* fix(ci): resolve cross-platform test failures
- Sanity check script (check-codex-global-state.sh) now falls back to
grep -E when ripgrep is not available, fixing the codex-hooks sync
test on all CI platforms. Patterns converted to POSIX ERE for
portability.
- Unicode safety test accepts both / and \ path separators so the
executable-file assertion passes on Windows.
- Gacha test sets PYTHONUTF8=1 so Python uses UTF-8 stdout encoding on
Windows instead of cp1252, preventing UnicodeEncodeError on box-drawing
characters.
- Quoted-hook-path test skipped on Windows where NTFS disallows
double-quote characters in filenames.
* feat: port remotion-video-creation skill (29 rules), restore missing files
New skill:
- remotion-video-creation: 29 domain-specific Remotion rules covering 3D/Three.js,
animations, audio, captions, charts, compositions, fonts, GIFs, Lottie,
measuring, sequencing, tailwind, text animations, timing, transitions,
trimming, and video embedding. Ported from personal skills.
Restored:
- autonomous-agent-harness/SKILL.md (was in commit but missing from worktree)
- lead-intelligence/ (full directory restored from branch commit)
Updated:
- manifests/install-modules.json: added remotion-video-creation to media-generation
- README.md + AGENTS.md: synced counts to 139 skills
Catalog validates: 30 agents, 60 commands, 139 skills.
* fix(security): pin MCP server versions, add dependabot, pin github-script SHA
Critical:
- Pin all npx -y MCP server packages to specific versions in .mcp.json
to prevent supply chain attacks via version hijacking:
- @modelcontextprotocol/server-github@2025.4.8
- @modelcontextprotocol/server-memory@2026.1.26
- @modelcontextprotocol/server-sequential-thinking@2025.12.18
- @playwright/mcp@0.0.69 (was 0.0.68)
Medium:
- Add .github/dependabot.yml for weekly npm + github-actions updates
with grouped minor/patch PRs
- Pin actions/github-script to SHA (was @v7 tag, now pinned to commit)
* feat: add social-graph-ranker skill — weighted network proximity scoring
New skill: social-graph-ranker
- Weighted social graph traversal with exponential decay across hops
- Bridge Score: B(m) = Σ w(t) · λ^(d(m,t)-1) ranks mutuals by target proximity
- Extended Score incorporates 2nd-order network (mutual-of-mutual connections)
- Final ranking includes engagement bonus for responsive connections
- Runs in parallel with lead-intelligence skill for combined warm+cold outreach
- Supports X API + LinkedIn CSV for graph harvesting
- Outputs tiered action list: warm intros, direct outreach, network gap analysis
Added to business-content install module. Catalog validates: 30/60/140.
* fix(security): npm audit fix — resolve all dependency vulnerabilities
Applied npm audit fix --force to resolve:
- minimatch ReDoS (3 vulnerabilities, HIGH)
- smol-toml DoS (MODERATE)
- brace-expansion memory exhaustion (MODERATE)
- markdownlint-cli upgraded from 0.47.0 to 0.48.0
npm audit now reports 0 vulnerabilities.
* fix: resolve markdown lint and yarn lockfile sync
- MD047: ensure single trailing newline on all remotion rule files
- MD012: remove consecutive blank lines in lottie, measuring-dom-nodes, trimming
- MD034: wrap bare URLs in angle brackets (tailwind, transcribe-captions)
- yarn.lock: regenerated to sync with npm audit changes in package.json
* fix: replace unicode arrows in lead-intelligence (CI unicode safety check)
Running install.ps1/install.sh with no arguments gave a cryptic error
with no guidance. Now the usage help is printed after the error so users
know what arguments to pass.
Also added --profile full as the recommended install option in the README
quick-start section, which was previously undocumented.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: add pending instinct TTL pruning and /prune command
Pending instincts generated by the observer accumulate indefinitely
with no cleanup mechanism. This adds lifecycle management:
- `instinct-cli.py prune` — delete pending instincts older than 30 days
(configurable via --max-age). Supports --dry-run and --quiet flags.
- Enhanced `status` command — shows pending count, warns at 5+,
highlights instincts expiring within 7 days.
- `observer-loop.sh` — runs prune before each analysis cycle.
- `/prune` slash command — user-facing command for manual pruning.
Design rationale: council consensus (4/4) rejected auto-promote in
favor of TTL-based garbage collection. Frequency of observation does
not establish correctness. Unreviewed pending instincts auto-delete
after 30 days; if the pattern is real, the observer will regenerate it.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
* fix: remove duplicate functions, broaden extension filter, fix prune output
- Remove duplicate _collect_pending_dirs and _parse_created_date defs
- Use ALLOWED_INSTINCT_EXTENSIONS (.md/.yaml/.yml) instead of .md-only
- Track actually-deleted items separately from expired for accurate output
- Update README.md and AGENTS.md command counts: 59 → 60
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
* fix: address Copilot and CodeRabbit review findings
- Use is_dir() instead of exists() for pending path checks
- Change > to >= for --max-age boundary (--max-age 0 now prunes all)
- Use CLV2_PYTHON_CMD env var in observer-loop.sh prune call
- Remove unused source_dupes variable
- Remove extraneous f-string prefix on static string
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
* fix: update AGENTS.md project structure command count 59 → 60
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: address cubic and coderabbit review findings
- Fix status early return skipping pending instinct warnings (cubic #1)
- Exclude already-expired items from expiring-soon filter (cubic #2)
- Warn on unparseable pending instinct age instead of silent skip (cubic #4)
- Log prune failures to observer.log instead of silencing (cubic #5)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: YAML single-quote unescaping, f-string cleanup, add /prune to README
- Fix single-quoted YAML unescaping: use '' doubling (YAML spec) not
backslash escaping which only applies to double-quoted strings (greptile P1)
- Remove extraneous f-string prefix on static string (coderabbit)
- Add /prune to README command catalog and file tree (cubic)
Co-Authored-By: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Happy <yesreply@happy.engineering>
* fix: replace bash TOML surgery with Node add-only MCP merge
The old sync script used awk/sed to remove and re-append MCP server
sections in config.toml, causing credential extraction races, duplicate
TOML tables, and 3 fragile code paths with 9 remove_section_inplace
calls each.
Replace with a Node script (scripts/codex/merge-mcp-config.js) that
uses @iarna/toml to parse the config, then appends only missing ECC
servers — preserving all existing content byte-for-byte. Warns on
config drift, supports legacy aliases (context7 → context7-mcp), and
adds --update-mcp flag for explicit refresh.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
* fix: address PR #723 review findings for Codex MCP merge
- Use package-manager abstraction (scripts/lib/package-manager.js)
instead of hardcoding pnpm — respects CLAUDE_PACKAGE_MANAGER,
lock files, and project config
- Add Yarn 1.x fallback to npx (yarn dlx unsupported in classic)
- Add missing exa server to match .codex/config.toml baseline
- Wire up findSubSections for --update-mcp nested subtable removal
(fixes Greptile P1: Object.keys only returned top-level keys)
- Fix resolvedLabel to prefer canonical entry over legacy alias
when both exist (fixes context7/context7-mcp spurious warning)
- Fix removeSectionFromText to handle inline TOML comments
- Fix dry-run + --update-mcp to show removals before early return
- Update README parity table: 4 → 7 servers, TOML-parser-based
- Add non-npm install variants to README Codex quick start
- Update package-lock.json for @iarna/toml
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
* fix: address PR #723 review comments (preflight, marker validation)
- Add Node.js and merge-mcp-config.js to preflight checks so the
script fails fast before partial writes (CodeRabbit)
- Validate marker counts: require exactly 1 BEGIN + 1 END in correct
order for clean replacement (CodeRabbit)
- Corrupted markers: strip all marker lines and re-append fresh block,
preserving user content outside markers instead of overwriting
- Move MCP_MERGE_SCRIPT to preflight section, remove duplicate
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Happy <yesreply@happy.engineering>
* Add Turkish (tr) docs and update README
Add a full set of Turkish documentation under docs/tr (agents, changelog, CLAUDE guide, contributing, code of conduct, and many agents/commands/skills/rules files). Update README to include a link to the Turkish docs and increment the supported language count from 5 to 6. This commit adds localized guidance and references to help Turkish-speaking contributors and users.
* Update docs/tr/TROUBLESHOOTING.md
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
* Update docs/tr/README.md
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
* docs(tr): fix license link and update readmes
Update Turkish docs: change license badge link to point to repository root (../../LICENSE), increment displayed language count from 5 to 6, and remove two outdated related links from docs/tr/examples/README.md to keep references accurate.
* Update docs/tr/commands/instinct-import.md
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
* Update docs/tr/commands/checkpoint.md
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
---------
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
- Bump version to 1.9.0 in package.json, package-lock.json, .opencode/package.json
- Add v1.9.0 changelog with 212 commits covering selective install architecture,
6 new agents, 15+ new skills, session/state infrastructure, observer fixes,
12 language ecosystems, and community contributions
- Update README with v1.9.0 release notes and complete agents tree (27 agents)
- Add pytorch-build-resolver to AGENTS.md agent table
- Update documentation counts to 27 agents, 109 skills, 57 commands
- Update version references in zh-CN README
- All 1421 tests passing, catalog counts verified
* docs: add Antigravity setup and usage guide
Addresses #462 — users were confused about Antigravity skills setup.
Adds a comprehensive guide covering:
- Install mapping (ECC → .agent/ directory)
- Directory structure after install
- openai.yaml agent config format
- Managing installs (list, doctor, uninstall)
- Cross-target comparison table
- Troubleshooting common issues
- How to contribute skills with Antigravity support
Also links the guide from the README FAQ section.
* fix: address review feedback on Antigravity guide
- Remove spurious skills/ row from install mapping table, add note
clarifying .agents/skills/ is static repo layout not installer-mapped
- Fix repair section: doctor.js diagnoses, repair.js restores
- Fix .agents/ → .agent/ path typo in custom skills section
- Clarify 3-step workflow for adding Antigravity skills
- Fix antigravity-project → antigravity in comparison table
- Fix "flatten" → "flattened" grammar in README
- Clarify openai.yaml full nested path structure
* fix: clarify .agents/ vs .agent/ naming and fix Cursor comparison
- Explain that .agents/ (with 's') is ECC source, .agent/ (no 's')
is Antigravity runtime — installer copies between them
- Fix Cursor Agents/Skills column: Cursor has no explicit agents/skills
mapping (only rules), changed from 'skills/' to 'N/A'
* fix: correct installer behavior claims and command style
- Fix .agents/ vs .agent/ note: clarify that only rules, commands, and
agents (no dot) are explicitly mapped by the installer. The dot-prefixed
.agents/ directory falls through to default scaffold, not a direct copy.
- Fix contributor workflow: remove false auto-deploy claim for openai.yaml.
Clarify .agents/ is static repo layout, not installer-deployed.
- Fix uninstall command: use direct script call (node scripts/uninstall.js)
for consistency with doctor.js, repair.js, list-installed.js.
* fix: add missing agents/ step to contributor workflow
Contributors must add an agent definition at agents/ (no dot) for the
installer to deploy it to .agent/skills/ at runtime. Without this step,
skills only exist in the static .agents/ layout and are never deployed.
---------
Co-authored-by: vazidmansuri005 <vazidmansuri005@users.noreply.github.com>
The install script requires the ajv package (a devDependency) for
config validation. Without running npm install first, users get
"Cannot find module 'ajv'" when running ./install.sh.
Co-authored-by: Jeffrey Jordan <jeffreyjordan@dizplai.com>
