@damian87/omp 0.16.0 → 0.19.0

package/dist/src/mode-state/ponytail.d.ts

@@ -0,0 +1,11 @@
+export type PonytailLevel = "lite" | "full" | "ultra";
+export interface PonytailState {
+    active: boolean;
+    level: PonytailLevel;
+    startedAt: string;
+    projectPath: string;
+}
+export declare function normalizeLevel(input?: string): PonytailLevel;
+export declare function startPonytail(cwd?: string, level?: string): PonytailState;
+export declare function readPonytail(cwd?: string): PonytailState | undefined;
+export declare function cancelPonytail(cwd?: string): void;

package/dist/src/mode-state/ponytail.js

@@ -0,0 +1,22 @@
+import { clearModeState, readModeStateJson, writeModeStateJson } from "./paths.js";
+export function normalizeLevel(input) {
+    const v = String(input ?? "").trim().toLowerCase();
+    return v === "lite" || v === "ultra" ? v : "full";
+}
+export function startPonytail(cwd = process.cwd(), level) {
+    const state = {
+        active: true,
+        level: normalizeLevel(level),
+        startedAt: new Date().toISOString(),
+        projectPath: cwd,
+    };
+    writeModeStateJson(cwd, "ponytail", state);
+    return state;
+}
+export function readPonytail(cwd = process.cwd()) {
+    return readModeStateJson(cwd, "ponytail");
+}
+export function cancelPonytail(cwd = process.cwd()) {
+    clearModeState(cwd, "ponytail");
+}
+//# sourceMappingURL=ponytail.js.map

package/dist/src/mode-state/ponytail.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ponytail.js","sourceRoot":"","sources":["../../../src/mode-state/ponytail.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAWnF,MAAM,UAAU,cAAc,CAAC,KAAc;IAC3C,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACnD,OAAO,CAAC,KAAK,MAAM,IAAI,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE,EAAE,KAAc;IACvE,MAAM,KAAK,GAAkB;QAC3B,MAAM,EAAE,IAAI;QACZ,KAAK,EAAE,cAAc,CAAC,KAAK,CAAC;QAC5B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,WAAW,EAAE,GAAG;KACjB,CAAC;IACF,kBAAkB,CAAC,GAAG,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;IAC3C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE;IACtD,OAAO,iBAAiB,CAAgB,GAAG,EAAE,UAAU,CAAC,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE;IACxD,cAAc,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;AAClC,CAAC"}

package/docs/security-pipeline.md

@@ -0,0 +1,101 @@
+# Security & quality pipeline
+
+This repo ships two GitHub Actions workflows plus Dependabot. Together they cover
+dependency vulnerabilities, supply-chain/malicious-package risk, static code
+analysis, and **AI-skill-specific safety** (the same classes of issue that the
+[skills.sh](https://www.skills.sh) audits — Agent Trust Hub, Socket, Snyk —
+flag for Agent Skills).
+
+## Workflows
+
+### `.github/workflows/ci.yml` — build, test, lint, skills validation
+
+| Job | What it runs |
+| --- | --- |
+| `build-test` | `npm ci` → `npm run build` (tsc) → `npm run lint` (eslint) → `npm test` (vitest), on Node 20 & 22 |
+| `skills` | `npm run lint:skills` (omp's own validator) + `npm run check:catalog` |
+
+### `.github/workflows/security.yml` — security scanners
+
+| Job | Tool | Secret required | Gate |
+| --- | --- | --- | --- |
+| `npm-audit` | `npm audit` | none | fails on **high+** in **production** deps |
+| `skills-safety` | `scripts/skills-safety-scan.mjs` | none | fails on any **HIGH** finding |
+| `codeql` | GitHub CodeQL (JS/TS) | none | results in Security tab |
+| `dependency-review` | GitHub Dependency Review | none (PRs only) | fails on **high** severity |
+| `socket` | Socket CLI | `SOCKET_SECURITY_API_KEY` | skipped if secret unset |
+| `snyk` | Snyk Open Source + Snyk Code | `SNYK_TOKEN` | SARIF → Security tab |
+
+Runs on every push/PR to `main`, plus a weekly scheduled full scan (Mondays).
+Socket and Snyk jobs **self-skip with a notice** if their secret isn't set, so
+the pipeline is green out of the box and lights up as you add tokens.
+
+## Required secrets (optional but recommended)
+
+Add these under **Settings → Secrets and variables → Actions → New repository secret**:
+
+| Secret | Where to get it | Free tier |
+| --- | --- | --- |
+| `SNYK_TOKEN` | [snyk.io](https://snyk.io) → Account settings → Auth Token | Yes |
+| `SOCKET_SECURITY_API_KEY` | [socket.dev](https://socket.dev) → Settings → API Tokens | Yes |
+
+`GITHUB_TOKEN` is provided automatically — no setup needed for CodeQL,
+Dependency Review, or SARIF upload.
+
+## GitHub repo settings to flip on (one-time, free)
+
+These complement the workflows and live in **Settings → Code security**:
+
+- **Dependabot alerts** + **security updates** — `.github/dependabot.yml` already
+  schedules weekly version bumps for npm and Actions.
+- **Secret scanning** + **push protection** — blocks committed credentials.
+- **Code scanning** — surfaces CodeQL/Snyk SARIF in the Security tab.
+
+## The skills safety scanner
+
+`scripts/skills-safety-scan.mjs` statically audits `.github/skills/**`,
+`.github/agents/**`, and `catalog/**` — including SKILL.md docs and bundled
+helper scripts (`*.sh`, `*.py`, `*.mjs`, …) — for the risk classes those
+external audits care about. To avoid false positives on documentation, the
+command-style rules (S001–S003, S005–S007) only match inside fenced code blocks
+in markdown (and the full body of script files); only the prompt-injection rule
+(S004) scans prose. Multi-line commands joined with `\` are merged before
+matching so a wrapped `curl … | sh` can't slip through.
+
+| Rule | Severity | Detects |
+| --- | --- | --- |
+| S001 | HIGH | `curl … | sh` remote code execution |
+| S002 | MEDIUM | Unpinned remote install / `npx <pkg> add` |
+| S003 | LOW | Global `-g` installs |
+| S004 | MEDIUM | Indirect prompt-injection surface (fetch + act on untrusted/third-party content — cf. Snyk W011) |
+| S005 | HIGH | Credential/secret exfiltration |
+| S006 | MEDIUM | Obfuscation (`base64 -d | sh`, `eval(`, `Function(`) |
+| S007 | HIGH | Destructive shell (`rm -rf /`, `dd`, `mkfs`, `chmod 777`) |
+| S100/S101 | MEDIUM | SKILL.md missing `name` / `description` frontmatter |
+
+Run locally:
+
+```bash
+npm run scan:skills                              # human-readable, fails on HIGH
+node scripts/skills-safety-scan.mjs --json       # machine-readable
+node scripts/skills-safety-scan.mjs --strict     # also fail on MEDIUM
+node scripts/skills-safety-scan.mjs --allow-empty # don't fail when no skills exist
+```
+
+## Local commands
+
+```bash
+npm run lint          # eslint over src + scripts
+npm run lint:fix      # auto-fix
+npm run lint:skills   # omp's own SKILL.md validator
+npm run check:catalog # catalog schema validation
+npm run scan:skills   # AI-skill safety scan
+npm run audit:ci      # prod-dep vulnerability gate (high+)
+```
+
+## Notes
+
+- ESLint is scoped to `src/**` and `scripts/**`. Tests (`test/**`) are covered
+  by vitest and kept out of the lint gate to avoid a large up-front refactor.
+- `npm audit` gates on **production** dependencies only (`--omit=dev`); dev-only
+  vulns (vitest, vite, etc.) are handled by Dependabot PRs rather than blocking CI.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@damian87/omp",
-  "version": "0.16.0",
+  "version": "0.19.0",
   "description": "Multi-agent orchestration for GitHub Copilot CLI — autonomous loops (Autopilot, Ralph, UltraQA, Ultrawork), parallel tmux agent teams, a weighted-consensus model council, a Slack chat bridge, durable scheduled jobs, and in-session skills + custom agents. Zero learning curve.",
   "type": "module",
   "publishConfig": {
@@ -30,7 +30,11 @@
     "catalog:list": "npm run build && node dist/src/cli.js catalog list",
     "project:inspect": "npm run build && node dist/src/cli.js project inspect",
     "test": "vitest run",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
     "lint:skills": "npm run build && node dist/src/cli.js lint:skills --root .",
+    "scan:skills": "node scripts/skills-safety-scan.mjs --root .",
+    "audit:ci": "npm audit --audit-level=high --omit=dev",
     "sync:dry-run": "npm run build && node dist/src/cli.js sync:dry-run --root .",
     "jira:dry-run": "npm run build && node dist/src/cli.js jira:dry-run --root .",
     "omp:version": "npm run build && node dist/src/cli.js version",
@@ -57,12 +61,15 @@
     "node": ">=20"
   },
   "devDependencies": {
-    "@types/node": "^22.15.29",
+    "@eslint/js": "^10.0.1",
+    "eslint": "^10.5.0",
+    "typescript-eslint": "^8.11.0",
+    "@types/node": "^26.0.1",
     "@types/node-notifier": "^8.0.5",
-    "@vitest/coverage-v8": "^3.2.4",
-    "tsx": "^4.19.4",
-    "typescript": "^5.8.3",
-    "vitest": "^3.1.4"
+    "@vitest/coverage-v8": "^4.1.9",
+    "tsx": "^4.22.4",
+    "typescript": "^6.0.3",
+    "vitest": "^4.1.9"
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.29.0",

package/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "oh-my-copilot",
   "description": "Multi-agent orchestration skills for GitHub Copilot CLI — autopilot, ralph, ultrawork, ultraqa, team, council, code-review and more as in-session slash skills + custom agents.",
-  "version": "0.16.0",
+  "version": "0.19.0",
   "author": {
     "name": "Damian Borek",
     "email": "borekdamian@yahoo.pl"

package/scripts/prompt-submit.mjs

@@ -35,6 +35,16 @@ function buildContinuationContext(directory) {
     parts.push(
       `[ULTRAQA ACTIVE: cycle ${ultraqa.cycleCount}/${ultraqa.maxCycles}]\nGoal: ${ultraqa.goal}\nRun tests → verify → fix. Iterate.`,
     );
+  const ponytail = readModeState(directory, "ponytail");
+  if (ponytail?.active)
+    parts.push(
+      `[PONYTAIL ACTIVE: ${ponytail.level}]\n` +
+        "Lazy senior dev mode. After understanding the problem, stop at the first rung that holds: " +
+        "1 needed at all? (YAGNI) 2 already here? reuse 3 stdlib? use it 4 native platform? use it " +
+        "5 installed dep? use it 6 one line? one line 7 only then the minimum that works. " +
+        "Never lazy about validation at trust boundaries, data-loss handling, security, accessibility, " +
+        "or anything requested; non-trivial logic leaves one runnable check behind.",
+    );
   return parts.join("\n\n---\n\n");
 }
 

package/scripts/skills-safety-scan.mjs

@@ -0,0 +1,231 @@
+#!/usr/bin/env node
+/**
+ * skills-safety-scan — static safety audit for Agent Skills (SKILL.md) and agents.
+ *
+ * Mirrors the kinds of issues that Agent Trust Hub / Socket / Snyk flag for
+ * AI skills (see skills.sh audits), but runs locally with no network and no
+ * secrets so it can gate every PR:
+ *
+ *   - Untrusted install / remote-code execution surfaces (curl | sh, npx <pkg>, -g, npm i remote)
+ *   - Indirect prompt-injection surfaces (fetching + acting on third-party/user content)
+ *   - Credential / secret exfiltration patterns
+ *   - Obfuscation (base64 decode + exec, eval, large encoded blobs)
+ *   - Destructive shell (rm -rf, dd, mkfs, chmod 777)
+ *   - Frontmatter hygiene (missing name/description)
+ *
+ * Exit codes:
+ *   0 = no HIGH findings (warnings allowed)
+ *   1 = at least one HIGH finding, with --strict any MEDIUM finding, or no files
+ *       scanned (target moved) unless --allow-empty is passed
+ *
+ * Usage:
+ *   node scripts/skills-safety-scan.mjs [--root .] [--strict] [--json] [--allow-empty]
+ */
+import { readFileSync, readdirSync, statSync } from "node:fs";
+import { join, relative, sep } from "node:path";
+
+const args = process.argv.slice(2);
+const opt = (flag, def = null) => {
+  const i = args.indexOf(flag);
+  return i >= 0 ? (args[i + 1] && !args[i + 1].startsWith("--") ? args[i + 1] : true) : def;
+};
+const ROOT = typeof opt("--root") === "string" ? opt("--root") : ".";
+const STRICT = !!opt("--strict", false);
+const JSON_OUT = !!opt("--json", false);
+const ALLOW_EMPTY = !!opt("--allow-empty", false);
+
+// Where skills/agents live in this repo.
+const SCAN_DIRS = [".github/skills", ".github/agents", "catalog"];
+// Markdown/JSON docs plus bundled executable helpers — dangerous shell often
+// lives in a skill's `scripts/*.sh`, not just its prose.
+const SCAN_EXT = [".md", ".json", ".sh", ".bash", ".zsh", ".py", ".ps1", ".mjs", ".cjs", ".js"];
+
+/** @type {{severity:'HIGH'|'MEDIUM'|'LOW',rule:string,file:string,line:number,match:string,why:string}[]} */
+const findings = [];
+
+const RULES = [
+  {
+    rule: "S001 remote-code-execution",
+    severity: "HIGH",
+    re: /\b(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?(ba)?sh\b/i,
+    why: "Pipes a downloaded script straight into a shell (untrusted remote code execution).",
+  },
+  {
+    rule: "S002 unpinned-remote-install",
+    severity: "MEDIUM",
+    re: /\bnpx\s+(?:-y\s+|--yes\s+)?(?!tsc\b|vitest\b|eslint\b)[a-z@][\w@/.-]*\s+add\b|\bnpm\s+i(nstall)?\s+(-g\s+)?https?:\/\//i,
+    why: "Installs/executes packages from an external source at runtime (supply-chain + untrusted install surface).",
+  },
+  {
+    rule: "S003 global-install",
+    severity: "LOW",
+    re: /\bnpm\s+i(nstall)?\s+-g\b|\bnpx\b[^\n]*\s-g\b/i,
+    why: "Global install persists tooling at user/system level.",
+  },
+  {
+    rule: "S004 prompt-injection-surface",
+    severity: "MEDIUM",
+    // Natural-language instruction, not a shell command — scan prose, not just code.
+    context: "prose",
+    re: /\b(fetch|read|download|ingest|browse)\b[^\n]*\b(untrusted|third-?party|user-generated|external (registry|source|content|repos?))\b/i,
+    why: "Fetches and may act on third-party/untrusted content — indirect prompt-injection risk (cf. Snyk W011).",
+  },
+  {
+    rule: "S005 credential-exfiltration",
+    severity: "HIGH",
+    // The token keyword may be a suffix/component of the var name
+    // (`$GITHUB_TOKEN`, `$NPM_TOKEN`, `$AWS_SECRET_ACCESS_KEY`), not just a prefix.
+    re: /\b(env|printenv|cat)\b[^\n]*\b(\.env|secret|token|api[_-]?key|password|credential)\b[^\n]*\|\s*(curl|wget|nc)\b|\b(curl|wget)\b[^\n]*\$\{?\s*[A-Z0-9_]*(SECRET|TOKEN|API[_-]?KEY|PASSWORD)/i,
+    why: "Reads secrets/credentials and sends them off the machine.",
+  },
+  {
+    rule: "S006 obfuscation",
+    severity: "MEDIUM",
+    re: /\bbase64\b\s+(-d|--decode)\b[^\n]*\|\s*(ba)?sh|\beval\b\s*\(|\bFunction\s*\(\s*['"`]/i,
+    why: "Decodes/evaluates hidden code at runtime (obfuscation).",
+  },
+  {
+    rule: "S007 destructive-shell",
+    severity: "HIGH",
+    // `chmod 777` and `chmod -R 777` (and `0777`) are all world-writable.
+    re: /\brm\s+-rf\s+[/~]|\bdd\s+if=|\bmkfs\b|\bchmod\s+(-R\s+)?0?777\b|>\s*\/dev\/sd/i,
+    why: "Destructive or overly-permissive filesystem operation.",
+  },
+];
+
+function walk(dir) {
+  let out = [];
+  let entries;
+  try {
+    entries = readdirSync(dir);
+  } catch {
+    return out; // dir may not exist in every repo
+  }
+  for (const name of entries) {
+    const p = join(dir, name);
+    let s;
+    try {
+      s = statSync(p);
+    } catch {
+      continue;
+    }
+    if (s.isDirectory()) out = out.concat(walk(p));
+    else if (SCAN_EXT.some((e) => name.endsWith(e))) out.push(p);
+  }
+  return out;
+}
+
+// Logical "code" lines for command-style rules:
+//   - Markdown (.md): only lines inside fenced code blocks (``` or ~~~), so
+//     documentation that merely *mentions* a dangerous command in prose can't
+//     trip a HIGH rule and block every PR.
+//   - Scripts/JSON: the whole file is code.
+// Backslash line-continuations are merged into one logical line so a command
+// wrapped across multiple lines can't slip past single-line regexes.
+function codeLines(text, file) {
+  const isMarkdown = file.endsWith(".md");
+  const raw = text.split(/\r?\n/);
+  const out = [];
+  let inFence = false;
+  let fenceChar = "";
+  for (let i = 0; i < raw.length; i++) {
+    let line = raw[i];
+    if (isMarkdown) {
+      const fence = line.match(/^\s*(`{3,}|~{3,})/);
+      if (fence) {
+        const ch = fence[1][0];
+        if (!inFence) {
+          inFence = true;
+          fenceChar = ch;
+        } else if (ch === fenceChar) {
+          inFence = false;
+        }
+        continue; // never scan the fence marker line itself
+      }
+      if (!inFence) continue; // skip prose
+    }
+    const startLine = i + 1;
+    while (/\\[ \t]*$/.test(line) && i + 1 < raw.length) {
+      i += 1;
+      line = line.replace(/\\[ \t]*$/, " ") + raw[i];
+    }
+    out.push({ line: startLine, text: line });
+  }
+  return out;
+}
+
+function scanFile(file) {
+  const rel = relative(ROOT, file).split(sep).join("/");
+  const text = readFileSync(file, "utf8");
+
+  // Frontmatter hygiene for SKILL.md
+  if (file.endsWith("SKILL.md")) {
+    const fmEnd = text.indexOf("\n---", 3);
+    const fm = text.startsWith("---") && fmEnd !== -1 ? text.slice(3, fmEnd) : "";
+    if (!/\bname\s*:/.test(fm))
+      findings.push({ severity: "MEDIUM", rule: "S100 missing-name", file: rel, line: 1, match: "frontmatter", why: "SKILL.md is missing a `name` in frontmatter." });
+    if (!/\bdescription\s*:/.test(fm))
+      findings.push({ severity: "MEDIUM", rule: "S101 missing-description", file: rel, line: 1, match: "frontmatter", why: "SKILL.md is missing a `description` in frontmatter." });
+  }
+
+  const push = (r, line, m) =>
+    findings.push({ severity: r.severity, rule: r.rule, file: rel, line, match: m[0].slice(0, 120), why: r.why });
+
+  // Command-style rules over code context (fenced blocks / whole scripts).
+  const cmdRules = RULES.filter((r) => r.context !== "prose");
+  for (const { line, text: lt } of codeLines(text, file)) {
+    for (const r of cmdRules) {
+      const m = r.re.exec(lt);
+      if (m) push(r, line, m);
+    }
+  }
+
+  // Prose rules (e.g. prompt-injection) scan the full natural-language text.
+  const proseRules = RULES.filter((r) => r.context === "prose");
+  if (proseRules.length) {
+    text.split(/\r?\n/).forEach((line, i) => {
+      for (const r of proseRules) {
+        const m = r.re.exec(line);
+        if (m) push(r, i + 1, m);
+      }
+    });
+  }
+}
+
+// Run
+const files = SCAN_DIRS.flatMap((d) => walk(join(ROOT, d)));
+files.forEach(scanFile);
+
+const counts = { HIGH: 0, MEDIUM: 0, LOW: 0 };
+findings.forEach((f) => (counts[f.severity] += 1));
+
+if (JSON_OUT) {
+  console.log(JSON.stringify({ scanned: files.length, counts, findings }, null, 2));
+} else {
+  const C = { HIGH: "\x1b[31m", MEDIUM: "\x1b[33m", LOW: "\x1b[36m", reset: "\x1b[0m" };
+  console.log(`\nskills-safety-scan — scanned ${files.length} file(s) in ${SCAN_DIRS.join(", ")}\n`);
+  if (findings.length === 0) {
+    console.log("  ✓ No issues found.\n");
+  } else {
+    for (const f of findings.sort((a, b) => ("HML".indexOf(a.severity[0]) - "HML".indexOf(b.severity[0])))) {
+      console.log(`  ${C[f.severity]}${f.severity}${C.reset} ${f.rule}`);
+      console.log(`    ${f.file}:${f.line}`);
+      console.log(`    match: ${f.match}`);
+      console.log(`    why:   ${f.why}\n`);
+    }
+  }
+  console.log(`Summary: ${counts.HIGH} high, ${counts.MEDIUM} medium, ${counts.LOW} low\n`);
+}
+
+// Scanning zero files almost always means the target moved (renamed skill dir,
+// wrong --root) rather than a clean repo — fail loudly instead of passing green.
+const emptyScan = files.length === 0 && !ALLOW_EMPTY;
+if (emptyScan) {
+  console.error(
+    `skills-safety-scan: ERROR — scanned 0 files under ${SCAN_DIRS.join(", ")}. ` +
+      `The scan target may have moved. Pass --allow-empty if this is intentional.`,
+  );
+}
+
+const fail = counts.HIGH > 0 || (STRICT && counts.MEDIUM > 0) || emptyScan;
+process.exit(fail ? 1 : 0);