Commit Graph

11 Commits

  • build(deps): bump the minor-and-patch group across 1 directory with 3 updates (#1582)
    Bumps the minor-and-patch group with 3 updates in the / directory: [ajv](https://github.com/ajv-validator/ajv), @opencode-ai/plugin and [globals](https://github.com/sindresorhus/globals).
    
    
    Updates `ajv` from 8.18.0 to 8.20.0
    - [Release notes](https://github.com/ajv-validator/ajv/releases)
    - [Commits](https://github.com/ajv-validator/ajv/compare/v8.18.0...v8.20.0)
    
    Updates `@opencode-ai/plugin` from 1.3.15 to 1.14.33
    
    Updates `globals` from 17.4.0 to 17.6.0
    - [Release notes](https://github.com/sindresorhus/globals/releases)
    - [Commits](https://github.com/sindresorhus/globals/compare/v17.4.0...v17.6.0)
    
    ---
    updated-dependencies:
    - dependency-name: "@opencode-ai/plugin"
      dependency-version: 1.14.25
      dependency-type: direct:development
      update-type: version-update:semver-minor
      dependency-group: minor-and-patch
    - dependency-name: ajv
      dependency-version: 8.20.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: minor-and-patch
    - dependency-name: globals
      dependency-version: 17.5.0
      dependency-type: direct:development
      update-type: version-update:semver-minor
      dependency-group: minor-and-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • build(deps): bump fast-uri from 3.1.0 to 3.1.2 (#1703)
    Bumps [fast-uri](https://github.com/fastify/fast-uri) from 3.1.0 to 3.1.2.
    - [Release notes](https://github.com/fastify/fast-uri/releases)
    - [Commits](https://github.com/fastify/fast-uri/compare/v3.1.0...v3.1.2)
    
    ---
    updated-dependencies:
    - dependency-name: fast-uri
      dependency-version: 3.1.2
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • chore(deps-dev): bump c8 from 10.1.3 to 11.0.0 (#1065)
    Bumps [c8](https://github.com/bcoe/c8) from 10.1.3 to 11.0.0.
    - [Release notes](https://github.com/bcoe/c8/releases)
    - [Changelog](https://github.com/bcoe/c8/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/bcoe/c8/compare/v10.1.3...v11.0.0)
    
    ---
    updated-dependencies:
    - dependency-name: c8
      dependency-version: 11.0.0
      dependency-type: direct:development
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • chore(deps-dev): bump globals in the minor-and-patch group (#1062)
    Bumps the minor-and-patch group with 1 update: [globals](https://github.com/sindresorhus/globals).
    
    
    Updates `globals` from 17.1.0 to 17.4.0
    - [Release notes](https://github.com/sindresorhus/globals/releases)
    - [Commits](https://github.com/sindresorhus/globals/compare/v17.1.0...v17.4.0)
    
    ---
    updated-dependencies:
    - dependency-name: globals
      dependency-version: 17.4.0
      dependency-type: direct:development
      update-type: version-update:semver-minor
      dependency-group: minor-and-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • fix: CI fixes, security audit, remotion skill, lead-intelligence, npm audit (#1039)
    * fix(ci): resolve cross-platform test failures
    
    - Sanity check script (check-codex-global-state.sh) now falls back to
      grep -E when ripgrep is not available, fixing the codex-hooks sync
      test on all CI platforms. Patterns converted to POSIX ERE for
      portability.
    - Unicode safety test accepts both / and \ path separators so the
      executable-file assertion passes on Windows.
    - Gacha test sets PYTHONUTF8=1 so Python uses UTF-8 stdout encoding on
      Windows instead of cp1252, preventing UnicodeEncodeError on box-drawing
      characters.
    - Quoted-hook-path test skipped on Windows where NTFS disallows
      double-quote characters in filenames.
    
    * feat: port remotion-video-creation skill (29 rules), restore missing files
    
    New skill:
    - remotion-video-creation: 29 domain-specific Remotion rules covering 3D/Three.js,
      animations, audio, captions, charts, compositions, fonts, GIFs, Lottie,
      measuring, sequencing, tailwind, text animations, timing, transitions,
      trimming, and video embedding. Ported from personal skills.
    
    Restored:
    - autonomous-agent-harness/SKILL.md (was in commit but missing from worktree)
    - lead-intelligence/ (full directory restored from branch commit)
    
    Updated:
    - manifests/install-modules.json: added remotion-video-creation to media-generation
    - README.md + AGENTS.md: synced counts to 139 skills
    
    Catalog validates: 30 agents, 60 commands, 139 skills.
    
    * fix(security): pin MCP server versions, add dependabot, pin github-script SHA
    
    Critical:
    - Pin all npx -y MCP server packages to specific versions in .mcp.json
      to prevent supply chain attacks via version hijacking:
      - @modelcontextprotocol/server-github@2025.4.8
      - @modelcontextprotocol/server-memory@2026.1.26
      - @modelcontextprotocol/server-sequential-thinking@2025.12.18
      - @playwright/mcp@0.0.69 (was 0.0.68)
    
    Medium:
    - Add .github/dependabot.yml for weekly npm + github-actions updates
      with grouped minor/patch PRs
    - Pin actions/github-script to SHA (was @v7 tag, now pinned to commit)
    
    * feat: add social-graph-ranker skill — weighted network proximity scoring
    
    New skill: social-graph-ranker
    - Weighted social graph traversal with exponential decay across hops
    - Bridge Score: B(m) = Σ w(t) · λ^(d(m,t)-1) ranks mutuals by target proximity
    - Extended Score incorporates 2nd-order network (mutual-of-mutual connections)
    - Final ranking includes engagement bonus for responsive connections
    - Runs in parallel with lead-intelligence skill for combined warm+cold outreach
    - Supports X API + LinkedIn CSV for graph harvesting
    - Outputs tiered action list: warm intros, direct outreach, network gap analysis
    
    Added to business-content install module. Catalog validates: 30/60/140.
    
    * fix(security): npm audit fix — resolve all dependency vulnerabilities
    
    Applied npm audit fix --force to resolve:
    - minimatch ReDoS (3 vulnerabilities, HIGH)
    - smol-toml DoS (MODERATE)
    - brace-expansion memory exhaustion (MODERATE)
    - markdownlint-cli upgraded from 0.47.0 to 0.48.0
    
    npm audit now reports 0 vulnerabilities.
    
    * fix: resolve markdown lint and yarn lockfile sync
    
    - MD047: ensure single trailing newline on all remotion rule files
    - MD012: remove consecutive blank lines in lottie, measuring-dom-nodes, trimming
    - MD034: wrap bare URLs in angle brackets (tailwind, transcribe-captions)
    - yarn.lock: regenerated to sync with npm audit changes in package.json
    
    * fix: replace unicode arrows in lead-intelligence (CI unicode safety check)
  • feat(codex): add Codex native plugin manifest and fix Claude plugin.json
    - Add .codex-plugin/plugin.json — Codex-native plugin manifest with
      skills reference and MCP server config pointer
    - Add .codex-plugin/.mcp.json — standalone MCP server config bundle
      (github, context7, exa, memory, playwright, sequential-thinking)
    - Add .codex-plugin/README.md — installation guide and server reference
    - Fix .claude-plugin/plugin.json — add missing agents[] (28 explicit
      file paths per validator rules), skills[], and commands[] arrays;
      remove hooks field (auto-loaded by Claude Code v2.1+ convention)
    - Add tests/plugin-manifest.test.js — 16 CI tests enforcing
      PLUGIN_SCHEMA_NOTES.md rules (no hooks, arrays throughout, explicit
      agent paths, version required, .mcp.json structural checks)
    - Update package.json: add .codex-plugin/ to files[], add plugin
      manifest test to npm test chain
    
    Refs: .claude-plugin/PLUGIN_SCHEMA_NOTES.md
  • fix: move ajv to dependencies and add .yarnrc.yml for node-modules linker
    ajv was in devDependencies but required at runtime by scripts/lib/install/config.js,
    causing 'Cannot find module ajv' when running ./install.sh. Also adds .yarnrc.yml
    with nodeLinker: node-modules so plain `node` can resolve packages without PnP.
    
    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>