* fix: surface legacy data warning in instinct-cli status (#2036)
When the data directory moved from ~/.claude/homunculus/ to the
XDG-compliant ~/.local/share/ecc-homunculus/, legacy installs with data
still in the old path saw "No instincts found" with no explanation.
Add _warn_legacy_data() to cmd_status so users get a clear, actionable
warning pointing them to the migration script or the CLV2_HOMUNCULUS_DIR
override. Wrap the directory scan in try/except to handle permission
errors gracefully.
Closes#2036
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix: address review feedback — drop unused f-strings, resolve absolute migrate path
Remove extraneous f-prefix from strings without interpolation (ruff F541).
Resolve migrate-homunculus.sh path relative to instinct-cli.py instead of
hard-coding a repo-relative path that only works from the repo root.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix: quote migrate script path to handle spaces
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: kky <lingmu141592@gmail.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
rules/zh shipped ~17KB of Chinese rule text into the auto-loaded rules tree
of every default install (rules-core installs the bare 'rules' path with
defaultInstall: true), with no paths: frontmatter gating. The content had
also drifted behind both rules/common and the maintained translations in
docs/zh-CN/rules/common (e.g. zh/coding-style.md 48 lines vs the 52-line
docs/zh-CN copy), and 'zh' was already dropped from the installer's language
help in favor of the gated docs-zh-cn locale module (--locale zh-CN).
- move rules/zh/code-review.md to docs/zh-CN/rules/common/code-review.md:
the only file with no counterpart in the maintained locale tree (fills a
zh-CN parity gap with rules/common/code-review.md)
- delete the remaining 10 rules/zh files, all older duplicates of
docs/zh-CN/rules/common content
- update trae-install test to assert the rules tree via rules/web instead
Not addressed here: rules/README.md (~5.5KB of installer docs) still ships
into the auto-loaded tree via the bare 'rules' module path; filtering README
files from rule-tree expansion is a separate decision
- commands-core now ships scripts/harness-audit.js and scripts/skills-health.js:
the module installs the whole commands/ dir, so /harness-audit and
/skill-health were installed without their backing engines on
manifest-driven installs (the original 1.10.0 failure mode)
- agentic-patterns now ships scripts/claw.js: the module installs the
nanoclaw-repl skill, whose workflow operates scripts/claw.js
- package.json files array gains scripts/skills-health.js so the npm publish
surface stays aligned with the module graph (claw.js and harness-audit.js
were already listed)
- orchestration drops commands/multi-workflow.md and commands/sessions.md
from its explicit paths: both are already shipped by commands-core, which
is a declared dependency of the module, so the duplicate ownership produced
two copy operations per destination in install-state. The two scripts/lib
entries are kept because hooks-runtime is NOT a declared dependency and a
standalone orchestration install still needs them
Adds dynamic workflow/team orchestration skills, the content pack, and control-pane work-item/Kanban state DB support. Includes reviewer hardening for state-db CLI validation, optional state DB failure handling, and mergeStateStatus projection.
Salvages the useful harness-audit scoring work from #1989 while preserving the current hook registry and newer plugin install detection. Adds GitHub integration checks, conditional deploy-provider categories, dynamic applicable category metadata, and CODEOWNERS coverage.
Generate the inline hook root resolver with single-quoted JavaScript literals so Windows Git Bash does not choke on nested escaped double quotes before Node starts. Refresh hooks.json and add regression coverage for parsed hook commands and installed hook manifests.
9 new test cases pin down the two previous commits' denylist
extensions. Each verifies both detection (validator exit non-zero +
the expected `dangerous-invisible U+<HEX>` line on stderr) and,
where applicable, `--write` sanitization.
Coverage:
Tag block (commit 1):
- U+E0041 TAG LATIN CAPITAL LETTER A — the range's printable ASCII
shadow; this is the byte sequence demonstrated in published ASCII
smuggling proofs of concept.
- U+E007F CANCEL TAG — the range end.
Other invisibles (commit 2):
- U+180E MONGOLIAN VOWEL SEPARATOR
- U+115F HANGUL CHOSEONG FILLER
- U+1160 HANGUL JUNGSEONG FILLER
- U+2061 FUNCTION APPLICATION (range start)
- U+2064 INVISIBLE PLUS (range end)
- U+3164 HANGUL FILLER
Detection table is data-driven (one loop, one assertion per row) so
adding the next invisible to the denylist also gets a paired
regression test by simply appending to NEWLY_COVERED_RANGES.
Plus a `--write` integration test:
- writes a markdown file containing both Tag block (5 chars) and
U+180E, runs `--write`, asserts both removed and surrounding text
preserved character-for-character ('# Title\n\nBenigntext.\n').
- re-runs the validator without `--write` and asserts exit 0,
confirming the sanitizer's output is idempotent under the
extended denylist.
Test count: 5 → 14 in this file; full `yarn test` green; `yarn lint`
clean.
