply): address bot review feedback
    
    - AGENTS.md: fix stale skill count (115 → 117) in project structure
    - run.py: replace remaining print() with logger, add zero-division guard,
      create parent dirs for --output path
    - runner.py: add returncode check for claude subprocess, clarify
      relative_to path traversal validation
    - parser.py: use is_file() instead of exists(), catch KeyError for
      missing trace fields, add file check in parse_spec
    - classifier.py: log warnings on malformed classification output,
      guard against non-dict JSON responses
    - grader.py: filter negative indices from LLM classification
    
    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    
    ---------
    
    Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
  • feat: pending instinct TTL pruning and /prune command (#725)
    * feat: add pending instinct TTL pruning and /prune command
    
    Pending instincts generated by the observer accumulate indefinitely
    with no cleanup mechanism. This adds lifecycle management:
    
    - `instinct-cli.py prune` — delete pending instincts older than 30 days
      (configurable via --max-age). Supports --dry-run and --quiet flags.
    - Enhanced `status` command — shows pending count, warns at 5+,
      highlights instincts expiring within 7 days.
    - `observer-loop.sh` — runs prune before each analysis cycle.
    - `/prune` slash command — user-facing command for manual pruning.
    
    Design rationale: council consensus (4/4) rejected auto-promote in
    favor of TTL-based garbage collection. Frequency of observation does
    not establish correctness. Unreviewed pending instincts auto-delete
    after 30 days; if the pattern is real, the observer will regenerate it.
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    Co-Authored-By: Happy <yesreply@happy.engineering>
    
    * fix: remove duplicate functions, broaden extension filter, fix prune output
    
    - Remove duplicate _collect_pending_dirs and _parse_created_date defs
    - Use ALLOWED_INSTINCT_EXTENSIONS (.md/.yaml/.yml) instead of .md-only
    - Track actually-deleted items separately from expired for accurate output
    - Update README.md and AGENTS.md command counts: 59 → 60
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    Co-Authored-By: Happy <yesreply@happy.engineering>
    
    * fix: address Copilot and CodeRabbit review findings
    
    - Use is_dir() instead of exists() for pending path checks
    - Change > to >= for --max-age boundary (--max-age 0 now prunes all)
    - Use CLV2_PYTHON_CMD env var in observer-loop.sh prune call
    - Remove unused source_dupes variable
    - Remove extraneous f-string prefix on static string
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    Co-Authored-By: Happy <yesreply@happy.engineering>
    
    * fix: update AGENTS.md project structure command count 59 → 60
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    
    * fix: address cubic and coderabbit review findings
    
    - Fix status early return skipping pending instinct warnings (cubic #1)
    - Exclude already-expired items from expiring-soon filter (cubic #2)
    - Warn on unparseable pending instinct age instead of silent skip (cubic #4)
    - Log prune failures to observer.log instead of silencing (cubic #5)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    
    * fix: YAML single-quote unescaping, f-string cleanup, add /prune to README
    
    - Fix single-quoted YAML unescaping: use '' doubling (YAML spec) not
      backslash escaping which only applies to double-quoted strings (greptile P1)
    - Remove extraneous f-string prefix on static string (coderabbit)
    - Add /prune to README command catalog and file tree (cubic)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    
    ---------
    
    Co-authored-by: Claude <noreply@anthropic.com>
    Co-authored-by: Happy <yesreply@happy.engineering>
  • fix: safe Codex config sync — merge AGENTS.md + add-only MCP servers (#723)
    * fix: replace bash TOML surgery with Node add-only MCP merge
    
    The old sync script used awk/sed to remove and re-append MCP server
    sections in config.toml, causing credential extraction races, duplicate
    TOML tables, and 3 fragile code paths with 9 remove_section_inplace
    calls each.
    
    Replace with a Node script (scripts/codex/merge-mcp-config.js) that
    uses @iarna/toml to parse the config, then appends only missing ECC
    servers — preserving all existing content byte-for-byte. Warns on
    config drift, supports legacy aliases (context7 → context7-mcp), and
    adds --update-mcp flag for explicit refresh.
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    Co-Authored-By: Happy <yesreply@happy.engineering>
    
    * fix: address PR #723 review findings for Codex MCP merge
    
    - Use package-manager abstraction (scripts/lib/package-manager.js)
      instead of hardcoding pnpm — respects CLAUDE_PACKAGE_MANAGER,
      lock files, and project config
    - Add Yarn 1.x fallback to npx (yarn dlx unsupported in classic)
    - Add missing exa server to match .codex/config.toml baseline
    - Wire up findSubSections for --update-mcp nested subtable removal
      (fixes Greptile P1: Object.keys only returned top-level keys)
    - Fix resolvedLabel to prefer canonical entry over legacy alias
      when both exist (fixes context7/context7-mcp spurious warning)
    - Fix removeSectionFromText to handle inline TOML comments
    - Fix dry-run + --update-mcp to show removals before early return
    - Update README parity table: 4 → 7 servers, TOML-parser-based
    - Add non-npm install variants to README Codex quick start
    - Update package-lock.json for @iarna/toml
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    Co-Authored-By: Happy <yesreply@happy.engineering>
    
    * fix: address PR #723 review comments (preflight, marker validation)
    
    - Add Node.js and merge-mcp-config.js to preflight checks so the
      script fails fast before partial writes (CodeRabbit)
    - Validate marker counts: require exactly 1 BEGIN + 1 END in correct
      order for clean replacement (CodeRabbit)
    - Corrupted markers: strip all marker lines and re-append fresh block,
      preserving user content outside markers instead of overwriting
    - Move MCP_MERGE_SCRIPT to preflight section, remove duplicate
    
    Generated with [Claude Code](https://claude.ai/code)
    via [Happy](https://happy.engineering)
    
    Co-Authored-By: Claude <noreply@anthropic.com>
    Co-Authored-By: Happy <yesreply@happy.engineering>
    
    ---------
    
    Co-authored-by: Claude <noreply@anthropic.com>
    Co-authored-by: Happy <yesreply@happy.engineering>
  • Add Turkish (tr) docs and update README (#744)
    * Add Turkish (tr) docs and update README
    
    Add a full set of Turkish documentation under docs/tr (agents, changelog, CLAUDE guide, contributing, code of conduct, and many agents/commands/skills/rules files). Update README to include a link to the Turkish docs and increment the supported language count from 5 to 6. This commit adds localized guidance and references to help Turkish-speaking contributors and users.
    
    * Update docs/tr/TROUBLESHOOTING.md
    
    Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
    
    * Update docs/tr/README.md
    
    Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
    
    * docs(tr): fix license link and update readmes
    
    Update Turkish docs: change license badge link to point to repository root (../../LICENSE), increment displayed language count from 5 to 6, and remove two outdated related links from docs/tr/examples/README.md to keep references accurate.
    
    * Update docs/tr/commands/instinct-import.md
    
    Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
    
    * Update docs/tr/commands/checkpoint.md
    
    Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
  • security: remove supply chain risks, external promotions, and unauthorized credits
    - Remove zenith.chat references and @DRodriguezFX shoutout from README
    - Remove Inspiration Credits section (already in CHANGELOG.md)
    - Remove awesome-agent-skills reference from Links
    - Remove Plankton H3 section by @alxfazio (skill stays in skills/)
    - Remove brand names (InsAIts, VideoDB, Evos) from v1.9.0 notes
    - Remove @ericcai0814 individual credit from README (kept in CHANGELOG)
    - Add Security Guide to Links section
    - Replace curl-pipe-to-bash in autonomous-loops with review warning
    - Replace git clone in plankton-code-quality with review warning
    - Replace pip install git+ in agent-eval with review warning
    - Replace npm install -g in dmux-workflows with review warning
    - Add commercial API notice to nutrient-document-processing
    - Remove VideoDB maintainer credit from videodb skill
    - Replace skill-creator.app link with ECC-Tools GitHub App reference
  • docs: add SECURITY.md, publish agentic security guide, remove openclaw guide
    - Add SECURITY.md with vulnerability reporting policy
    - Publish "The Shorthand Guide to Everything Agentic Security" with attack
      vectors, sandboxing, sanitization, CVEs, and AgentShield coverage
    - Add security guide to README guides section (3-column layout)
    - Remove unpublished openclaw guide
    - Copy security article images to assets/images/security/
  • feat(skills): add rules-distill skill (rebased #561) (#678)
    * feat(skills): add rules-distill — extract cross-cutting principles from skills into rules
    
    Applies the skill-stocktake pattern to rules maintenance:
    scan skills → extract shared principles → propose rule changes.
    
    Key design decisions:
    - Deterministic collection (scan scripts) + LLM judgment (cross-read & verdict)
    - 6 verdict types: Append, Revise, New Section, New File, Already Covered, Too Specific
    - Anti-abstraction safeguard: 2+ skills evidence, actionable behavior test, violation risk
    - Rules full text passed to LLM (no grep pre-filter) for accurate matching
    - Never modifies rules automatically — always requires user approval
    
    * fix(skills): address review feedback for rules-distill
    
    Fixes raised by CodeRabbit, Greptile, and cubic:
    
    - Add Prerequisites section documenting skill-stocktake dependency
    - Add fallback command when skill-stocktake is not installed
    - Fix shell quoting: add IFS= and -r to while-read loops
    - Replace hardcoded paths with env var placeholders ($CLAUDE_RULES_DIR, $SKILL_STOCKTAKE_DIR)
    - Add json language identifier to code blocks
    - Add "How It Works" parent heading for Phase 1/2/3
    - Add "Example" section with end-to-end run output
    - Add revision.reason/before/after fields to output schema for Revise verdict
    - Document timestamp format (date -u +%Y-%m-%dT%H:%M:%SZ)
    - Document candidate-id format (kebab-case from principle)
    - Use concrete examples in results.json schema
    
    * fix(skills): remove skill-stocktake dependency, add self-contained scripts
    
    Address P1 review feedback:
    - Add scan-skills.sh and scan-rules.sh directly in rules-distill/scripts/
      (no external dependency on skill-stocktake)
    - Remove Prerequisites section (no longer needed)
    - Add cross-batch merge step to prevent 2+ skills requirement
      from being silently broken across batch boundaries
    - Fix nested triple-backtick fences (use quadruple backticks)
    - Remove head -100 cap (silent truncation)
    - Rename "When to Activate" → "When to Use" (ECC standard)
    - Remove unnecessary env var placeholders (SKILL.md is a prompt, not a script)
    
    * fix: update skill/command counts in README.md and AGENTS.md
    
    rules-distill added 1 skill + 1 command:
    - skills: 108 → 109
    - commands: 57 → 58
    
    Updates all count references to pass CI catalog validation.
    
    * fix(skills): address Servitor review feedback for rules-distill
    
    1. Rename SKILL_STOCKTAKE_* env vars to RULES_DISTILL_* for consistency
    2. Remove unnecessary observation counting (use_7d/use_30d) from scan-skills.sh
    3. Fix header comment: scan.sh → scan-skills.sh
    4. Use jq for JSON construction in scan-rules.sh to properly escape
       headings containing special characters (", \)
    
    * fix(skills): address CodeRabbit review — portability and scan scope
    
    1. scan-rules.sh: use jq for error JSON output (proper escaping)
    2. scan-rules.sh: replace GNU-only sort -z with portable sort (BSD compat)
    3. scan-rules.sh: fix pipefail crash on files without H2 headings
    4. scan-skills.sh: scan only SKILL.md files (skip learned/*.md and
       auxiliary docs that lack frontmatter)
    5. scan-skills.sh: add portable get_mtime helper (GNU stat/date
       fallback to BSD stat/date)
    
    * fix: sync catalog counts with filesystem (27 agents, 114 skills, 59 commands)
    
    ---------
    
    Co-authored-by: Tatsuya Shimomoto <shimo4228@gmail.com>
  • chore: prepare v1.9.0 release (#666)
    - Bump version to 1.9.0 in package.json, package-lock.json, .opencode/package.json
    - Add v1.9.0 changelog with 212 commits covering selective install architecture,
      6 new agents, 15+ new skills, session/state infrastructure, observer fixes,
      12 language ecosystems, and community contributions
    - Update README with v1.9.0 release notes and complete agents tree (27 agents)
    - Add pytorch-build-resolver to AGENTS.md agent table
    - Update documentation counts to 27 agents, 109 skills, 57 commands
    - Update version references in zh-CN README
    - All 1421 tests passing, catalog counts verified