@boxes-dev/dvb-runtime 1.0.189 → 1.0.190

package/dist/prompts/local-scan-env-secrets.md

@@ -9,14 +9,18 @@ Note: this inventory is used to bundle/copy required local-dev files to the remo
 Important: you must base your response on actual evidence from this machine. Do not guess.
 You must run shell commands to scan the repo and environment before returning the final JSON.
 Do not scan devbox-generated state directories.
+Never enumerate dependency, cache, or build-output trees. Always exclude or prune at least `node_modules`, `.git`, `.devbox`, `dist`, `build`, `.next`, `.turbo`, `.vite`, and `coverage`.
+Never use shell globstar patterns such as `**/*.md` or `**/package.json`; in zsh they can expand into `node_modules`. Prefer `find ... -prune` or `rg --glob '!node_modules/**'`.
+Do not run `git ls-files --others --ignored --exclude-standard`; it can dump huge ignored dependency trees. Prefer `git status --porcelain=v1 --ignored --untracked-files=normal`.
 Before returning JSON, verify every `path` you include currently exists on disk.
 Do not include any missing/nonexistent paths in `envFiles` or `secretFiles`.
 
 Minimum evidence to gather (run these, plus anything else you need):
 
 - `ls -la`
+- `cat .gitignore 2>/dev/null || true`
 - `find . -maxdepth 4 -type f -name '.env*' -not -path './node_modules/*' -not -path './.git/*' -not -path './.devbox/*'`
-- `git status --porcelain=v1 --ignored`
+- `git status --porcelain=v1 --ignored --untracked-files=normal`
 - `cat package.json`
 - `rg -n \"VITE_|CONVEX_|dotenv\" package.json vite.config.ts src convex 2>/dev/null || true`
 

package/dist/prompts/local-scan-external.md

@@ -10,6 +10,9 @@ Important: you must base your response on actual evidence from this machine. Do
 You must run shell commands to scan the repo and environment before returning the final JSON.
 Do not deeply / recursively scan the home directory; it's ok to list files, but keep your exploration tight: prefer checking specific, high-signal locations you can justify (like `~/.npmrc`).
 Do not scan devbox-generated state directories.
+Never enumerate dependency, cache, or build-output trees. Always exclude or prune at least `node_modules`, `.git`, `.devbox`, `dist`, `build`, `.next`, `.turbo`, `.vite`, and `coverage`.
+Never use shell globstar patterns such as `**/*.md` or `**/package.json`; in zsh they can expand into `node_modules`. Prefer `find ... -prune` or `rg --glob '!node_modules/**'`.
+Keep command output tight. Prefer listing candidate files first, then reading only the small set of relevant files.
 Before returning JSON, verify every `path` in `externalConfigs` currently exists on disk.
 Do not include any missing/nonexistent paths.
 
@@ -17,8 +20,9 @@ Minimum evidence to gather (run these, plus anything else you need):
 
 - `ls -la`
 - `cat package.json`
+- `find . -maxdepth 4 -type f \\( -name 'README*' -o -path './docs/*' -o -path './.github/*' -o -path './scripts/*' -o -name 'package.json' \\) -not -path './node_modules/*' -not -path './.git/*' -not -path './.devbox/*' | sort | head -n 200`
 - `command -v just >/dev/null && just --list || true`
-- `rg -n \"\\b(just|make|task|npm|pnpm|yarn|bun|docker|wrangler|fly|convex|codex|sprite)\\b\" README* docs .github scripts package.json **/package.json 2>/dev/null || true`
+- `command -v rg >/dev/null && rg -n --glob '!node_modules/**' --glob '!.git/**' --glob '!.devbox/**' --glob '!dist/**' --glob '!build/**' --glob '*.md' --glob 'package.json' \"\\b(just|make|task|npm|pnpm|yarn|bun|docker|wrangler|fly|convex|codex|sprite)\\b\" . 2>/dev/null || true`
 - `command -v node >/dev/null && node --version || true`
 - `command -v npm >/dev/null && npm --version || true`
 

package/dist/prompts/local-scan-extra-artifacts.md

@@ -7,14 +7,18 @@ Be sure to only include items that are required for operation of the development
 Important: you must base your response on actual evidence from this machine. Do not guess.
 You must run shell commands to scan the repo before returning the final JSON.
 Do not scan devbox-generated state directories.
+Never enumerate dependency, cache, or build-output trees. Always exclude or prune at least `node_modules`, `.git`, `.devbox`, `dist`, `build`, `.next`, `.turbo`, `.vite`, and `coverage`.
+Never use shell globstar patterns such as `**/*.md` or `**/package.json`; in zsh they can expand into `node_modules`. Prefer `find ... -prune` or `rg --glob '!node_modules/**'`.
+Keep command output tight. Prefer candidate-file lists over recursive dumps.
 Before returning JSON, verify every `path` in `extraArtifacts` currently exists on disk.
 Do not include any missing/nonexistent paths.
 
 Minimum evidence to gather (run these, plus anything else you need):
 
 - `ls -la`
-- `git status --porcelain=v1 --ignored`
-- `rg -n \"\\b(artifact|cert|key|token|config|credential|cache)\\b\" README* docs .github scripts package.json **/*.md 2>/dev/null || true`
+- `git status --porcelain=v1 --ignored --untracked-files=normal`
+- `find . -maxdepth 4 -type f \\( -name 'README*' -o -path './docs/*' -o -path './.github/*' -o -path './scripts/*' -o -name 'package.json' \\) -not -path './node_modules/*' -not -path './.git/*' -not -path './.devbox/*' | sort | head -n 200`
+- `command -v rg >/dev/null && rg -n --glob '!node_modules/**' --glob '!.git/**' --glob '!.devbox/**' --glob '!dist/**' --glob '!build/**' --glob '*.md' --glob 'package.json' \"\\b(artifact|cert|key|token|config|credential|cache)\\b\" . 2>/dev/null || true`
 
 Return JSON with this shape:
 

package/dist/prompts/local-services-scan.md

@@ -12,6 +12,9 @@ Important requirements (read carefully):
 - You MUST run shell commands to scan the repo before returning the final JSON.
 - Only include commands that are required or explicitly documented in this repo (README/docs, task runners, scripts, config files). Treat `package.json` scripts, `Justfile` recipes, `Makefile` targets, and compose files as explicit documentation.
 - Avoid broad recursive scans of huge directories.
+- Never enumerate dependency, cache, or build-output trees. Always exclude or prune at least `node_modules`, `.git`, `.devbox`, `dist`, `build`, `.next`, `.turbo`, `.vite`, and `coverage`.
+- Never use shell globstar patterns such as `**/*.md` or `**/package.json`; in zsh they can expand into `node_modules`. Prefer `find ... -prune` or `rg --glob '!node_modules/**'`.
+- Keep command output tight. Prefer listing candidate files first, then reading only the files that look relevant.
 - Do not scan devbox-generated state directories. Ignore devbox.toml.
 - If you return empty arrays, it must be because you performed the evidence-gathering steps below and found no documented entrypoints/services.
 
@@ -25,8 +28,8 @@ Minimum evidence to gather (run these, plus anything else you need):
 - `ls -la`
 - `find . -maxdepth 4 -type f \\( -name 'README*' -o -name 'CONTRIBUTING*' -o -name 'Justfile' -o -name 'Makefile' -o -name 'Taskfile.yml' -o -name 'taskfile.yml' -o -name 'package.json' -o -name 'pnpm-workspace.yaml' -o -name 'lerna.json' -o -name 'turbo.json' -o -name 'nx.json' -o -name 'Dockerfile*' -o -name 'docker-compose*.yml' -o -name 'docker-compose*.yaml' -o -name 'compose*.yml' -o -name 'compose*.yaml' -o -name 'Procfile*' -o -name 'devcontainer.json' -o -name 'wrangler.toml' -o -name 'fly.toml' -o -name 'firebase.json' -o -name 'vercel.json' -o -name 'netlify.toml' -o -name 'supabase/config.toml' -o -name 'cargo.toml' -o -name 'go.mod' -o -name 'pyproject.toml' -o -name 'requirements*.txt' -o -name 'Pipfile' -o -name 'Gemfile' -o -name 'mix.exs' -o -name '*.csproj' -o -name '*.sln' \\) -not -path './node_modules/*' -not -path './.git/*' -not -path './.devbox/*'`
 - `find . -maxdepth 4 -type f \\( -path './docs/*' -o -path './.github/*' -o -path './scripts/*' -o -path './bin/*' -o -path './docker/*' -o -path './dev/*' -o -path './infra/*' \\) -not -path './node_modules/*' -not -path './.git/*' -not -path './.devbox/*' | head -n 200`
-- `command -v rg >/dev/null && rg -n \"(^|\\\\b)(just|make|task|npm|pnpm|yarn|bun|docker compose|docker-compose|foreman|honcho|overmind|tilt|skaffold)\\\\b\" README* docs .github scripts bin package.json **/package.json **/*.md 2>/dev/null || true`
-- `command -v rg >/dev/null && rg -n \"\\\\b(dev|start|serve|up|run|watch|worker|daemon|api|web|frontend|backend)\\\\b\" README* docs .github scripts bin package.json **/package.json **/*.md 2>/dev/null || true`
+- `command -v rg >/dev/null && rg -n --glob '!node_modules/**' --glob '!.git/**' --glob '!.devbox/**' --glob '!dist/**' --glob '!build/**' --glob '*.md' --glob 'package.json' \"(^|\\\\b)(just|make|task|npm|pnpm|yarn|bun|docker compose|docker-compose|foreman|honcho|overmind|tilt|skaffold)\\\\b\" . 2>/dev/null || true`
+- `command -v rg >/dev/null && rg -n --glob '!node_modules/**' --glob '!.git/**' --glob '!.devbox/**' --glob '!dist/**' --glob '!build/**' --glob '*.md' --glob 'package.json' \"\\\\b(dev|start|serve|up|run|watch|worker|daemon|api|web|frontend|backend)\\\\b\" . 2>/dev/null || true`
 - If present, inspect task runners:
   - `command -v just >/dev/null && just --list`
   - `test -f Makefile && make -qp | head -n 200` (or at least `rg -n \"^([A-Za-z0-9_.-]+):\" Makefile`)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@boxes-dev/dvb-runtime",
-  "version": "1.0.189",
+  "version": "1.0.190",
   "type": "module",
   "license": "UNLICENSED",
   "publishConfig": {
@@ -39,5 +39,5 @@
     "@boxes-dev/core": "*",
     "@boxes-dev/daemon": "*"
   },
-  "devboxReleasedAt": "2026-03-12T20:03:59Z"
+  "devboxReleasedAt": "2026-03-12T21:12:59Z"
 }