@codyswann/lisa 2.141.1 → 2.141.2

package/package.json

@@ -84,7 +84,7 @@
     "lodash": ">=4.18.1"
   },
   "name": "@codyswann/lisa",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects",
   "main": "dist/index.js",
   "exports": {

package/plugins/lisa/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Universal governance: agents, skills, commands, hooks, and rules for all projects.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa/skills/analyze-claude-remote/SKILL.md

@@ -84,9 +84,19 @@ Group the findings as:
    `secrets.*`/`env:` in CI, and config-referenced tokens. Group by integration (GitHub, AWS,
    Atlassian/JIRA/Confluence, Notion, Linear, Anthropic, notifications, feature flags, other).
    Cross-reference `.lisa.config.json` `tracker`/`source` to mark which credentials are **active**
-   for this repo vs **dormant** (`OPTIONAL`). Always surface Claude Code feature flags actually set
-   in `.claude/settings.json` (e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`) as `REQUIRED` to match
-   local behavior, since the environment `env` block is the reliable place to set them.
+   for this repo vs **dormant** (`OPTIONAL`). Distinguish *where* each var must be set, because the
+   answer differs and getting it wrong sends the user to do redundant work:
+
+   - **Committed `.claude/settings.json` `env` flags** (e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`,
+     `ENABLE_LSP_TOOL`, `BASH_*`) — this file is repo-committed, so it reaches the cloud and Claude
+     Code applies its `env` block when it launches. These are **already provided — no action**.
+     Surface them as `OK` (cite the file), not `REQUIRED`. Do **not** tell the user to re-enter them
+     in the environment UI; a duplicate there only risks drifting from the committed value. The lone
+     caveat: the setup script runs *before* Claude Code launches, so it cannot see these — flag any
+     that the **setup script itself** would need (rare) as needing a UI value too.
+   - **Secrets** (tokens/keys) — cannot be committed, so the committed `settings.json` can't carry
+     them. These are the only vars that genuinely **must be set in the environment-variables UI**.
+     Mark active-integration secrets `REQUIRED`; dormant ones `OPTIONAL`.
 
 4a. **Tracker / PRD-source credentials** — this is the load-bearing part of the audit and must be
    driven by config, not by what the scan happens to find. Resolve the active integrations first:
@@ -199,7 +209,10 @@ checklist of the secrets the user must set in the routine's environment for the
 `tracker`/`source` (from group 4a). One block per active integration, each with its env-var name(s),
 an `Acquire:` URL, and an `Access:` scope line, plus a one-line note that the environment UI is where
 these are set (the generated build script only emits a names-only template, never values). If both
-`tracker` and `source` resolve to the same vendor (e.g. both `github`), render it once.
+`tracker` and `source` resolve to the same vendor (e.g. both GitHub), render it once. List **only
+secrets** here — do not include the committed `.claude/settings.json` `env` flags; close the
+subsection with a one-line reminder that those flags are already provided by the committed file and
+need no UI entry.
 
 End with a fenced, machine-readable inventory block (also printed when `--json` is passed) so
 `/lisa:generate-claude-remote-build-script` can consume it without re-deriving everything. Secret
@@ -216,7 +229,7 @@ so the generator can render acquisition comments into its template:
   "tracker": "github",
   "source": "github",
   "env": [
-    { "name": "CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS", "required": true, "secret": false, "reason": "set in .claude/settings.json" },
+    { "name": "CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS", "required": false, "secret": false, "providedBy": "settings.json", "uiAction": "none", "reason": "committed in .claude/settings.json env — applied automatically; do not re-enter in the UI" },
     {
       "name": "GH_TOKEN", "required": true, "secret": true, "integration": "github",
       "reason": "active tracker+source; gh scripts gate on gh auth status",

package/plugins/lisa/skills/generate-claude-remote-build-script/SKILL.md

@@ -51,9 +51,12 @@ tracker/source, plus the host project's own package manager and tooling — not
 3. **Emit the environment-variable template.** Write a commented block listing every `env` entry
    from the inventory grouped by integration, marked `REQUIRED`/`OPTIONAL` and `secret`/`plain`,
    with the reason. **Never write real secret values** — only names and placeholders, because the
-   environment config is visible to anyone who can edit it. Include feature flags actually set in
-   `.claude/settings.json` (e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`) so cloud behavior matches
-   local. For every secret entry that carries `acquireUrl`/`accessScope`/`headlessSubstrate` (the
+   environment config is visible to anyone who can edit it. Entries flagged `providedBy: settings.json`
+   (the committed `.claude/settings.json` `env` flags, e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`) are
+   **already applied from the committed file** — list them under an `# Already provided by committed
+   .claude/settings.json — no UI entry needed` heading, not as values to set. The "set in the
+   environment UI" template is for **secrets only**. For every secret entry that carries
+   `acquireUrl`/`accessScope`/`headlessSubstrate` (the
    active tracker/source credentials from the analysis's group 4a), render those as comment lines
    directly above the name — `# Acquire: <url>` and `# Access: <scope>` — so the user knows exactly
    where to get the token and what permissions it needs. Emit only the **env-var form** of the name
@@ -83,8 +86,9 @@ shape, not a fixed payload):
 #
 # GAPS this script cannot fix (configure separately):
 #   - <gaps from analysis, e.g. auto-memory is machine-local and not synced to cloud routines>
-# ENV VARS to set in the environment config (names only — set real values there, not here):
-#   - CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1   # REQUIRED, matches .claude/settings.json
+# Already provided by committed .claude/settings.json (applied automatically — no UI entry needed):
+#   - CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS, ENABLE_LSP_TOOL, BASH_DEFAULT_TIMEOUT_MS, BASH_MAX_TIMEOUT_MS
+# SECRETS to set in the environment config (names only — set real values there, not here):
 #   # --- credentials for the active tracker/source (set in the environment UI) ---
 #   # Acquire: https://github.com/settings/personal-access-tokens
 #   # Access:  fine-grained PAT on target repo: Contents R/W, Issues R/W, Pull requests R/W, Metadata R

package/plugins/lisa-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-agy/skills/analyze-claude-remote/SKILL.md

@@ -84,9 +84,19 @@ Group the findings as:
    `secrets.*`/`env:` in CI, and config-referenced tokens. Group by integration (GitHub, AWS,
    Atlassian/JIRA/Confluence, Notion, Linear, Anthropic, notifications, feature flags, other).
    Cross-reference `.lisa.config.json` `tracker`/`source` to mark which credentials are **active**
-   for this repo vs **dormant** (`OPTIONAL`). Always surface Claude Code feature flags actually set
-   in `.claude/settings.json` (e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`) as `REQUIRED` to match
-   local behavior, since the environment `env` block is the reliable place to set them.
+   for this repo vs **dormant** (`OPTIONAL`). Distinguish *where* each var must be set, because the
+   answer differs and getting it wrong sends the user to do redundant work:
+
+   - **Committed `.claude/settings.json` `env` flags** (e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`,
+     `ENABLE_LSP_TOOL`, `BASH_*`) — this file is repo-committed, so it reaches the cloud and Claude
+     Code applies its `env` block when it launches. These are **already provided — no action**.
+     Surface them as `OK` (cite the file), not `REQUIRED`. Do **not** tell the user to re-enter them
+     in the environment UI; a duplicate there only risks drifting from the committed value. The lone
+     caveat: the setup script runs *before* Claude Code launches, so it cannot see these — flag any
+     that the **setup script itself** would need (rare) as needing a UI value too.
+   - **Secrets** (tokens/keys) — cannot be committed, so the committed `settings.json` can't carry
+     them. These are the only vars that genuinely **must be set in the environment-variables UI**.
+     Mark active-integration secrets `REQUIRED`; dormant ones `OPTIONAL`.
 
 4a. **Tracker / PRD-source credentials** — this is the load-bearing part of the audit and must be
    driven by config, not by what the scan happens to find. Resolve the active integrations first:
@@ -199,7 +209,10 @@ checklist of the secrets the user must set in the routine's environment for the
 `tracker`/`source` (from group 4a). One block per active integration, each with its env-var name(s),
 an `Acquire:` URL, and an `Access:` scope line, plus a one-line note that the environment UI is where
 these are set (the generated build script only emits a names-only template, never values). If both
-`tracker` and `source` resolve to the same vendor (e.g. both `github`), render it once.
+`tracker` and `source` resolve to the same vendor (e.g. both GitHub), render it once. List **only
+secrets** here — do not include the committed `.claude/settings.json` `env` flags; close the
+subsection with a one-line reminder that those flags are already provided by the committed file and
+need no UI entry.
 
 End with a fenced, machine-readable inventory block (also printed when `--json` is passed) so
 `/lisa:generate-claude-remote-build-script` can consume it without re-deriving everything. Secret
@@ -216,7 +229,7 @@ so the generator can render acquisition comments into its template:
   "tracker": "github",
   "source": "github",
   "env": [
-    { "name": "CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS", "required": true, "secret": false, "reason": "set in .claude/settings.json" },
+    { "name": "CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS", "required": false, "secret": false, "providedBy": "settings.json", "uiAction": "none", "reason": "committed in .claude/settings.json env — applied automatically; do not re-enter in the UI" },
     {
       "name": "GH_TOKEN", "required": true, "secret": true, "integration": "github",
       "reason": "active tracker+source; gh scripts gate on gh auth status",

package/plugins/lisa-agy/skills/generate-claude-remote-build-script/SKILL.md

@@ -51,9 +51,12 @@ tracker/source, plus the host project's own package manager and tooling — not
 3. **Emit the environment-variable template.** Write a commented block listing every `env` entry
    from the inventory grouped by integration, marked `REQUIRED`/`OPTIONAL` and `secret`/`plain`,
    with the reason. **Never write real secret values** — only names and placeholders, because the
-   environment config is visible to anyone who can edit it. Include feature flags actually set in
-   `.claude/settings.json` (e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`) so cloud behavior matches
-   local. For every secret entry that carries `acquireUrl`/`accessScope`/`headlessSubstrate` (the
+   environment config is visible to anyone who can edit it. Entries flagged `providedBy: settings.json`
+   (the committed `.claude/settings.json` `env` flags, e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`) are
+   **already applied from the committed file** — list them under an `# Already provided by committed
+   .claude/settings.json — no UI entry needed` heading, not as values to set. The "set in the
+   environment UI" template is for **secrets only**. For every secret entry that carries
+   `acquireUrl`/`accessScope`/`headlessSubstrate` (the
    active tracker/source credentials from the analysis's group 4a), render those as comment lines
    directly above the name — `# Acquire: <url>` and `# Access: <scope>` — so the user knows exactly
    where to get the token and what permissions it needs. Emit only the **env-var form** of the name
@@ -83,8 +86,9 @@ shape, not a fixed payload):
 #
 # GAPS this script cannot fix (configure separately):
 #   - <gaps from analysis, e.g. auto-memory is machine-local and not synced to cloud routines>
-# ENV VARS to set in the environment config (names only — set real values there, not here):
-#   - CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1   # REQUIRED, matches .claude/settings.json
+# Already provided by committed .claude/settings.json (applied automatically — no UI entry needed):
+#   - CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS, ENABLE_LSP_TOOL, BASH_DEFAULT_TIMEOUT_MS, BASH_MAX_TIMEOUT_MS
+# SECRETS to set in the environment config (names only — set real values there, not here):
 #   # --- credentials for the active tracker/source (set in the environment UI) ---
 #   # Acquire: https://github.com/settings/personal-access-tokens
 #   # Access:  fine-grained PAT on target repo: Contents R/W, Issues R/W, Pull requests R/W, Metadata R

package/plugins/lisa-cdk/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "AWS CDK-specific plugin",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cdk/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "AWS CDK-specific Lisa plugin.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cdk-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "AWS CDK-specific plugin",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cdk-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "AWS CDK-specific plugin",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cdk-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "AWS CDK-specific plugin",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-copilot/skills/analyze-claude-remote/SKILL.md

@@ -84,9 +84,19 @@ Group the findings as:
    `secrets.*`/`env:` in CI, and config-referenced tokens. Group by integration (GitHub, AWS,
    Atlassian/JIRA/Confluence, Notion, Linear, Anthropic, notifications, feature flags, other).
    Cross-reference `.lisa.config.json` `tracker`/`source` to mark which credentials are **active**
-   for this repo vs **dormant** (`OPTIONAL`). Always surface Claude Code feature flags actually set
-   in `.claude/settings.json` (e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`) as `REQUIRED` to match
-   local behavior, since the environment `env` block is the reliable place to set them.
+   for this repo vs **dormant** (`OPTIONAL`). Distinguish *where* each var must be set, because the
+   answer differs and getting it wrong sends the user to do redundant work:
+
+   - **Committed `.claude/settings.json` `env` flags** (e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`,
+     `ENABLE_LSP_TOOL`, `BASH_*`) — this file is repo-committed, so it reaches the cloud and Claude
+     Code applies its `env` block when it launches. These are **already provided — no action**.
+     Surface them as `OK` (cite the file), not `REQUIRED`. Do **not** tell the user to re-enter them
+     in the environment UI; a duplicate there only risks drifting from the committed value. The lone
+     caveat: the setup script runs *before* Claude Code launches, so it cannot see these — flag any
+     that the **setup script itself** would need (rare) as needing a UI value too.
+   - **Secrets** (tokens/keys) — cannot be committed, so the committed `settings.json` can't carry
+     them. These are the only vars that genuinely **must be set in the environment-variables UI**.
+     Mark active-integration secrets `REQUIRED`; dormant ones `OPTIONAL`.
 
 4a. **Tracker / PRD-source credentials** — this is the load-bearing part of the audit and must be
    driven by config, not by what the scan happens to find. Resolve the active integrations first:
@@ -199,7 +209,10 @@ checklist of the secrets the user must set in the routine's environment for the
 `tracker`/`source` (from group 4a). One block per active integration, each with its env-var name(s),
 an `Acquire:` URL, and an `Access:` scope line, plus a one-line note that the environment UI is where
 these are set (the generated build script only emits a names-only template, never values). If both
-`tracker` and `source` resolve to the same vendor (e.g. both `github`), render it once.
+`tracker` and `source` resolve to the same vendor (e.g. both GitHub), render it once. List **only
+secrets** here — do not include the committed `.claude/settings.json` `env` flags; close the
+subsection with a one-line reminder that those flags are already provided by the committed file and
+need no UI entry.
 
 End with a fenced, machine-readable inventory block (also printed when `--json` is passed) so
 `/lisa:generate-claude-remote-build-script` can consume it without re-deriving everything. Secret
@@ -216,7 +229,7 @@ so the generator can render acquisition comments into its template:
   "tracker": "github",
   "source": "github",
   "env": [
-    { "name": "CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS", "required": true, "secret": false, "reason": "set in .claude/settings.json" },
+    { "name": "CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS", "required": false, "secret": false, "providedBy": "settings.json", "uiAction": "none", "reason": "committed in .claude/settings.json env — applied automatically; do not re-enter in the UI" },
     {
       "name": "GH_TOKEN", "required": true, "secret": true, "integration": "github",
       "reason": "active tracker+source; gh scripts gate on gh auth status",

package/plugins/lisa-copilot/skills/generate-claude-remote-build-script/SKILL.md

@@ -51,9 +51,12 @@ tracker/source, plus the host project's own package manager and tooling — not
 3. **Emit the environment-variable template.** Write a commented block listing every `env` entry
    from the inventory grouped by integration, marked `REQUIRED`/`OPTIONAL` and `secret`/`plain`,
    with the reason. **Never write real secret values** — only names and placeholders, because the
-   environment config is visible to anyone who can edit it. Include feature flags actually set in
-   `.claude/settings.json` (e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`) so cloud behavior matches
-   local. For every secret entry that carries `acquireUrl`/`accessScope`/`headlessSubstrate` (the
+   environment config is visible to anyone who can edit it. Entries flagged `providedBy: settings.json`
+   (the committed `.claude/settings.json` `env` flags, e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`) are
+   **already applied from the committed file** — list them under an `# Already provided by committed
+   .claude/settings.json — no UI entry needed` heading, not as values to set. The "set in the
+   environment UI" template is for **secrets only**. For every secret entry that carries
+   `acquireUrl`/`accessScope`/`headlessSubstrate` (the
    active tracker/source credentials from the analysis's group 4a), render those as comment lines
    directly above the name — `# Acquire: <url>` and `# Access: <scope>` — so the user knows exactly
    where to get the token and what permissions it needs. Emit only the **env-var form** of the name
@@ -83,8 +86,9 @@ shape, not a fixed payload):
 #
 # GAPS this script cannot fix (configure separately):
 #   - <gaps from analysis, e.g. auto-memory is machine-local and not synced to cloud routines>
-# ENV VARS to set in the environment config (names only — set real values there, not here):
-#   - CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1   # REQUIRED, matches .claude/settings.json
+# Already provided by committed .claude/settings.json (applied automatically — no UI entry needed):
+#   - CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS, ENABLE_LSP_TOOL, BASH_DEFAULT_TIMEOUT_MS, BASH_MAX_TIMEOUT_MS
+# SECRETS to set in the environment config (names only — set real values there, not here):
 #   # --- credentials for the active tracker/source (set in the environment UI) ---
 #   # Acquire: https://github.com/settings/personal-access-tokens
 #   # Access:  fine-grained PAT on target repo: Contents R/W, Issues R/W, Pull requests R/W, Metadata R

package/plugins/lisa-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cursor/skills/analyze-claude-remote/SKILL.md

@@ -84,9 +84,19 @@ Group the findings as:
    `secrets.*`/`env:` in CI, and config-referenced tokens. Group by integration (GitHub, AWS,
    Atlassian/JIRA/Confluence, Notion, Linear, Anthropic, notifications, feature flags, other).
    Cross-reference `.lisa.config.json` `tracker`/`source` to mark which credentials are **active**
-   for this repo vs **dormant** (`OPTIONAL`). Always surface Claude Code feature flags actually set
-   in `.claude/settings.json` (e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`) as `REQUIRED` to match
-   local behavior, since the environment `env` block is the reliable place to set them.
+   for this repo vs **dormant** (`OPTIONAL`). Distinguish *where* each var must be set, because the
+   answer differs and getting it wrong sends the user to do redundant work:
+
+   - **Committed `.claude/settings.json` `env` flags** (e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`,
+     `ENABLE_LSP_TOOL`, `BASH_*`) — this file is repo-committed, so it reaches the cloud and Claude
+     Code applies its `env` block when it launches. These are **already provided — no action**.
+     Surface them as `OK` (cite the file), not `REQUIRED`. Do **not** tell the user to re-enter them
+     in the environment UI; a duplicate there only risks drifting from the committed value. The lone
+     caveat: the setup script runs *before* Claude Code launches, so it cannot see these — flag any
+     that the **setup script itself** would need (rare) as needing a UI value too.
+   - **Secrets** (tokens/keys) — cannot be committed, so the committed `settings.json` can't carry
+     them. These are the only vars that genuinely **must be set in the environment-variables UI**.
+     Mark active-integration secrets `REQUIRED`; dormant ones `OPTIONAL`.
 
 4a. **Tracker / PRD-source credentials** — this is the load-bearing part of the audit and must be
    driven by config, not by what the scan happens to find. Resolve the active integrations first:
@@ -199,7 +209,10 @@ checklist of the secrets the user must set in the routine's environment for the
 `tracker`/`source` (from group 4a). One block per active integration, each with its env-var name(s),
 an `Acquire:` URL, and an `Access:` scope line, plus a one-line note that the environment UI is where
 these are set (the generated build script only emits a names-only template, never values). If both
-`tracker` and `source` resolve to the same vendor (e.g. both `github`), render it once.
+`tracker` and `source` resolve to the same vendor (e.g. both GitHub), render it once. List **only
+secrets** here — do not include the committed `.claude/settings.json` `env` flags; close the
+subsection with a one-line reminder that those flags are already provided by the committed file and
+need no UI entry.
 
 End with a fenced, machine-readable inventory block (also printed when `--json` is passed) so
 `/lisa:generate-claude-remote-build-script` can consume it without re-deriving everything. Secret
@@ -216,7 +229,7 @@ so the generator can render acquisition comments into its template:
   "tracker": "github",
   "source": "github",
   "env": [
-    { "name": "CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS", "required": true, "secret": false, "reason": "set in .claude/settings.json" },
+    { "name": "CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS", "required": false, "secret": false, "providedBy": "settings.json", "uiAction": "none", "reason": "committed in .claude/settings.json env — applied automatically; do not re-enter in the UI" },
     {
       "name": "GH_TOKEN", "required": true, "secret": true, "integration": "github",
       "reason": "active tracker+source; gh scripts gate on gh auth status",

package/plugins/lisa-cursor/skills/generate-claude-remote-build-script/SKILL.md

@@ -51,9 +51,12 @@ tracker/source, plus the host project's own package manager and tooling — not
 3. **Emit the environment-variable template.** Write a commented block listing every `env` entry
    from the inventory grouped by integration, marked `REQUIRED`/`OPTIONAL` and `secret`/`plain`,
    with the reason. **Never write real secret values** — only names and placeholders, because the
-   environment config is visible to anyone who can edit it. Include feature flags actually set in
-   `.claude/settings.json` (e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`) so cloud behavior matches
-   local. For every secret entry that carries `acquireUrl`/`accessScope`/`headlessSubstrate` (the
+   environment config is visible to anyone who can edit it. Entries flagged `providedBy: settings.json`
+   (the committed `.claude/settings.json` `env` flags, e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`) are
+   **already applied from the committed file** — list them under an `# Already provided by committed
+   .claude/settings.json — no UI entry needed` heading, not as values to set. The "set in the
+   environment UI" template is for **secrets only**. For every secret entry that carries
+   `acquireUrl`/`accessScope`/`headlessSubstrate` (the
    active tracker/source credentials from the analysis's group 4a), render those as comment lines
    directly above the name — `# Acquire: <url>` and `# Access: <scope>` — so the user knows exactly
    where to get the token and what permissions it needs. Emit only the **env-var form** of the name
@@ -83,8 +86,9 @@ shape, not a fixed payload):
 #
 # GAPS this script cannot fix (configure separately):
 #   - <gaps from analysis, e.g. auto-memory is machine-local and not synced to cloud routines>
-# ENV VARS to set in the environment config (names only — set real values there, not here):
-#   - CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1   # REQUIRED, matches .claude/settings.json
+# Already provided by committed .claude/settings.json (applied automatically — no UI entry needed):
+#   - CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS, ENABLE_LSP_TOOL, BASH_DEFAULT_TIMEOUT_MS, BASH_MAX_TIMEOUT_MS
+# SECRETS to set in the environment config (names only — set real values there, not here):
 #   # --- credentials for the active tracker/source (set in the environment UI) ---
 #   # Acquire: https://github.com/settings/personal-access-tokens
 #   # Access:  fine-grained PAT on target repo: Contents R/W, Issues R/W, Pull requests R/W, Metadata R

package/plugins/lisa-expo/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Expo/React Native-specific skills, agents, rules, and MCP servers",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-expo/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Expo and React Native-specific skills, agents, rules, and MCP servers.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-expo-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Expo/React Native-specific skills, agents, rules, and MCP servers",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-expo-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Expo/React Native-specific skills, agents, rules, and MCP servers",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-expo-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Expo/React Native-specific skills, agents, rules, and MCP servers",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-harper-fabric/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-harper-fabric",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Harper/Fabric-specific rules for TypeScript component apps",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-harper-fabric/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-harper-fabric",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Harper/Fabric-specific Lisa rules for TypeScript component apps.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-harper-fabric-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-harper-fabric",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Harper/Fabric-specific rules for TypeScript component apps",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-harper-fabric-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-harper-fabric",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Harper/Fabric-specific rules for TypeScript component apps",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-harper-fabric-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-harper-fabric",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Harper/Fabric-specific rules for TypeScript component apps",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-nestjs/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-nestjs",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "NestJS-specific skills (GraphQL, TypeORM) and hooks (migration write-protection)",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-nestjs/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-nestjs",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "NestJS-specific skills and migration write-protection hooks.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-nestjs-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-nestjs",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "NestJS-specific skills (GraphQL, TypeORM) and hooks (migration write-protection)",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-nestjs-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-nestjs",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "NestJS-specific skills (GraphQL, TypeORM) and hooks (migration write-protection)",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-nestjs-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-nestjs",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "NestJS-specific skills (GraphQL, TypeORM) and hooks (migration write-protection)",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-openclaw/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-openclaw",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-openclaw/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-openclaw",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, across Claude and Codex.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-openclaw-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-openclaw",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-openclaw-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-openclaw",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-openclaw-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-openclaw",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Ruby on Rails-specific hooks — RuboCop linting/formatting and ast-grep scanning on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Ruby on Rails-specific skills and hooks for RuboCop and ast-grep scanning on edit.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Ruby on Rails-specific hooks — RuboCop linting/formatting and ast-grep scanning on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Ruby on Rails-specific hooks — RuboCop linting/formatting and ast-grep scanning on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Ruby on Rails-specific hooks — RuboCop linting/formatting and ast-grep scanning on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "TypeScript-specific hooks — Prettier formatting, ESLint linting, ast-grep scanning, and error-suppression blocking on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "TypeScript-specific hooks for formatting, linting, and ast-grep scanning on edit.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "TypeScript-specific hooks — Prettier formatting, ESLint linting, ast-grep scanning, and error-suppression blocking on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "TypeScript-specific hooks — Prettier formatting, ESLint linting, ast-grep scanning, and error-suppression blocking on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "TypeScript-specific hooks — Prettier formatting, ESLint linting, ast-grep scanning, and error-suppression blocking on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "LLM Wiki — a distributable, git-native markdown knowledge base for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "Distributable LLM Wiki kernel — ingest, query, lint, and maintain a git-native markdown knowledge base across Claude and Codex.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "LLM Wiki — a distributable, git-native markdown knowledge base for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "LLM Wiki — a distributable, git-native markdown knowledge base for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.141.1",
+  "version": "2.141.2",
   "description": "LLM Wiki — a distributable, git-native markdown knowledge base for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/src/base/skills/analyze-claude-remote/SKILL.md

@@ -84,9 +84,19 @@ Group the findings as:
    `secrets.*`/`env:` in CI, and config-referenced tokens. Group by integration (GitHub, AWS,
    Atlassian/JIRA/Confluence, Notion, Linear, Anthropic, notifications, feature flags, other).
    Cross-reference `.lisa.config.json` `tracker`/`source` to mark which credentials are **active**
-   for this repo vs **dormant** (`OPTIONAL`). Always surface Claude Code feature flags actually set
-   in `.claude/settings.json` (e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`) as `REQUIRED` to match
-   local behavior, since the environment `env` block is the reliable place to set them.
+   for this repo vs **dormant** (`OPTIONAL`). Distinguish *where* each var must be set, because the
+   answer differs and getting it wrong sends the user to do redundant work:
+
+   - **Committed `.claude/settings.json` `env` flags** (e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`,
+     `ENABLE_LSP_TOOL`, `BASH_*`) — this file is repo-committed, so it reaches the cloud and Claude
+     Code applies its `env` block when it launches. These are **already provided — no action**.
+     Surface them as `OK` (cite the file), not `REQUIRED`. Do **not** tell the user to re-enter them
+     in the environment UI; a duplicate there only risks drifting from the committed value. The lone
+     caveat: the setup script runs *before* Claude Code launches, so it cannot see these — flag any
+     that the **setup script itself** would need (rare) as needing a UI value too.
+   - **Secrets** (tokens/keys) — cannot be committed, so the committed `settings.json` can't carry
+     them. These are the only vars that genuinely **must be set in the environment-variables UI**.
+     Mark active-integration secrets `REQUIRED`; dormant ones `OPTIONAL`.
 
 4a. **Tracker / PRD-source credentials** — this is the load-bearing part of the audit and must be
    driven by config, not by what the scan happens to find. Resolve the active integrations first:
@@ -199,7 +209,10 @@ checklist of the secrets the user must set in the routine's environment for the
 `tracker`/`source` (from group 4a). One block per active integration, each with its env-var name(s),
 an `Acquire:` URL, and an `Access:` scope line, plus a one-line note that the environment UI is where
 these are set (the generated build script only emits a names-only template, never values). If both
-`tracker` and `source` resolve to the same vendor (e.g. both `github`), render it once.
+`tracker` and `source` resolve to the same vendor (e.g. both GitHub), render it once. List **only
+secrets** here — do not include the committed `.claude/settings.json` `env` flags; close the
+subsection with a one-line reminder that those flags are already provided by the committed file and
+need no UI entry.
 
 End with a fenced, machine-readable inventory block (also printed when `--json` is passed) so
 `/lisa:generate-claude-remote-build-script` can consume it without re-deriving everything. Secret
@@ -216,7 +229,7 @@ so the generator can render acquisition comments into its template:
   "tracker": "github",
   "source": "github",
   "env": [
-    { "name": "CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS", "required": true, "secret": false, "reason": "set in .claude/settings.json" },
+    { "name": "CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS", "required": false, "secret": false, "providedBy": "settings.json", "uiAction": "none", "reason": "committed in .claude/settings.json env — applied automatically; do not re-enter in the UI" },
     {
       "name": "GH_TOKEN", "required": true, "secret": true, "integration": "github",
       "reason": "active tracker+source; gh scripts gate on gh auth status",

package/plugins/src/base/skills/generate-claude-remote-build-script/SKILL.md

@@ -51,9 +51,12 @@ tracker/source, plus the host project's own package manager and tooling — not
 3. **Emit the environment-variable template.** Write a commented block listing every `env` entry
    from the inventory grouped by integration, marked `REQUIRED`/`OPTIONAL` and `secret`/`plain`,
    with the reason. **Never write real secret values** — only names and placeholders, because the
-   environment config is visible to anyone who can edit it. Include feature flags actually set in
-   `.claude/settings.json` (e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`) so cloud behavior matches
-   local. For every secret entry that carries `acquireUrl`/`accessScope`/`headlessSubstrate` (the
+   environment config is visible to anyone who can edit it. Entries flagged `providedBy: settings.json`
+   (the committed `.claude/settings.json` `env` flags, e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`) are
+   **already applied from the committed file** — list them under an `# Already provided by committed
+   .claude/settings.json — no UI entry needed` heading, not as values to set. The "set in the
+   environment UI" template is for **secrets only**. For every secret entry that carries
+   `acquireUrl`/`accessScope`/`headlessSubstrate` (the
    active tracker/source credentials from the analysis's group 4a), render those as comment lines
    directly above the name — `# Acquire: <url>` and `# Access: <scope>` — so the user knows exactly
    where to get the token and what permissions it needs. Emit only the **env-var form** of the name
@@ -83,8 +86,9 @@ shape, not a fixed payload):
 #
 # GAPS this script cannot fix (configure separately):
 #   - <gaps from analysis, e.g. auto-memory is machine-local and not synced to cloud routines>
-# ENV VARS to set in the environment config (names only — set real values there, not here):
-#   - CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1   # REQUIRED, matches .claude/settings.json
+# Already provided by committed .claude/settings.json (applied automatically — no UI entry needed):
+#   - CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS, ENABLE_LSP_TOOL, BASH_DEFAULT_TIMEOUT_MS, BASH_MAX_TIMEOUT_MS
+# SECRETS to set in the environment config (names only — set real values there, not here):
 #   # --- credentials for the active tracker/source (set in the environment UI) ---
 #   # Acquire: https://github.com/settings/personal-access-tokens
 #   # Access:  fine-grained PAT on target repo: Contents R/W, Issues R/W, Pull requests R/W, Metadata R

package/scripts/claude-remote-setup.sh

@@ -13,12 +13,10 @@
 #   - linear-server MCP is OAuth (browser) → unusable headless. Dormant here (tracker=github);
 #     if you switch to Linear, use LINEAR_API_KEY + Linear GraphQL instead.
 #
-# ENV VARS to set in the environment config (names only — set real values in the UI, NOT here):
-#   Plain config flags (match .claude/settings.json):
-#     - CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1
-#     - ENABLE_LSP_TOOL=1
-#     - BASH_DEFAULT_TIMEOUT_MS=1800000
-#     - BASH_MAX_TIMEOUT_MS=7200000
+# Already provided by committed .claude/settings.json env (applied automatically — do NOT re-enter in the UI):
+#     - CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS, ENABLE_LSP_TOOL, BASH_DEFAULT_TIMEOUT_MS, BASH_MAX_TIMEOUT_MS
+#
+# SECRETS to set in the environment config (names only — set real values in the UI, NOT here):
 #   Credentials for the active tracker/source (tracker=github, source=github):
 #     # Acquire: https://github.com/settings/personal-access-tokens
 #     # Access:  fine-grained PAT on CodySwannGT/lisa — Contents R/W, Issues R/W,