* fix(ci): resolve cross-platform test failures
- Sanity check script (check-codex-global-state.sh) now falls back to
grep -E when ripgrep is not available, fixing the codex-hooks sync
test on all CI platforms. Patterns converted to POSIX ERE for
portability.
- Unicode safety test accepts both / and \ path separators so the
executable-file assertion passes on Windows.
- Gacha test sets PYTHONUTF8=1 so Python uses UTF-8 stdout encoding on
Windows instead of cp1252, preventing UnicodeEncodeError on box-drawing
characters.
- Quoted-hook-path test skipped on Windows where NTFS disallows
double-quote characters in filenames.
* feat: port remotion-video-creation skill (29 rules), restore missing files
New skill:
- remotion-video-creation: 29 domain-specific Remotion rules covering 3D/Three.js,
animations, audio, captions, charts, compositions, fonts, GIFs, Lottie,
measuring, sequencing, tailwind, text animations, timing, transitions,
trimming, and video embedding. Ported from personal skills.
Restored:
- autonomous-agent-harness/SKILL.md (was in commit but missing from worktree)
- lead-intelligence/ (full directory restored from branch commit)
Updated:
- manifests/install-modules.json: added remotion-video-creation to media-generation
- README.md + AGENTS.md: synced counts to 139 skills
Catalog validates: 30 agents, 60 commands, 139 skills.
* fix(security): pin MCP server versions, add dependabot, pin github-script SHA
Critical:
- Pin all npx -y MCP server packages to specific versions in .mcp.json
to prevent supply chain attacks via version hijacking:
- @modelcontextprotocol/server-github@2025.4.8
- @modelcontextprotocol/server-memory@2026.1.26
- @modelcontextprotocol/server-sequential-thinking@2025.12.18
- @playwright/mcp@0.0.69 (was 0.0.68)
Medium:
- Add .github/dependabot.yml for weekly npm + github-actions updates
with grouped minor/patch PRs
- Pin actions/github-script to SHA (was @v7 tag, now pinned to commit)
* feat: add social-graph-ranker skill — weighted network proximity scoring
New skill: social-graph-ranker
- Weighted social graph traversal with exponential decay across hops
- Bridge Score: B(m) = Σ w(t) · λ^(d(m,t)-1) ranks mutuals by target proximity
- Extended Score incorporates 2nd-order network (mutual-of-mutual connections)
- Final ranking includes engagement bonus for responsive connections
- Runs in parallel with lead-intelligence skill for combined warm+cold outreach
- Supports X API + LinkedIn CSV for graph harvesting
- Outputs tiered action list: warm intros, direct outreach, network gap analysis
Added to business-content install module. Catalog validates: 30/60/140.
* fix(security): npm audit fix — resolve all dependency vulnerabilities
Applied npm audit fix --force to resolve:
- minimatch ReDoS (3 vulnerabilities, HIGH)
- smol-toml DoS (MODERATE)
- brace-expansion memory exhaustion (MODERATE)
- markdownlint-cli upgraded from 0.47.0 to 0.48.0
npm audit now reports 0 vulnerabilities.
* fix: resolve markdown lint and yarn lockfile sync
- MD047: ensure single trailing newline on all remotion rule files
- MD012: remove consecutive blank lines in lottie, measuring-dom-nodes, trimming
- MD034: wrap bare URLs in angle brackets (tailwind, transcribe-captions)
- yarn.lock: regenerated to sync with npm audit changes in package.json
* fix: replace unicode arrows in lead-intelligence (CI unicode safety check)
* fix: replace bash TOML surgery with Node add-only MCP merge
The old sync script used awk/sed to remove and re-append MCP server
sections in config.toml, causing credential extraction races, duplicate
TOML tables, and 3 fragile code paths with 9 remove_section_inplace
calls each.
Replace with a Node script (scripts/codex/merge-mcp-config.js) that
uses @iarna/toml to parse the config, then appends only missing ECC
servers — preserving all existing content byte-for-byte. Warns on
config drift, supports legacy aliases (context7 → context7-mcp), and
adds --update-mcp flag for explicit refresh.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
* fix: address PR #723 review findings for Codex MCP merge
- Use package-manager abstraction (scripts/lib/package-manager.js)
instead of hardcoding pnpm — respects CLAUDE_PACKAGE_MANAGER,
lock files, and project config
- Add Yarn 1.x fallback to npx (yarn dlx unsupported in classic)
- Add missing exa server to match .codex/config.toml baseline
- Wire up findSubSections for --update-mcp nested subtable removal
(fixes Greptile P1: Object.keys only returned top-level keys)
- Fix resolvedLabel to prefer canonical entry over legacy alias
when both exist (fixes context7/context7-mcp spurious warning)
- Fix removeSectionFromText to handle inline TOML comments
- Fix dry-run + --update-mcp to show removals before early return
- Update README parity table: 4 → 7 servers, TOML-parser-based
- Add non-npm install variants to README Codex quick start
- Update package-lock.json for @iarna/toml
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
* fix: address PR #723 review comments (preflight, marker validation)
- Add Node.js and merge-mcp-config.js to preflight checks so the
script fails fast before partial writes (CodeRabbit)
- Validate marker counts: require exactly 1 BEGIN + 1 END in correct
order for clean replacement (CodeRabbit)
- Corrupted markers: strip all marker lines and re-append fresh block,
preserving user content outside markers instead of overwriting
- Move MCP_MERGE_SCRIPT to preflight section, remove duplicate
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Happy <yesreply@happy.engineering>
- Bump version to 1.9.0 in package.json, package-lock.json, .opencode/package.json
- Add v1.9.0 changelog with 212 commits covering selective install architecture,
6 new agents, 15+ new skills, session/state infrastructure, observer fixes,
12 language ecosystems, and community contributions
- Update README with v1.9.0 release notes and complete agents tree (27 agents)
- Add pytorch-build-resolver to AGENTS.md agent table
- Update documentation counts to 27 agents, 109 skills, 57 commands
- Update version references in zh-CN README
- All 1421 tests passing, catalog counts verified
* Add install.ps1 PowerShell wrapper and tests
Add a Windows-native PowerShell wrapper (install.ps1) that resolves symlinks and delegates to the Node-based installer runtime. Update README with PowerShell usage examples and cross-platform npx entrypoint guidance. Point the ecc-install bin to the Node installer (scripts/install-apply.js) in package.json (and refresh package-lock), include install.ps1 in package files, and add tests: a new install-ps1.test.js and a tweak to install-sh.test.js to skip on Windows. These changes provide native Windows installer support while keeping npm-compatible cross-platform invocation.
* Improve tests for Windows HOME/USERPROFILE
Make tests more cross-platform by ensuring HOME and USERPROFILE are kept in sync and by normalizing test file paths for display.
- tests/lib/session-adapters.test.js: set USERPROFILE when temporarily setting HOME and restore previous USERPROFILE on teardown.
- tests/run-all.js: use a normalized displayPath (forward-slash separated) for logging and error messages so output is consistent across platforms.
- tests/scripts/ecc.test.js & tests/scripts/session-inspect.test.js: build envOverrides from options.env and add HOME <-> USERPROFILE fallbacks so spawned child processes receive both variables when only one is provided.
These changes prevent test failures and inconsistent logs on Windows where USERPROFILE is used instead of HOME.
* Fix Windows paths and test flakiness
Improve cross-platform behavior and test stability.
- Remove unused createLegacyInstallPlan import from install-lifecycle.js.
- Change resolveInstallConfigPath to use path.normalize(path.join(cwd, configPath)) to produce normalized relative paths.
- Tests: add toBashPath and normalizedRelativePath helpers to normalize Windows paths for bash and comparisons.
- Make cleanupTestDir retry rmSync on transient Windows errors (EPERM/EBUSY/ENOTEMPTY) with short backoff using sleepMs.
- Ensure spawned test processes receive USERPROFILE and convert repo/detect paths to bash format when invoking bash.
These changes reduce Windows-specific failures and flakiness in the test suite and tidy up a small unused import.
* feat: add SQLite state store and ECC status CLI
* fix: replace better-sqlite3 with sql.js to eliminate native module CI failures
better-sqlite3 requires native C++ compilation (node-gyp, prebuild-install)
which fails in CI across npm/pnpm on all platforms:
- npm ci: lock file out of sync with native transitive deps
- pnpm: native bindings not found at runtime
- Windows: native compilation fails entirely
sql.js is a pure JavaScript/WASM SQLite implementation with zero native
dependencies. The adapter in index.js wraps the sql.js API to match the
better-sqlite3 interface used by migrations.js and queries.js.
Key implementation detail: sql.js db.export() implicitly ends active
transactions, so the adapter defers disk writes (saveToDisk) until
after transaction commit via an inTransaction guard flag.
createStateStore is now async (sql.js requires async WASM init).
Updated status.js, sessions-cli.js, and tests accordingly.
- Registry accepts { type, value } structured targets
- Add --list-adapters and --target-type CLI flags to session-inspect
- Export adapter type from claude-history and dmux-tmux adapters
- 71 new session adapter tests, 34 new session-inspect tests
- All 1142 tests passing
The "Traction & Distribution" section contained internal business
context (sponsor-call checklists, partner reporting instructions)
that doesn't belong in a user-facing README. Moved to docs/business/.
