@damian87/omp 0.17.0 → 0.19.0

package/.github/dependabot.yml

@@ -0,0 +1,42 @@
+version: 2
+updates:
+  # npm dependencies
+  - package-ecosystem: npm
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:00"
+      timezone: Europe/London
+    open-pull-requests-limit: 10
+    labels: ["dependencies"]
+    groups:
+      # Coupled peer pairs must upgrade together or npm hits ERESOLVE.
+      # Listed first so they take precedence over the type-based groups
+      # below, and intentionally unrestricted on update-types so majors
+      # (e.g. eslint 9->10) bump alongside their peers in one PR.
+      eslint:
+        patterns: ["eslint", "@eslint/*"]
+      vitest:
+        patterns: ["vitest", "@vitest/*"]
+      dev-dependencies:
+        dependency-type: development
+        update-types: ["minor", "patch"]
+      production-dependencies:
+        dependency-type: production
+        update-types: ["minor", "patch"]
+    commit-message:
+      prefix: "chore(deps)"
+      prefix-development: "chore(dev-deps)"
+
+  # GitHub Actions used in workflows
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:00"
+      timezone: Europe/London
+    labels: ["ci", "dependencies"]
+    commit-message:
+      prefix: "ci(actions)"

package/.github/skills/code-review/SKILL.md

@@ -17,13 +17,17 @@ Use `/code-review` before merge or final handoff.
 
 1. **Read the diff** — `git diff` for unstaged, `git diff --staged` for staged, or `git diff main...HEAD` for branch diff
 2. **Check for blockers** — bugs, logic errors, missing error handling, broken contracts
-3. **Check for security** — secrets in code, injection risks, auth gaps, unsafe defaults
+3. **Check for security** — secrets in code, injection risks, auth gaps, unsafe defaults, and
+   **data exposure / least privilege**: does the change return, log, or expose more than it
+   needs (PII, password hashes, `SELECT *`, tokens, internal fields)?
 4. **Check for regressions** — does the change break existing tests or documented behaviour?
 5. **Check for scope drift** — does the change do more or less than requested?
 6. **Run tests** if they exist and haven't been run
 
 ## Rules
 
+- **Don't stop at the first issue.** Once you find a blocker, keep scanning the whole change —
+  a serious bug (e.g. a data leak) often hides behind the obvious one. Review every line.
 - Only flag issues that genuinely matter — no style nits, no formatting opinions
 - If the code works, tests pass, and scope is right, say so clearly
 - Flag anything you'd reject in a PR review

package/.github/skills/debug/SKILL.md

@@ -17,7 +17,7 @@ Use `/debug` for broken, failing, slow, or confusing behavior.
 
 ## Steps (follow in order)
 
-1. **Reproduce** — get the failure to happen reliably. If you can't reproduce, that's important information.
+1. **Reproduce** — get the failure to happen reliably. If you can't reproduce, that's important information. For a web UI bug, use `/qa-browse` to drive the page and reproduce the broken flow.
 2. **Minimise** — find the smallest case that still fails. Strip away unrelated code/config.
 3. **Hypothesise** — form 2–3 ranked theories about the cause. Start with the most likely.
 4. **Inspect** — gather evidence for/against each hypothesis. Read code, add logging, check state.

package/.github/skills/qa-browse/SKILL.md

@@ -0,0 +1,125 @@
+---
+name: qa-browse
+description: Drive a real browser from the CLI to QA a flow — navigate, click, fill, verify. Uses @playwright/cli (token-efficient, not MCP). Use with /qa-browse when the user wants to manually check a web flow works, not write a test suite.
+argument-hint: "<url> <what to verify>"
+---
+
+# QA Browse — CLI browser driving with @playwright/cli
+
+`/qa-browse` opens a live browser via `@playwright/cli` (binary `playwright-cli`) and walks a flow to verify it works. No test files. No MCP. This is distinct from the standard Playwright CLI (`npx playwright`, used for test/codegen/show-trace).
+
+Engine: `@playwright/cli` (Microsoft). Snapshots live on disk, not in context — cheap tokens. Browser stays alive between commands.
+
+## Rules
+
+- If not installed globally, run via the scoped package: `npx @playwright/cli` (NOT `npx playwright-cli` — that resolves the unscoped name and fails with ENOTFOUND). Never assume global.
+- Loop: **snapshot → read refs → act → re-snapshot.** Always.
+- Refs (`e5`, `e12`) are valid only for the latest snapshot. Re-snapshot after any navigation/click that changes the page.
+- Headless by default. Add `--headed` only when a human must watch.
+- Prefer refs over CSS. Use `getByRole`/`getByText` selectors only if a ref isn't available.
+- Verify with `eval` or a snapshot of the result region — don't assume an action worked.
+- Screenshot on each pass/fail checkpoint so there's evidence.
+- `close` when done.
+
+## Setup
+
+```bash
+npm install -g @playwright/cli@latest   # or run ad-hoc: npx @playwright/cli
+playwright-cli install-browser chromium  # first run in a fresh env (NOT `install` — that inits a workspace)
+```
+
+## Core loop
+
+```bash
+playwright-cli open <url>        # open + navigate (prints a snapshot path)
+playwright-cli snapshot          # accessibility tree with refs → read it
+playwright-cli click e15         # act using a ref
+playwright-cli fill e5 "text"    # fill input (add --submit to press Enter)
+playwright-cli type "text"       # type into focused element
+playwright-cli press Enter       # key press
+playwright-cli snapshot          # re-snapshot to confirm new state
+playwright-cli screenshot        # evidence
+playwright-cli close
+```
+
+## Interact
+
+```bash
+playwright-cli click <ref> [button]     # left/right/middle
+playwright-cli dblclick <ref>
+playwright-cli fill <ref> <text> --submit
+playwright-cli select <ref> <value>     # dropdown
+playwright-cli check <ref> / uncheck <ref>
+playwright-cli hover <ref>
+playwright-cli drag <startRef> <endRef>
+playwright-cli upload ./file.pdf
+playwright-cli dialog-accept / dialog-dismiss
+```
+
+## Navigate
+
+```bash
+playwright-cli goto <url>
+playwright-cli go-back / go-forward / reload
+```
+
+## Inspect & verify
+
+```bash
+playwright-cli snapshot --depth=4          # shallow tree on big pages
+playwright-cli snapshot e34                 # drill into a subtree
+playwright-cli snapshot --raw | grep button # script-friendly
+playwright-cli eval "document.title"        # read page state
+playwright-cli eval "el => el.textContent" e5
+playwright-cli eval "el => el.getAttribute('data-testid')" e5
+playwright-cli console                       # console messages
+```
+
+## Evidence
+
+```bash
+playwright-cli screenshot --full-page        # full scrollable page (bare `screenshot` = current viewport)
+playwright-cli screenshot e5                 # one element
+playwright-cli screenshot --filename=step1.png
+playwright-cli video-start / video-stop
+playwright-cli tracing-start / tracing-stop  # record a trace; view it with: npx playwright show-trace <trace>
+playwright-cli pdf --filename=page.pdf
+```
+
+## Sessions
+
+State (cookies, localStorage) persists within a session across commands.
+
+```bash
+playwright-cli --session=qa open <url>       # named session
+playwright-cli -s=qa open <url> --persistent # save profile to disk
+playwright-cli list                          # running sessions
+playwright-cli show                          # live dashboard, take over mouse/kbd
+playwright-cli close-all / kill-all
+```
+
+## QA flow checklist
+
+1. `open <url>` → `snapshot`.
+2. For each step: find ref in snapshot → act → re-snapshot → verify expected element/text.
+3. `screenshot` at each checkpoint (pass and fail).
+4. On failure: `eval` the element, capture `console`, take a `--headed` re-run or trace.
+5. Report: what passed, what failed, with screenshot/snapshot paths. `close`.
+
+## Example — login flow
+
+```bash
+playwright-cli open https://app.example.com/login
+playwright-cli snapshot
+playwright-cli fill e1 "user@example.com"
+playwright-cli fill e2 "secret" --submit
+playwright-cli snapshot                       # expect dashboard
+playwright-cli eval "document.title"
+playwright-cli screenshot --filename=logged-in.png
+playwright-cli close
+```
+
+## When NOT to use
+
+- Want a saved, repeatable test suite → use `/tdd` or write `@playwright/test` specs.
+- Need long-running autonomous loops or persistent introspection → Playwright MCP may fit better.

package/.github/skills/ralplan/SKILL.md

@@ -19,7 +19,10 @@ Use `/ralplan` when the task needs planning before edits.
 2. **List implementation slices** in execution order — each slice should be independently verifiable
 3. **Define acceptance criteria** — what must be true when done
 4. **Define test shape** — which tests to write or run, what they cover
-5. **Call out risks** — what could go wrong, tradeoffs chosen, alternatives rejected
+5. **Call out risks** — what could go wrong, tradeoffs chosen, alternatives rejected. For any
+   auth, security, or data-handling feature, the plan **must** name the security specifics even
+   if the request didn't: secret/token **expiry**, **single-use / replay** protection, and
+   **enumeration / rate-limiting**. Leaving these implicit is how the plan ships a hole.
 6. **Stop at the plan** unless the user explicitly asked to implement
 
 ## Output

package/.github/skills/tdd/SKILL.md

@@ -13,15 +13,29 @@ Use `/tdd` when a change can be specified by tests.
 - The codebase has an existing test framework
 - You want to prove correctness incrementally
 
-## Loop (repeat until done)
-
-1. **Red** — write or identify a failing test that describes the desired behaviour
-2. **Green** — write the minimal code to make the test pass
-3. **Refactor** — clean up the code while keeping tests green
-4. **Run** — run the full related test suite to check for regressions
+## Loop (Canon TDD — repeat until the list is empty)
+
+0. **List first** — before writing any code, read the **full spec/docstring** and write a
+   **test list**: every scenario you need to cover. Don't start from the happy path — walk the
+   edge-case taxonomy against the spec and add a line for each that applies:
+   - **Boundary** — min/max, zero, empty, first/last, length limits, collapsing/trimming
+   - **Empty/Null** — `""`, `None`, empty collection, whitespace-only
+   - **Format** — **unicode / accented characters**, emoji, special chars, malformed input
+   - **Implicit** — anything the spec *implies* but the prompt didn't spell out
+   A requirement that appears in the spec but not your list is the bug you're about to ship.
+1. **Red** — turn **exactly one** list item into a concrete test with real **assertions**
+   (`assert`, `expect`, `self.assertEqual`); run it and watch it **fail for the right reason**.
+2. **Green** — write the minimal code to make that test (and all previous tests) pass.
+3. **Refactor** — clean up while tests stay green.
+4. **Repeat** — take the next list item; add new items as you discover them. Run the full
+   related suite at the end to check for regressions.
 
 ## Rules
 
+- Use **executable assertions** — a script that only prints results for a human to eyeball is
+  **not a test** and does not count as red-green. Every scenario on the list gets an assertion.
+- Work the **whole list**, not just the first case — the bugs hide in the edge cases the prompt
+  didn't spell out (unicode/accents, empty input, boundaries).
 - Test **behaviour** through public surfaces, not implementation details
 - Each test should describe one behaviour — name it clearly (e.g. "returns 404 when user not found")
 - Avoid brittle tests that break when implementation changes but behaviour doesn't
@@ -30,6 +44,7 @@ Use `/tdd` when a change can be specified by tests.
 
 ## Output
 
+- `Test list` — the scenarios you enumerated from the spec (incl. the edge cases)
 - `Tests written` — list of test names and what they cover
 - `Implementation` — what was changed to make tests pass
 - `Refactoring` — what was cleaned up

package/.github/skills/ultraqa/SKILL.md

@@ -54,7 +54,7 @@ Number every cycle explicitly: "Cycle 1", "Cycle 2", etc.
 
 ## Rules
 
-- Prefer runnable checks over inspection — run tests, don't just read code
+- Prefer runnable checks over inspection — run tests, don't just read code. For web UI flows, exercise the real page with `/qa-browse` rather than inspecting markup.
 - If tests don't exist, write minimal ones that cover the change
 - Route fixes back to `/ralph` or `/ultrawork` if they're substantial
 

package/.github/skills/verify/SKILL.md

@@ -20,7 +20,7 @@ Use `/verify` before saying done.
    - Tests: `npm test`, `pytest`, etc.
    - Build: does it compile/build without errors?
    - Lint: any new warnings?
-   - Behaviour: does the feature work as described?
+   - Behaviour: does the feature work as described? For web UI flows, use `/qa-browse` to drive the live page and capture snapshot/screenshot evidence.
 3. **Read outputs** — don't assume green means pass; read the actual results
 4. **Report honestly** — if there are gaps, say so
 

package/.github/workflows/ci.yml

@@ -0,0 +1,67 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+# Avoid piling up redundant runs on the same ref.
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+env:
+  # Hermetic runs — never auto-load a developer's ~/.omp/.env, never self-update.
+  OMP_SKIP_USER_ENV: "1"
+  OMP_NO_UPDATE_CHECK: "1"
+
+jobs:
+  build-test:
+    name: Build · Test · Lint (Node ${{ matrix.node }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        node: [20, 22]
+    steps:
+      - uses: actions/checkout@v7
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: ${{ matrix.node }}
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build (tsc)
+        run: npm run build
+
+      - name: Lint (eslint)
+        run: npm run lint
+
+      - name: Unit tests (vitest)
+        run: npm test
+
+  skills:
+    name: Validate skills & catalog
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v7
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 20
+          cache: npm
+      - run: npm ci
+
+      # Project's own validators.
+      - name: Lint skills (omp lint:skills)
+        run: npm run lint:skills
+
+      - name: Validate catalog
+        run: npm run check:catalog

package/.github/workflows/security.yml

@@ -0,0 +1,157 @@
+name: Security
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Weekly full scan (Mondays 06:17 UTC) to catch newly disclosed CVEs.
+    - cron: "17 6 * * 1"
+  workflow_dispatch:
+
+concurrency:
+  group: security-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+env:
+  OMP_SKIP_USER_ENV: "1"
+  OMP_NO_UPDATE_CHECK: "1"
+
+jobs:
+  # ── 1. Native, free, zero-secret baseline ─────────────────────────────
+  npm-audit:
+    name: npm audit (prod deps)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v7
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 20
+          cache: npm
+      - run: npm ci
+      # Fail only on HIGH/critical in production dependencies.
+      - name: npm audit (high+, prod only)
+        run: npm run audit:ci
+
+  skills-safety:
+    name: Skills safety scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v7
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 20
+      # No install needed — pure Node script over SKILL.md / agents / catalog.
+      - name: Static safety audit of skills & agents
+        run: node scripts/skills-safety-scan.mjs --root .
+
+  codeql:
+    name: CodeQL (JS/TS)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+    steps:
+      - uses: actions/checkout@v7
+      - uses: github/codeql-action/init@v4
+        with:
+          languages: javascript-typescript
+          queries: security-and-quality
+      - uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:javascript-typescript"
+
+  dependency-review:
+    name: Dependency review (PR only)
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v7
+      - uses: actions/dependency-review-action@v5
+        with:
+          fail-on-severity: high
+          comment-summary-in-pr: on-failure
+
+  # ── 2. Socket — supply-chain / malicious package detection ────────────
+  # Requires repo secret SOCKET_SECURITY_API_KEY (free at socket.dev).
+  socket:
+    name: Socket supply-chain scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v7
+      - name: Check for Socket token
+        id: gate
+        run: |
+          if [ -n "${{ secrets.SOCKET_SECURITY_API_KEY }}" ]; then
+            echo "enabled=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "enabled=false" >> "$GITHUB_OUTPUT"
+            echo "::notice title=Socket skipped::Set the SOCKET_SECURITY_API_KEY repo secret to enable Socket scanning."
+          fi
+      - uses: actions/setup-node@v6
+        if: steps.gate.outputs.enabled == 'true'
+        with:
+          node-version: 20
+      - name: Socket CLI scan
+        if: steps.gate.outputs.enabled == 'true'
+        env:
+          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
+        run: npx -y @socketsecurity/cli@latest scan create . --view --no-interactive
+
+  # ── 3. Snyk — dependency + code vulnerability scanning ────────────────
+  # Requires repo secret SNYK_TOKEN (free at snyk.io). Uploads SARIF to the
+  # GitHub Security tab.
+  snyk:
+    name: Snyk (deps + code)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v7
+      - name: Check for Snyk token
+        id: gate
+        run: |
+          if [ -n "${{ secrets.SNYK_TOKEN }}" ]; then
+            echo "enabled=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "enabled=false" >> "$GITHUB_OUTPUT"
+            echo "::notice title=Snyk skipped::Set the SNYK_TOKEN repo secret to enable Snyk scanning."
+          fi
+      - uses: actions/setup-node@v6
+        if: steps.gate.outputs.enabled == 'true'
+        with:
+          node-version: 20
+          cache: npm
+      - run: npm ci
+        if: steps.gate.outputs.enabled == 'true'
+
+      - name: Snyk Open Source (dependencies)
+        if: steps.gate.outputs.enabled == 'true'
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        run: npx -y snyk@latest test --severity-threshold=high --sarif-file-output=snyk-deps.sarif
+
+      - name: Snyk Code (SAST)
+        if: steps.gate.outputs.enabled == 'true'
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        run: npx -y snyk@latest code test --severity-threshold=high --sarif-file-output=snyk-code.sarif
+
+      - name: Upload Snyk results to GitHub Security
+        if: steps.gate.outputs.enabled == 'true'
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: .
+          category: snyk
+        continue-on-error: true

package/README.md

@@ -385,6 +385,7 @@ omp grows in vertical slices. Items aren't pinned to specific semver versions
 - [Jira adapter](docs/jira.md) — configuration discovery, safe operations, dry-runs, fallback payloads
 - [Self-evolve](docs/self-evolve.md) — extracting reusable skills from session transcripts
 - [Slack setup](docs/slack-setup.md) — Slack app manifest, scopes, Socket-Mode token, `omp gateway serve`
+- [Skill benchmark](benchmarks/skill-bench/README.md) — agentic benchmark that measures whether a skill actually beats *just telling the model* (baseline / one-line prompt / skill arms), with live Haiku 4.5 findings
 
 ## Layout
 
@@ -394,6 +395,7 @@ omp grows in vertical slices. Items aren't pinned to specific semver versions
 hooks/hooks.json                  # lifecycle hook manifest
 scripts/*.mjs                     # hook implementations
 src/                              # omp CLI, team runtime, gateway/comms, schedule, mode-state loops
+benchmarks/skill-bench/           # agentic benchmark: does a skill beat just telling the model?
 ```
 
 Skills follow the [Copilot agent-skills docs](https://docs.github.com/en/copilot) — project skills live in `.github/skills/` and are invoked with `/skill-name`.

package/dist/src/env/init.js

@@ -182,7 +182,7 @@ export async function runEnvInit(opts) {
     // no chance of stomping a pre-existing temp file with stale perms. The
     // final rename then atomically installs the 0o600 file into place.
     let tmpDir = null;
-    let tmpFile = null;
+    let tmpFile;
     try {
         tmpDir = mkdtempSync(join(dirname(path), ".env-init-"));
         tmpFile = join(tmpDir, "env");

package/dist/src/env/init.js.map

@@ -1 +1 @@
-{"version":3,"file":"init.js","sourceRoot":"","sources":["../../../src/env/init.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EACL,UAAU,EACV,SAAS,EACT,WAAW,EACX,YAAY,EACZ,UAAU,EACV,MAAM,EACN,QAAQ,EACR,aAAa,GACd,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AA4ChE,MAAM,gBAAgB,GAAG,OAAO,CAAC;AACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC;AAEjC,MAAM,aAAa,GAAG,4BAA4B,CAAC;AAEnD;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;CA2BtC,CAAC;AAEF,MAAM,WAAW,GAAG;IAClB,EAAE;IACF,mCAAmC;IACnC,EAAE;IACF,yEAAyE;IACzE,kEAAkE;IAClE,8DAA8D;IAC9D,EAAE;IACF,wEAAwE;IACxE,wEAAwE;IACxE,wEAAwE;IACxE,YAAY,aAAa,+CAA+C;IACxE,0BAA0B;IAC1B,uFAAuF;IACvF,kFAAkF;IAClF,mFAAmF;IACnF,EAAE;IACF,yDAAyD;IACzD,GAAG,uBAAuB,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC;IAChD,uBAAuB;IACvB,EAAE;IACF,wEAAwE;IACxE,wCAAwC;IACxC,wEAAwE;IACxE,wEAAwE;IACxE,4DAA4D;IAC5D,wEAAwE;IACxE,iDAAiD;IACjD,EAAE;IACF,oFAAoF;IACpF,EAAE;CACH,CAAC;AAEF;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,IAAiB;IAChD,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IACpC,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,IAAI,OAAO,EAAE,CAAC;IACvC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,eAAe,EAAE,gBAAgB,CAAC,CAAC;IAE3D,wEAAwE;IACxE,qEAAqE;IACrE,MAAM,WAAW,GAAG,CAAC,OAAO,CAAC;IAC7B,IAAI,WAAW,EAAE,CAAC;QAChB,KAAK,MAAM,IAAI,IAAI,WAAW;YAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACjD,CAAC;IAED,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAC/B,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,QAAQ,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;YAC1C,EAAE,CAAC,KAAK,CAAC,sBAAsB,IAAI,GAAG,CAAC,CAAC;YACxC,KAAK,MAAM,IAAI,IAAI,QAAQ;gBAAE,EAAE,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;YACnD,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YACb,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;YACpD,IAAI,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,KAAK,GAAG,EAAE,CAAC;gBACnD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,gCAAgC,EAAE,CAAC;YACvE,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,4CAA4C,EAAE,CAAC;QAC1F,CAAC;IACH,CAAC;IAED,MAAM,SAAS,GAAgB;QAC7B,aAAa,EAAE,EAAE;QACjB,aAAa,EAAE,EAAE;QACjB,kBAAkB,EAAE,EAAE;QACtB,iBAAiB,EAAE,EAAE;QACrB,gBAAgB,EAAE,EAAE;KACrB,CAAC;IAEF,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IACpC,CAAC;SAAM,CAAC;QACN,SAAS,CAAC,aAAa,GAAG,MAAM,cAAc,CAAC,EAAE,EAAE,iBAAiB,EAAE,gBAAgB,CAAC,CAAC;QACxF,SAAS,CAAC,aAAa,GAAG,MAAM,cAAc,CAAC,EAAE,EAAE,uBAAuB,EAAE,gBAAgB,CAAC,CAAC;QAC9F,SAAS,CAAC,kBAAkB,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,CAC1C,sDAAsD,CACvD,CAAC,IAAI,EAAE,CAAC;QACT,SAAS,CAAC,iBAAiB,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,CACzC,uEAAuE,CACxE,CAAC,IAAI,EAAE,CAAC;QACT,SAAS,CAAC,gBAAgB,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,CACxC,kFAAkF,CACnF,CAAC,IAAI,EAAE,CAAC;IACX,CAAC;IAED,uEAAuE;IACvE,yEAAyE;IACzE,sDAAsD;IACtD,MAAM,QAAQ,GAAG,SAAS,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC;IAChD,MAAM,QAAQ,GAAG,SAAS,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC;IAChD,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACxD,OAAO;YACL,EAAE,EAAE,KAAK;YACT,IAAI;YACJ,MAAM,EAAE,oDAAoD,gBAAgB,IAAI;SACjF,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACxD,OAAO;YACL,EAAE,EAAE,KAAK;YACT,IAAI;YACJ,MAAM,EAAE,0DAA0D,gBAAgB,IAAI;SACvF,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,SAAS,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;IACpD,MAAM,KAAK,GAAG,SAAS,CAAC,iBAAiB,CAAC,IAAI,EAAE,CAAC;IACjD,MAAM,WAAW,GAAG,SAAS,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC;IAEtD,uEAAuE;IACvE,qDAAqD;IACrD,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;QACzE,IAAI,CAAC,gBAAgB,CAAC,WAAW,CAAC,EAAE,CAAC;YACnC,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,IAAI;gBACJ,MAAM,EAAE,uBAAuB,WAAW,oFAAoF;aAC/H,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,aAAa,CAAC;QAC5B,QAAQ;QACR,QAAQ;QACR,OAAO,EAAE,OAAO,IAAI,SAAS;QAC7B,KAAK,EAAE,KAAK,IAAI,SAAS;QACzB,WAAW,EAAE,WAAW,IAAI,SAAS;KACtC,CAAC,CAAC;IAEH,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9C,4EAA4E;IAC5E,2EAA2E;IAC3E,0EAA0E;IAC1E,uEAAuE;IACvE,mEAAmE;IACnE,IAAI,MAAM,GAAkB,IAAI,CAAC;IACjC,IAAI,OAAO,GAAkB,IAAI,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,YAAY,CAAC,CAAC,CAAC;QACxD,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC9B,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;QACnE,mEAAmE;QACnE,+DAA+D;QAC/D,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjC,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC;YAC5C,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;gBACnB,MAAM,IAAI,KAAK,CAAC,qBAAqB,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC;YACzE,CAAC;QACH,CAAC;QACD,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,mBAAmB,IAAI,KAAK,GAAG,EAAE,EAAE,CAAC;IACxE,CAAC;YAAS,CAAC;QACT,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC;gBACH,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;YACnD,CAAC;YAAC,MAAM,CAAC;gBACP,iBAAiB;YACnB,CAAC;QACH,CAAC;IACH,CAAC;IAED,wEAAwE;IACxE,0EAA0E;IAC1E,2EAA2E;IAC3E,oDAAoD;IACpD,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC;IAEhD,IAAI,WAAW,EAAE,CAAC;QAChB,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACb,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,IAAI,eAAe,CAAC,CAAC,CAAC,SAAS,IAAI,GAAG,CAAC,CAAC;QACvE,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACb,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAClB,EAAE,CAAC,KAAK,CAAC,gEAAgE,CAAC,CAAC;QAC3E,EAAE,CAAC,KAAK,CAAC,wEAAwE,CAAC,CAAC;QACnF,EAAE,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAC;QAClE,EAAE,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;QAC5D,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACf,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AAC5B,CAAC;AAUD,SAAS,aAAa,CAAC,CAAe;IACpC,MAAM,KAAK,GAAa;QACtB,kEAAkE;QAClE,kEAAkE;QAClE,EAAE;QACF,mBAAmB,CAAC,CAAC,QAAQ,EAAE;QAC/B,mBAAmB,CAAC,CAAC,QAAQ,EAAE;KAChC,CAAC;IACF,IAAI,CAAC,CAAC,OAAO;QAAE,KAAK,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;IAC/D,IAAI,CAAC,CAAC,KAAK;QAAE,KAAK,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;IAC1D,IAAI,CAAC,CAAC,WAAW;QAAE,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IACrE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,EAAU,EAAE,KAAa,EAAE,MAAc;IACrE,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,CAAC,EAAE,OAAO,EAAE,EAAE,CAAC;QAC7C,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,iBAAiB,MAAM,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAClF,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;YAAE,OAAO,KAAK,CAAC;QAC3C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,EAAE,CAAC,KAAK,CAAC,KAAK,KAAK,eAAe,CAAC,CAAC;YACpC,SAAS;QACX,CAAC;QACD,EAAE,CAAC,KAAK,CAAC,8BAA8B,KAAK,CAAC,WAAW,EAAE,6BAA6B,MAAM,KAAK,CAAC,CAAC;IACtG,CAAC;IACD,0EAA0E;IAC1E,sCAAsC;IACtC,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,8EAA8E;AAC9E,SAAS,kBAAkB,CAAC,IAAY;IACtC,IAAI,CAAC;QACH,OAAO,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC;aAC9B,KAAK,CAAC,OAAO,CAAC;aACd,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;aACpD,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;YACZ,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAC5B,IAAI,CAAC,KAAK,CAAC,CAAC;gBAAE,OAAO,IAAI,CAAC;YAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC9B,OAAO,GAAG,GAAG,IAAI,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;QACpC,CAAC,CAAC,CAAC;IACP,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,gCAAgC,CAAC,CAAC;IAC5C,CAAC;AACH,CAAC;AAED,SAAS,SAAS,CAAC,CAAS;IAC1B,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACzB,IAAI,OAAO,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,MAAM,CAAC;IACvC,wEAAwE;IACxE,0CAA0C;IAC1C,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,MAAM,GAAG,SAAS,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACrE,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/B,OAAO,GAAG,MAAM,MAAM,IAAI,EAAE,CAAC;AAC/B,CAAC"}
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../../../src/env/init.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EACL,UAAU,EACV,SAAS,EACT,WAAW,EACX,YAAY,EACZ,UAAU,EACV,MAAM,EACN,QAAQ,EACR,aAAa,GACd,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AA4ChE,MAAM,gBAAgB,GAAG,OAAO,CAAC;AACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC;AAEjC,MAAM,aAAa,GAAG,4BAA4B,CAAC;AAEnD;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;CA2BtC,CAAC;AAEF,MAAM,WAAW,GAAG;IAClB,EAAE;IACF,mCAAmC;IACnC,EAAE;IACF,yEAAyE;IACzE,kEAAkE;IAClE,8DAA8D;IAC9D,EAAE;IACF,wEAAwE;IACxE,wEAAwE;IACxE,wEAAwE;IACxE,YAAY,aAAa,+CAA+C;IACxE,0BAA0B;IAC1B,uFAAuF;IACvF,kFAAkF;IAClF,mFAAmF;IACnF,EAAE;IACF,yDAAyD;IACzD,GAAG,uBAAuB,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC;IAChD,uBAAuB;IACvB,EAAE;IACF,wEAAwE;IACxE,wCAAwC;IACxC,wEAAwE;IACxE,wEAAwE;IACxE,4DAA4D;IAC5D,wEAAwE;IACxE,iDAAiD;IACjD,EAAE;IACF,oFAAoF;IACpF,EAAE;CACH,CAAC;AAEF;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,IAAiB;IAChD,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IACpC,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,IAAI,OAAO,EAAE,CAAC;IACvC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,eAAe,EAAE,gBAAgB,CAAC,CAAC;IAE3D,wEAAwE;IACxE,qEAAqE;IACrE,MAAM,WAAW,GAAG,CAAC,OAAO,CAAC;IAC7B,IAAI,WAAW,EAAE,CAAC;QAChB,KAAK,MAAM,IAAI,IAAI,WAAW;YAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACjD,CAAC;IAED,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAC/B,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,QAAQ,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;YAC1C,EAAE,CAAC,KAAK,CAAC,sBAAsB,IAAI,GAAG,CAAC,CAAC;YACxC,KAAK,MAAM,IAAI,IAAI,QAAQ;gBAAE,EAAE,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;YACnD,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YACb,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;YACpD,IAAI,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,KAAK,GAAG,EAAE,CAAC;gBACnD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,gCAAgC,EAAE,CAAC;YACvE,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,4CAA4C,EAAE,CAAC;QAC1F,CAAC;IACH,CAAC;IAED,MAAM,SAAS,GAAgB;QAC7B,aAAa,EAAE,EAAE;QACjB,aAAa,EAAE,EAAE;QACjB,kBAAkB,EAAE,EAAE;QACtB,iBAAiB,EAAE,EAAE;QACrB,gBAAgB,EAAE,EAAE;KACrB,CAAC;IAEF,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IACpC,CAAC;SAAM,CAAC;QACN,SAAS,CAAC,aAAa,GAAG,MAAM,cAAc,CAAC,EAAE,EAAE,iBAAiB,EAAE,gBAAgB,CAAC,CAAC;QACxF,SAAS,CAAC,aAAa,GAAG,MAAM,cAAc,CAAC,EAAE,EAAE,uBAAuB,EAAE,gBAAgB,CAAC,CAAC;QAC9F,SAAS,CAAC,kBAAkB,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,CAC1C,sDAAsD,CACvD,CAAC,IAAI,EAAE,CAAC;QACT,SAAS,CAAC,iBAAiB,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,CACzC,uEAAuE,CACxE,CAAC,IAAI,EAAE,CAAC;QACT,SAAS,CAAC,gBAAgB,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,CACxC,kFAAkF,CACnF,CAAC,IAAI,EAAE,CAAC;IACX,CAAC;IAED,uEAAuE;IACvE,yEAAyE;IACzE,sDAAsD;IACtD,MAAM,QAAQ,GAAG,SAAS,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC;IAChD,MAAM,QAAQ,GAAG,SAAS,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC;IAChD,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACxD,OAAO;YACL,EAAE,EAAE,KAAK;YACT,IAAI;YACJ,MAAM,EAAE,oDAAoD,gBAAgB,IAAI;SACjF,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACxD,OAAO;YACL,EAAE,EAAE,KAAK;YACT,IAAI;YACJ,MAAM,EAAE,0DAA0D,gBAAgB,IAAI;SACvF,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,SAAS,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;IACpD,MAAM,KAAK,GAAG,SAAS,CAAC,iBAAiB,CAAC,IAAI,EAAE,CAAC;IACjD,MAAM,WAAW,GAAG,SAAS,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC;IAEtD,uEAAuE;IACvE,qDAAqD;IACrD,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;QACzE,IAAI,CAAC,gBAAgB,CAAC,WAAW,CAAC,EAAE,CAAC;YACnC,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,IAAI;gBACJ,MAAM,EAAE,uBAAuB,WAAW,oFAAoF;aAC/H,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,aAAa,CAAC;QAC5B,QAAQ;QACR,QAAQ;QACR,OAAO,EAAE,OAAO,IAAI,SAAS;QAC7B,KAAK,EAAE,KAAK,IAAI,SAAS;QACzB,WAAW,EAAE,WAAW,IAAI,SAAS;KACtC,CAAC,CAAC;IAEH,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9C,4EAA4E;IAC5E,2EAA2E;IAC3E,0EAA0E;IAC1E,uEAAuE;IACvE,mEAAmE;IACnE,IAAI,MAAM,GAAkB,IAAI,CAAC;IACjC,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,YAAY,CAAC,CAAC,CAAC;QACxD,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC9B,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;QACnE,mEAAmE;QACnE,+DAA+D;QAC/D,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjC,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC;YAC5C,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;gBACnB,MAAM,IAAI,KAAK,CAAC,qBAAqB,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC;YACzE,CAAC;QACH,CAAC;QACD,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,mBAAmB,IAAI,KAAK,GAAG,EAAE,EAAE,CAAC;IACxE,CAAC;YAAS,CAAC;QACT,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC;gBACH,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;YACnD,CAAC;YAAC,MAAM,CAAC;gBACP,iBAAiB;YACnB,CAAC;QACH,CAAC;IACH,CAAC;IAED,wEAAwE;IACxE,0EAA0E;IAC1E,2EAA2E;IAC3E,oDAAoD;IACpD,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC;IAEhD,IAAI,WAAW,EAAE,CAAC;QAChB,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACb,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,IAAI,eAAe,CAAC,CAAC,CAAC,SAAS,IAAI,GAAG,CAAC,CAAC;QACvE,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACb,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAClB,EAAE,CAAC,KAAK,CAAC,gEAAgE,CAAC,CAAC;QAC3E,EAAE,CAAC,KAAK,CAAC,wEAAwE,CAAC,CAAC;QACnF,EAAE,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAC;QAClE,EAAE,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;QAC5D,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACf,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AAC5B,CAAC;AAUD,SAAS,aAAa,CAAC,CAAe;IACpC,MAAM,KAAK,GAAa;QACtB,kEAAkE;QAClE,kEAAkE;QAClE,EAAE;QACF,mBAAmB,CAAC,CAAC,QAAQ,EAAE;QAC/B,mBAAmB,CAAC,CAAC,QAAQ,EAAE;KAChC,CAAC;IACF,IAAI,CAAC,CAAC,OAAO;QAAE,KAAK,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;IAC/D,IAAI,CAAC,CAAC,KAAK;QAAE,KAAK,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;IAC1D,IAAI,CAAC,CAAC,WAAW;QAAE,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IACrE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,EAAU,EAAE,KAAa,EAAE,MAAc;IACrE,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,CAAC,EAAE,OAAO,EAAE,EAAE,CAAC;QAC7C,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,iBAAiB,MAAM,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAClF,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;YAAE,OAAO,KAAK,CAAC;QAC3C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,EAAE,CAAC,KAAK,CAAC,KAAK,KAAK,eAAe,CAAC,CAAC;YACpC,SAAS;QACX,CAAC;QACD,EAAE,CAAC,KAAK,CAAC,8BAA8B,KAAK,CAAC,WAAW,EAAE,6BAA6B,MAAM,KAAK,CAAC,CAAC;IACtG,CAAC;IACD,0EAA0E;IAC1E,sCAAsC;IACtC,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,8EAA8E;AAC9E,SAAS,kBAAkB,CAAC,IAAY;IACtC,IAAI,CAAC;QACH,OAAO,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC;aAC9B,KAAK,CAAC,OAAO,CAAC;aACd,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;aACpD,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;YACZ,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAC5B,IAAI,CAAC,KAAK,CAAC,CAAC;gBAAE,OAAO,IAAI,CAAC;YAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC9B,OAAO,GAAG,GAAG,IAAI,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;QACpC,CAAC,CAAC,CAAC;IACP,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,gCAAgC,CAAC,CAAC;IAC5C,CAAC;AACH,CAAC;AAED,SAAS,SAAS,CAAC,CAAS;IAC1B,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACzB,IAAI,OAAO,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,MAAM,CAAC;IACvC,wEAAwE;IACxE,0CAA0C;IAC1C,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,MAAM,GAAG,SAAS,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACrE,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/B,OAAO,GAAG,MAAM,MAAM,IAAI,EAAE,CAAC;AAC/B,CAAC"}

package/dist/src/memory-review/transcript.js

@@ -197,7 +197,7 @@ export function readSessionTranscript(uuid, options = {}) {
     const path = sessionEventsPath(uuid, options.sessionStateDir);
     if (!existsSync(path))
         return [];
-    let raw = "";
+    let raw;
     try {
         raw = readTail(path, maxBytes);
     }

package/dist/src/memory-review/transcript.js.map

@@ -1 +1 @@
-{"version":3,"file":"transcript.js","sourceRoot":"","sources":["../../../src/memory-review/transcript.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC3F,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AA0BjC,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;AACjD,gFAAgF;AAChF,gFAAgF;AAChF,+EAA+E;AAC/E,MAAM,CAAC,MAAM,oBAAoB,GAAG,GAAG,CAAC;AAExC,+EAA+E;AAC/E,gFAAgF;AAChF,yCAAyC;AACzC,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAC3C,OAAO,CACL,OAAO,IAAI,KAAK,QAAQ;QACxB,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC;QAC9B,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;QACpB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,mEAAmE;KAC7F,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,IAAY,EAAE,IAAa;IAC3D,MAAM,IAAI,GAAG,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC;IAClE,OAAO,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;AAC1C,CAAC;AAED;mEACmE;AACnE,MAAM,UAAU,eAAe,CAAC,IAAa;IAC3C,MAAM,IAAI,GAAG,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC;IAClE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,IAAI,GAAkB,IAAI,CAAC;IAC/B,IAAI,SAAS,GAAG,CAAC,CAAC,CAAC;IACnB,KAAK,MAAM,IAAI,IAAI,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC;QACrC,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;YACtC,IAAI,EAAE,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC,OAAO,GAAG,SAAS,EAAE,CAAC;gBAC/C,SAAS,GAAG,EAAE,CAAC,OAAO,CAAC;gBACvB,IAAI,GAAG,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,0BAA0B;QAC5B,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,kFAAkF;AAClF,MAAM,UAAU,cAAc,CAAC,IAAa;IAC1C,MAAM,IAAI,GAAG,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC;IAClE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IACjC,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;QACvC,IAAI,CAAC;YACH,OAAO,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;4DAE4D;AAC5D,MAAM,UAAU,kBAAkB,CAAC,MAAgB,EAAE,IAAa;IAChE,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IAC7B,MAAM,KAAK,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;IACjE,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IACxC,MAAM,IAAI,GAAG,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC;IAClE,IAAI,IAAI,GAAkB,IAAI,CAAC;IAC/B,IAAI,SAAS,GAAG,CAAC,CAAC,CAAC;IACnB,KAAK,MAAM,EAAE,IAAI,KAAK,EAAE,CAAC;QACvB,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;YAC3C,IAAI,CAAC,GAAG,SAAS,EAAE,CAAC;gBAClB,SAAS,GAAG,CAAC,CAAC;gBACd,IAAI,GAAG,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,kBAAkB;QACpB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,QAAQ,CAAC,IAAY,EAAE,QAAgB;IAC9C,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC;IACjC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,GAAG,QAAQ,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,IAAI,GAAG,KAAK,CAAC;IACzB,MAAM,EAAE,GAAG,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC/B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC9B,QAAQ,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QACjC,OAAO,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC;YAAS,CAAC;QACT,SAAS,CAAC,EAAE,CAAC,CAAC;IAChB,CAAC;AACH,CAAC;AAED,2EAA2E;AAC3E,+EAA+E;AAC/E,gFAAgF;AAChF,iFAAiF;AACjF,SAAS,qBAAqB,CAAC,YAAqB;IAClD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACzE,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;QAC7B,IAAI,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,SAAS;QAC1C,MAAM,EAAE,GAAG,CAAwE,CAAC;QACpF,MAAM,IAAI,GAAG,OAAO,EAAE,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC;QAC5D,MAAM,IAAI,GAAG,EAAE,CAAC,SAAS,IAAI,OAAO,EAAE,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAE,EAAE,CAAC,SAAqC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/G,MAAM,MAAM,GACV,CAAC,OAAO,EAAE,CAAC,gBAAgB,KAAK,QAAQ,IAAI,EAAE,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC;YACvE,CAAC,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,IAAI,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;YACjE,CAAC,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YACzD,EAAE,CAAC;QACL,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,IAAI,KAAK,MAAM,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;AAC5D,CAAC;AAED,SAAS,WAAW,CAAC,OAAgB;IACnC,IAAI,OAAO,OAAO,KAAK,QAAQ;QAAE,OAAO,OAAO,CAAC;IAChD,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3B,OAAO,OAAO;aACX,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;YACZ,IAAI,OAAO,IAAI,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YAC1C,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,OAAQ,IAA2B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC9F,OAAQ,IAAyB,CAAC,IAAI,CAAC;YACzC,CAAC;YACD,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC;aACD,MAAM,CAAC,OAAO,CAAC;aACf,IAAI,CAAC,IAAI,CAAC,CAAC;IAChB,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,MAAM,QAAQ,GAAwB,EAAE,CAAC;IACzC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,IAAI,GAAwC,CAAC;QAC7C,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACnC,GAAG,GAAG,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,SAAS,CAAC,kDAAkD;QAC9D,CAAC;QACD,IAAI,CAAC,GAAG;YAAE,SAAS;QAEnB,iFAAiF;QACjF,0EAA0E;QAC1E,2EAA2E;QAC3E,yEAAyE;QACzE,MAAM,IAAI,GAAG,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1D,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAA4B,CAAC;QAEnG,IAAI,IAAY,CAAC;QACjB,IAAI,OAAgB,CAAC;QACrB,IAAI,WAAW,GAAG,EAAE,CAAC;QACrB,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,IAAI,GAAG,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;YACrF,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;YACvB,yEAAyE;YACzE,2EAA2E;YAC3E,IAAI,IAAI,KAAK,WAAW;gBAAE,WAAW,GAAG,qBAAqB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACnF,CAAC;aAAM,IAAI,IAAI,EAAE,CAAC;YAChB,SAAS,CAAC,6DAA6D;QACzE,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAA4B,CAAC;YAC/D,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,IAAI,SAAS,CAAC,CAAC;YACrD,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,IAAI,CAAC;QACvD,CAAC;QAED,2EAA2E;QAC3E,IAAI,IAAI,KAAK,QAAQ;YAAE,SAAS;QAEhC,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QACzC,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5D,IAAI,IAAI,EAAE,CAAC;YACT,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,IAAY,EACZ,UAAiC,EAAE;IAEnC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IACvC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,iBAAiB,CAAC;IACvD,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,oBAAoB,CAAC;IAChE,MAAM,IAAI,GAAG,iBAAiB,CAAC,IAAI,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IAC9D,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IACjC,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,GAAG,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACjC,8EAA8E;IAC9E,8DAA8D;IAC9D,OAAO,GAAG,CAAC,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;AAC9E,CAAC"}
+{"version":3,"file":"transcript.js","sourceRoot":"","sources":["../../../src/memory-review/transcript.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC3F,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AA0BjC,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;AACjD,gFAAgF;AAChF,gFAAgF;AAChF,+EAA+E;AAC/E,MAAM,CAAC,MAAM,oBAAoB,GAAG,GAAG,CAAC;AAExC,+EAA+E;AAC/E,gFAAgF;AAChF,yCAAyC;AACzC,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAC3C,OAAO,CACL,OAAO,IAAI,KAAK,QAAQ;QACxB,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC;QAC9B,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;QACpB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,mEAAmE;KAC7F,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,IAAY,EAAE,IAAa;IAC3D,MAAM,IAAI,GAAG,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC;IAClE,OAAO,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;AAC1C,CAAC;AAED;mEACmE;AACnE,MAAM,UAAU,eAAe,CAAC,IAAa;IAC3C,MAAM,IAAI,GAAG,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC;IAClE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,IAAI,GAAkB,IAAI,CAAC;IAC/B,IAAI,SAAS,GAAG,CAAC,CAAC,CAAC;IACnB,KAAK,MAAM,IAAI,IAAI,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC;QACrC,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;YACtC,IAAI,EAAE,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC,OAAO,GAAG,SAAS,EAAE,CAAC;gBAC/C,SAAS,GAAG,EAAE,CAAC,OAAO,CAAC;gBACvB,IAAI,GAAG,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,0BAA0B;QAC5B,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,kFAAkF;AAClF,MAAM,UAAU,cAAc,CAAC,IAAa;IAC1C,MAAM,IAAI,GAAG,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC;IAClE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IACjC,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;QACvC,IAAI,CAAC;YACH,OAAO,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;4DAE4D;AAC5D,MAAM,UAAU,kBAAkB,CAAC,MAAgB,EAAE,IAAa;IAChE,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IAC7B,MAAM,KAAK,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;IACjE,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IACxC,MAAM,IAAI,GAAG,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC;IAClE,IAAI,IAAI,GAAkB,IAAI,CAAC;IAC/B,IAAI,SAAS,GAAG,CAAC,CAAC,CAAC;IACnB,KAAK,MAAM,EAAE,IAAI,KAAK,EAAE,CAAC;QACvB,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;YAC3C,IAAI,CAAC,GAAG,SAAS,EAAE,CAAC;gBAClB,SAAS,GAAG,CAAC,CAAC;gBACd,IAAI,GAAG,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,kBAAkB;QACpB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,QAAQ,CAAC,IAAY,EAAE,QAAgB;IAC9C,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC;IACjC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,GAAG,QAAQ,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,IAAI,GAAG,KAAK,CAAC;IACzB,MAAM,EAAE,GAAG,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC/B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC9B,QAAQ,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QACjC,OAAO,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC;YAAS,CAAC;QACT,SAAS,CAAC,EAAE,CAAC,CAAC;IAChB,CAAC;AACH,CAAC;AAED,2EAA2E;AAC3E,+EAA+E;AAC/E,gFAAgF;AAChF,iFAAiF;AACjF,SAAS,qBAAqB,CAAC,YAAqB;IAClD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACzE,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;QAC7B,IAAI,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,SAAS;QAC1C,MAAM,EAAE,GAAG,CAAwE,CAAC;QACpF,MAAM,IAAI,GAAG,OAAO,EAAE,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC;QAC5D,MAAM,IAAI,GAAG,EAAE,CAAC,SAAS,IAAI,OAAO,EAAE,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAE,EAAE,CAAC,SAAqC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/G,MAAM,MAAM,GACV,CAAC,OAAO,EAAE,CAAC,gBAAgB,KAAK,QAAQ,IAAI,EAAE,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC;YACvE,CAAC,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,IAAI,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;YACjE,CAAC,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YACzD,EAAE,CAAC;QACL,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,IAAI,KAAK,MAAM,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;AAC5D,CAAC;AAED,SAAS,WAAW,CAAC,OAAgB;IACnC,IAAI,OAAO,OAAO,KAAK,QAAQ;QAAE,OAAO,OAAO,CAAC;IAChD,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3B,OAAO,OAAO;aACX,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;YACZ,IAAI,OAAO,IAAI,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YAC1C,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,OAAQ,IAA2B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC9F,OAAQ,IAAyB,CAAC,IAAI,CAAC;YACzC,CAAC;YACD,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC;aACD,MAAM,CAAC,OAAO,CAAC;aACf,IAAI,CAAC,IAAI,CAAC,CAAC;IAChB,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,MAAM,QAAQ,GAAwB,EAAE,CAAC;IACzC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,IAAI,GAAwC,CAAC;QAC7C,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACnC,GAAG,GAAG,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,SAAS,CAAC,kDAAkD;QAC9D,CAAC;QACD,IAAI,CAAC,GAAG;YAAE,SAAS;QAEnB,iFAAiF;QACjF,0EAA0E;QAC1E,2EAA2E;QAC3E,yEAAyE;QACzE,MAAM,IAAI,GAAG,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1D,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAA4B,CAAC;QAEnG,IAAI,IAAY,CAAC;QACjB,IAAI,OAAgB,CAAC;QACrB,IAAI,WAAW,GAAG,EAAE,CAAC;QACrB,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,IAAI,GAAG,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;YACrF,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;YACvB,yEAAyE;YACzE,2EAA2E;YAC3E,IAAI,IAAI,KAAK,WAAW;gBAAE,WAAW,GAAG,qBAAqB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACnF,CAAC;aAAM,IAAI,IAAI,EAAE,CAAC;YAChB,SAAS,CAAC,6DAA6D;QACzE,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAA4B,CAAC;YAC/D,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,IAAI,SAAS,CAAC,CAAC;YACrD,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,IAAI,CAAC;QACvD,CAAC;QAED,2EAA2E;QAC3E,IAAI,IAAI,KAAK,QAAQ;YAAE,SAAS;QAEhC,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QACzC,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5D,IAAI,IAAI,EAAE,CAAC;YACT,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,IAAY,EACZ,UAAiC,EAAE;IAEnC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IACvC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,iBAAiB,CAAC;IACvD,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,oBAAoB,CAAC;IAChE,MAAM,IAAI,GAAG,iBAAiB,CAAC,IAAI,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IAC9D,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IACjC,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,GAAG,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACjC,8EAA8E;IAC9E,8DAA8D;IAC9D,OAAO,GAAG,CAAC,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;AAC9E,CAAC"}

package/docs/security-pipeline.md

@@ -0,0 +1,101 @@
+# Security & quality pipeline
+
+This repo ships two GitHub Actions workflows plus Dependabot. Together they cover
+dependency vulnerabilities, supply-chain/malicious-package risk, static code
+analysis, and **AI-skill-specific safety** (the same classes of issue that the
+[skills.sh](https://www.skills.sh) audits — Agent Trust Hub, Socket, Snyk —
+flag for Agent Skills).
+
+## Workflows
+
+### `.github/workflows/ci.yml` — build, test, lint, skills validation
+
+| Job | What it runs |
+| --- | --- |
+| `build-test` | `npm ci` → `npm run build` (tsc) → `npm run lint` (eslint) → `npm test` (vitest), on Node 20 & 22 |
+| `skills` | `npm run lint:skills` (omp's own validator) + `npm run check:catalog` |
+
+### `.github/workflows/security.yml` — security scanners
+
+| Job | Tool | Secret required | Gate |
+| --- | --- | --- | --- |
+| `npm-audit` | `npm audit` | none | fails on **high+** in **production** deps |
+| `skills-safety` | `scripts/skills-safety-scan.mjs` | none | fails on any **HIGH** finding |
+| `codeql` | GitHub CodeQL (JS/TS) | none | results in Security tab |
+| `dependency-review` | GitHub Dependency Review | none (PRs only) | fails on **high** severity |
+| `socket` | Socket CLI | `SOCKET_SECURITY_API_KEY` | skipped if secret unset |
+| `snyk` | Snyk Open Source + Snyk Code | `SNYK_TOKEN` | SARIF → Security tab |
+
+Runs on every push/PR to `main`, plus a weekly scheduled full scan (Mondays).
+Socket and Snyk jobs **self-skip with a notice** if their secret isn't set, so
+the pipeline is green out of the box and lights up as you add tokens.
+
+## Required secrets (optional but recommended)
+
+Add these under **Settings → Secrets and variables → Actions → New repository secret**:
+
+| Secret | Where to get it | Free tier |
+| --- | --- | --- |
+| `SNYK_TOKEN` | [snyk.io](https://snyk.io) → Account settings → Auth Token | Yes |
+| `SOCKET_SECURITY_API_KEY` | [socket.dev](https://socket.dev) → Settings → API Tokens | Yes |
+
+`GITHUB_TOKEN` is provided automatically — no setup needed for CodeQL,
+Dependency Review, or SARIF upload.
+
+## GitHub repo settings to flip on (one-time, free)
+
+These complement the workflows and live in **Settings → Code security**:
+
+- **Dependabot alerts** + **security updates** — `.github/dependabot.yml` already
+  schedules weekly version bumps for npm and Actions.
+- **Secret scanning** + **push protection** — blocks committed credentials.
+- **Code scanning** — surfaces CodeQL/Snyk SARIF in the Security tab.
+
+## The skills safety scanner
+
+`scripts/skills-safety-scan.mjs` statically audits `.github/skills/**`,
+`.github/agents/**`, and `catalog/**` — including SKILL.md docs and bundled
+helper scripts (`*.sh`, `*.py`, `*.mjs`, …) — for the risk classes those
+external audits care about. To avoid false positives on documentation, the
+command-style rules (S001–S003, S005–S007) only match inside fenced code blocks
+in markdown (and the full body of script files); only the prompt-injection rule
+(S004) scans prose. Multi-line commands joined with `\` are merged before
+matching so a wrapped `curl … | sh` can't slip through.
+
+| Rule | Severity | Detects |
+| --- | --- | --- |
+| S001 | HIGH | `curl … | sh` remote code execution |
+| S002 | MEDIUM | Unpinned remote install / `npx <pkg> add` |
+| S003 | LOW | Global `-g` installs |
+| S004 | MEDIUM | Indirect prompt-injection surface (fetch + act on untrusted/third-party content — cf. Snyk W011) |
+| S005 | HIGH | Credential/secret exfiltration |
+| S006 | MEDIUM | Obfuscation (`base64 -d | sh`, `eval(`, `Function(`) |
+| S007 | HIGH | Destructive shell (`rm -rf /`, `dd`, `mkfs`, `chmod 777`) |
+| S100/S101 | MEDIUM | SKILL.md missing `name` / `description` frontmatter |
+
+Run locally:
+
+```bash
+npm run scan:skills                              # human-readable, fails on HIGH
+node scripts/skills-safety-scan.mjs --json       # machine-readable
+node scripts/skills-safety-scan.mjs --strict     # also fail on MEDIUM
+node scripts/skills-safety-scan.mjs --allow-empty # don't fail when no skills exist
+```
+
+## Local commands
+
+```bash
+npm run lint          # eslint over src + scripts
+npm run lint:fix      # auto-fix
+npm run lint:skills   # omp's own SKILL.md validator
+npm run check:catalog # catalog schema validation
+npm run scan:skills   # AI-skill safety scan
+npm run audit:ci      # prod-dep vulnerability gate (high+)
+```
+
+## Notes
+
+- ESLint is scoped to `src/**` and `scripts/**`. Tests (`test/**`) are covered
+  by vitest and kept out of the lint gate to avoid a large up-front refactor.
+- `npm audit` gates on **production** dependencies only (`--omit=dev`); dev-only
+  vulns (vitest, vite, etc.) are handled by Dependabot PRs rather than blocking CI.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@damian87/omp",
-  "version": "0.17.0",
+  "version": "0.19.0",
   "description": "Multi-agent orchestration for GitHub Copilot CLI — autonomous loops (Autopilot, Ralph, UltraQA, Ultrawork), parallel tmux agent teams, a weighted-consensus model council, a Slack chat bridge, durable scheduled jobs, and in-session skills + custom agents. Zero learning curve.",
   "type": "module",
   "publishConfig": {
@@ -30,7 +30,11 @@
     "catalog:list": "npm run build && node dist/src/cli.js catalog list",
     "project:inspect": "npm run build && node dist/src/cli.js project inspect",
     "test": "vitest run",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
     "lint:skills": "npm run build && node dist/src/cli.js lint:skills --root .",
+    "scan:skills": "node scripts/skills-safety-scan.mjs --root .",
+    "audit:ci": "npm audit --audit-level=high --omit=dev",
     "sync:dry-run": "npm run build && node dist/src/cli.js sync:dry-run --root .",
     "jira:dry-run": "npm run build && node dist/src/cli.js jira:dry-run --root .",
     "omp:version": "npm run build && node dist/src/cli.js version",
@@ -57,12 +61,15 @@
     "node": ">=20"
   },
   "devDependencies": {
-    "@types/node": "^22.15.29",
+    "@eslint/js": "^10.0.1",
+    "eslint": "^10.5.0",
+    "typescript-eslint": "^8.11.0",
+    "@types/node": "^26.0.1",
     "@types/node-notifier": "^8.0.5",
-    "@vitest/coverage-v8": "^3.2.4",
-    "tsx": "^4.19.4",
-    "typescript": "^5.8.3",
-    "vitest": "^3.1.4"
+    "@vitest/coverage-v8": "^4.1.9",
+    "tsx": "^4.22.4",
+    "typescript": "^6.0.3",
+    "vitest": "^4.1.9"
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.29.0",

package/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "oh-my-copilot",
   "description": "Multi-agent orchestration skills for GitHub Copilot CLI — autopilot, ralph, ultrawork, ultraqa, team, council, code-review and more as in-session slash skills + custom agents.",
-  "version": "0.17.0",
+  "version": "0.19.0",
   "author": {
     "name": "Damian Borek",
     "email": "borekdamian@yahoo.pl"

package/scripts/skills-safety-scan.mjs

@@ -0,0 +1,231 @@
+#!/usr/bin/env node
+/**
+ * skills-safety-scan — static safety audit for Agent Skills (SKILL.md) and agents.
+ *
+ * Mirrors the kinds of issues that Agent Trust Hub / Socket / Snyk flag for
+ * AI skills (see skills.sh audits), but runs locally with no network and no
+ * secrets so it can gate every PR:
+ *
+ *   - Untrusted install / remote-code execution surfaces (curl | sh, npx <pkg>, -g, npm i remote)
+ *   - Indirect prompt-injection surfaces (fetching + acting on third-party/user content)
+ *   - Credential / secret exfiltration patterns
+ *   - Obfuscation (base64 decode + exec, eval, large encoded blobs)
+ *   - Destructive shell (rm -rf, dd, mkfs, chmod 777)
+ *   - Frontmatter hygiene (missing name/description)
+ *
+ * Exit codes:
+ *   0 = no HIGH findings (warnings allowed)
+ *   1 = at least one HIGH finding, with --strict any MEDIUM finding, or no files
+ *       scanned (target moved) unless --allow-empty is passed
+ *
+ * Usage:
+ *   node scripts/skills-safety-scan.mjs [--root .] [--strict] [--json] [--allow-empty]
+ */
+import { readFileSync, readdirSync, statSync } from "node:fs";
+import { join, relative, sep } from "node:path";
+
+const args = process.argv.slice(2);
+const opt = (flag, def = null) => {
+  const i = args.indexOf(flag);
+  return i >= 0 ? (args[i + 1] && !args[i + 1].startsWith("--") ? args[i + 1] : true) : def;
+};
+const ROOT = typeof opt("--root") === "string" ? opt("--root") : ".";
+const STRICT = !!opt("--strict", false);
+const JSON_OUT = !!opt("--json", false);
+const ALLOW_EMPTY = !!opt("--allow-empty", false);
+
+// Where skills/agents live in this repo.
+const SCAN_DIRS = [".github/skills", ".github/agents", "catalog"];
+// Markdown/JSON docs plus bundled executable helpers — dangerous shell often
+// lives in a skill's `scripts/*.sh`, not just its prose.
+const SCAN_EXT = [".md", ".json", ".sh", ".bash", ".zsh", ".py", ".ps1", ".mjs", ".cjs", ".js"];
+
+/** @type {{severity:'HIGH'|'MEDIUM'|'LOW',rule:string,file:string,line:number,match:string,why:string}[]} */
+const findings = [];
+
+const RULES = [
+  {
+    rule: "S001 remote-code-execution",
+    severity: "HIGH",
+    re: /\b(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?(ba)?sh\b/i,
+    why: "Pipes a downloaded script straight into a shell (untrusted remote code execution).",
+  },
+  {
+    rule: "S002 unpinned-remote-install",
+    severity: "MEDIUM",
+    re: /\bnpx\s+(?:-y\s+|--yes\s+)?(?!tsc\b|vitest\b|eslint\b)[a-z@][\w@/.-]*\s+add\b|\bnpm\s+i(nstall)?\s+(-g\s+)?https?:\/\//i,
+    why: "Installs/executes packages from an external source at runtime (supply-chain + untrusted install surface).",
+  },
+  {
+    rule: "S003 global-install",
+    severity: "LOW",
+    re: /\bnpm\s+i(nstall)?\s+-g\b|\bnpx\b[^\n]*\s-g\b/i,
+    why: "Global install persists tooling at user/system level.",
+  },
+  {
+    rule: "S004 prompt-injection-surface",
+    severity: "MEDIUM",
+    // Natural-language instruction, not a shell command — scan prose, not just code.
+    context: "prose",
+    re: /\b(fetch|read|download|ingest|browse)\b[^\n]*\b(untrusted|third-?party|user-generated|external (registry|source|content|repos?))\b/i,
+    why: "Fetches and may act on third-party/untrusted content — indirect prompt-injection risk (cf. Snyk W011).",
+  },
+  {
+    rule: "S005 credential-exfiltration",
+    severity: "HIGH",
+    // The token keyword may be a suffix/component of the var name
+    // (`$GITHUB_TOKEN`, `$NPM_TOKEN`, `$AWS_SECRET_ACCESS_KEY`), not just a prefix.
+    re: /\b(env|printenv|cat)\b[^\n]*\b(\.env|secret|token|api[_-]?key|password|credential)\b[^\n]*\|\s*(curl|wget|nc)\b|\b(curl|wget)\b[^\n]*\$\{?\s*[A-Z0-9_]*(SECRET|TOKEN|API[_-]?KEY|PASSWORD)/i,
+    why: "Reads secrets/credentials and sends them off the machine.",
+  },
+  {
+    rule: "S006 obfuscation",
+    severity: "MEDIUM",
+    re: /\bbase64\b\s+(-d|--decode)\b[^\n]*\|\s*(ba)?sh|\beval\b\s*\(|\bFunction\s*\(\s*['"`]/i,
+    why: "Decodes/evaluates hidden code at runtime (obfuscation).",
+  },
+  {
+    rule: "S007 destructive-shell",
+    severity: "HIGH",
+    // `chmod 777` and `chmod -R 777` (and `0777`) are all world-writable.
+    re: /\brm\s+-rf\s+[/~]|\bdd\s+if=|\bmkfs\b|\bchmod\s+(-R\s+)?0?777\b|>\s*\/dev\/sd/i,
+    why: "Destructive or overly-permissive filesystem operation.",
+  },
+];
+
+function walk(dir) {
+  let out = [];
+  let entries;
+  try {
+    entries = readdirSync(dir);
+  } catch {
+    return out; // dir may not exist in every repo
+  }
+  for (const name of entries) {
+    const p = join(dir, name);
+    let s;
+    try {
+      s = statSync(p);
+    } catch {
+      continue;
+    }
+    if (s.isDirectory()) out = out.concat(walk(p));
+    else if (SCAN_EXT.some((e) => name.endsWith(e))) out.push(p);
+  }
+  return out;
+}
+
+// Logical "code" lines for command-style rules:
+//   - Markdown (.md): only lines inside fenced code blocks (``` or ~~~), so
+//     documentation that merely *mentions* a dangerous command in prose can't
+//     trip a HIGH rule and block every PR.
+//   - Scripts/JSON: the whole file is code.
+// Backslash line-continuations are merged into one logical line so a command
+// wrapped across multiple lines can't slip past single-line regexes.
+function codeLines(text, file) {
+  const isMarkdown = file.endsWith(".md");
+  const raw = text.split(/\r?\n/);
+  const out = [];
+  let inFence = false;
+  let fenceChar = "";
+  for (let i = 0; i < raw.length; i++) {
+    let line = raw[i];
+    if (isMarkdown) {
+      const fence = line.match(/^\s*(`{3,}|~{3,})/);
+      if (fence) {
+        const ch = fence[1][0];
+        if (!inFence) {
+          inFence = true;
+          fenceChar = ch;
+        } else if (ch === fenceChar) {
+          inFence = false;
+        }
+        continue; // never scan the fence marker line itself
+      }
+      if (!inFence) continue; // skip prose
+    }
+    const startLine = i + 1;
+    while (/\\[ \t]*$/.test(line) && i + 1 < raw.length) {
+      i += 1;
+      line = line.replace(/\\[ \t]*$/, " ") + raw[i];
+    }
+    out.push({ line: startLine, text: line });
+  }
+  return out;
+}
+
+function scanFile(file) {
+  const rel = relative(ROOT, file).split(sep).join("/");
+  const text = readFileSync(file, "utf8");
+
+  // Frontmatter hygiene for SKILL.md
+  if (file.endsWith("SKILL.md")) {
+    const fmEnd = text.indexOf("\n---", 3);
+    const fm = text.startsWith("---") && fmEnd !== -1 ? text.slice(3, fmEnd) : "";
+    if (!/\bname\s*:/.test(fm))
+      findings.push({ severity: "MEDIUM", rule: "S100 missing-name", file: rel, line: 1, match: "frontmatter", why: "SKILL.md is missing a `name` in frontmatter." });
+    if (!/\bdescription\s*:/.test(fm))
+      findings.push({ severity: "MEDIUM", rule: "S101 missing-description", file: rel, line: 1, match: "frontmatter", why: "SKILL.md is missing a `description` in frontmatter." });
+  }
+
+  const push = (r, line, m) =>
+    findings.push({ severity: r.severity, rule: r.rule, file: rel, line, match: m[0].slice(0, 120), why: r.why });
+
+  // Command-style rules over code context (fenced blocks / whole scripts).
+  const cmdRules = RULES.filter((r) => r.context !== "prose");
+  for (const { line, text: lt } of codeLines(text, file)) {
+    for (const r of cmdRules) {
+      const m = r.re.exec(lt);
+      if (m) push(r, line, m);
+    }
+  }
+
+  // Prose rules (e.g. prompt-injection) scan the full natural-language text.
+  const proseRules = RULES.filter((r) => r.context === "prose");
+  if (proseRules.length) {
+    text.split(/\r?\n/).forEach((line, i) => {
+      for (const r of proseRules) {
+        const m = r.re.exec(line);
+        if (m) push(r, i + 1, m);
+      }
+    });
+  }
+}
+
+// Run
+const files = SCAN_DIRS.flatMap((d) => walk(join(ROOT, d)));
+files.forEach(scanFile);
+
+const counts = { HIGH: 0, MEDIUM: 0, LOW: 0 };
+findings.forEach((f) => (counts[f.severity] += 1));
+
+if (JSON_OUT) {
+  console.log(JSON.stringify({ scanned: files.length, counts, findings }, null, 2));
+} else {
+  const C = { HIGH: "\x1b[31m", MEDIUM: "\x1b[33m", LOW: "\x1b[36m", reset: "\x1b[0m" };
+  console.log(`\nskills-safety-scan — scanned ${files.length} file(s) in ${SCAN_DIRS.join(", ")}\n`);
+  if (findings.length === 0) {
+    console.log("  ✓ No issues found.\n");
+  } else {
+    for (const f of findings.sort((a, b) => ("HML".indexOf(a.severity[0]) - "HML".indexOf(b.severity[0])))) {
+      console.log(`  ${C[f.severity]}${f.severity}${C.reset} ${f.rule}`);
+      console.log(`    ${f.file}:${f.line}`);
+      console.log(`    match: ${f.match}`);
+      console.log(`    why:   ${f.why}\n`);
+    }
+  }
+  console.log(`Summary: ${counts.HIGH} high, ${counts.MEDIUM} medium, ${counts.LOW} low\n`);
+}
+
+// Scanning zero files almost always means the target moved (renamed skill dir,
+// wrong --root) rather than a clean repo — fail loudly instead of passing green.
+const emptyScan = files.length === 0 && !ALLOW_EMPTY;
+if (emptyScan) {
+  console.error(
+    `skills-safety-scan: ERROR — scanned 0 files under ${SCAN_DIRS.join(", ")}. ` +
+      `The scan target may have moved. Pass --allow-empty if this is intentional.`,
+  );
+}
+
+const fail = counts.HIGH > 0 || (STRICT && counts.MEDIUM > 0) || emptyScan;
+process.exit(fail ? 1 : 0);