@fenixforce/edition-pro 0.1.0

package/dist/infrastructure/pty-agent.d.ts

@@ -0,0 +1,74 @@
+export declare class RingBuffer {
+    private buffer;
+    private head;
+    private count;
+    private readonly capacity;
+    constructor(capacity?: number);
+    /** Append a line. Overwrites oldest when full. */
+    append(line: string): void;
+    /** Get all lines in order. */
+    snapshot(): string[];
+    /** Get last n lines. */
+    tail(n: number): string[];
+    /** Current line count. */
+    get size(): number;
+    /** Clear the buffer. */
+    clear(): void;
+}
+export type PTYAgentStatus = "spawning" | "running" | "idle" | "dead";
+export interface PTYAgent {
+    agentId: string;
+    workspaceId: string;
+    pid: number;
+    status: PTYAgentStatus;
+    ringBuffer: RingBuffer;
+}
+export interface PTYSpawnConfig {
+    agentId: string;
+    workspaceId: string;
+    command: string;
+    args?: string[];
+    cwd?: string;
+    env?: Record<string, string>;
+    /** Ring buffer capacity (default: 500 lines) */
+    bufferCapacity?: number;
+    /** Idle timeout in ms (default: 10000) */
+    idleTimeout?: number;
+    /** SIGTERM → SIGKILL grace period in ms (default: 5000) */
+    killGracePeriod?: number;
+}
+export type PTYEventEmitter = (event: string, payload: Record<string, unknown>) => void;
+/** Callback for real-time line output (WebSocket streaming). */
+export type OnLineFn = (line: string) => void;
+export declare class PTYAgentManager {
+    private agents;
+    private emit;
+    constructor(emit?: PTYEventEmitter);
+    /**
+     * Spawn a new PTY agent. Returns agent info immediately;
+     * actual process runs asynchronously.
+     */
+    spawn(config: PTYSpawnConfig, onLine?: OnLineFn): PTYAgent;
+    /**
+     * Get agent info by ID.
+     */
+    get(agentId: string): PTYAgent | null;
+    /**
+     * Subscribe to real-time output from an agent.
+     * Returns unsubscribe function.
+     */
+    subscribe(agentId: string, listener: OnLineFn): () => void;
+    /**
+     * Kill an agent with SIGTERM → SIGKILL grace period.
+     */
+    kill(agentId: string): Promise<void>;
+    /**
+     * List all agents.
+     */
+    list(): PTYAgent[];
+    /**
+     * Destroy all agents.
+     */
+    destroyAll(): Promise<void>;
+    private spawnProcess;
+}

package/dist/migrations/migrate.d.ts

@@ -0,0 +1,7 @@
+/**
+ * CLI entry point for running migrations.
+ * Usage: bun run migrate        (runs UP)
+ *        bun run migrate down   (runs DOWN / rollback)
+ *        bun run migrate validate (validates without executing)
+ */
+export {};

package/dist/migrations/runner.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Migration Runner — Phase B4
+ *
+ * Reads SQL migration files from the migrations/ directory, parses
+ * UP/DOWN sections, and provides execution against a Postgres client.
+ * Also usable standalone for validation.
+ */
+export interface ParsedMigration {
+    /** File name (e.g. "0001_create_fleet_tables.sql"). */
+    name: string;
+    /** Sequence number parsed from the file name prefix. */
+    sequence: number;
+    /** SQL to execute when applying this migration. */
+    up: string;
+    /** SQL to execute when rolling back this migration. */
+    down: string;
+}
+/** Minimal Postgres client interface (matches pg.Client / pg.PoolClient). */
+export interface PgClientLike {
+    query(sql: string): Promise<unknown>;
+}
+/**
+ * Parse a migration SQL file into UP and DOWN sections.
+ *
+ * File format:
+ *   -- ── UP ──...
+ *   <up SQL>
+ *   -- ── DOWN ──...
+ *   <down SQL — lines may be commented out with --, will be uncommented>
+ */
+export declare function parseMigration(fileName: string, content: string): ParsedMigration;
+/**
+ * Load and parse all migration files from a directory.
+ * Returns them sorted by sequence number.
+ */
+export declare function loadMigrations(migrationsDir?: string): ParsedMigration[];
+/**
+ * Run all UP migrations in order against a Postgres client.
+ */
+export declare function migrateUp(client: PgClientLike, migrationsDir?: string): Promise<string[]>;
+/**
+ * Run all DOWN migrations in reverse order against a Postgres client.
+ */
+export declare function migrateDown(client: PgClientLike, migrationsDir?: string): Promise<string[]>;
+/**
+ * Validate all migration files without executing them.
+ * Returns the parsed migrations or throws on error.
+ */
+export declare function validateMigrations(migrationsDir?: string): ParsedMigration[];

package/dist/workspace/worktree.d.ts

@@ -0,0 +1,69 @@
+export interface WorktreeInfo {
+    taskId: string;
+    branch: string;
+    path: string;
+    baseBranch: string;
+    createdAt: Date;
+    status: "active" | "completed" | "dead";
+}
+export interface WorktreeManagerConfig {
+    /** Root directory for worktrees */
+    worktreeRoot: string;
+    /** Base repo path */
+    repoPath: string;
+    /** Shared directories to symlink (e.g. node_modules) */
+    sharedDirs?: string[];
+    /** Days to preserve unmerged branches before cleanup */
+    preserveDays: number;
+}
+export declare const DEFAULT_WORKTREE_CONFIG: Partial<WorktreeManagerConfig>;
+export interface PRSummary {
+    branch: string;
+    changedFiles: string[];
+    diffStat: string;
+    taskId: string;
+}
+export type WorktreeEventEmitter = (event: string, payload: Record<string, unknown>) => void;
+export type ArtifactStoreFn = (key: string, content: string) => Promise<void>;
+export declare class WorktreeManager {
+    private config;
+    private worktrees;
+    private emit;
+    constructor(config: WorktreeManagerConfig, emit?: WorktreeEventEmitter);
+    /**
+     * Create a worktree for a task with its own branch.
+     */
+    create(taskId: string, baseBranch?: string): Promise<WorktreeInfo>;
+    /**
+     * Inject symlinks for heavy shared directories to keep worktrees lightweight.
+     */
+    symlink(taskId: string, paths: string[]): Promise<void>;
+    /**
+     * Destroy a worktree and optionally clean up the branch.
+     */
+    destroy(taskId: string): Promise<void>;
+    /**
+     * List all active worktrees with task status.
+     */
+    listActive(): WorktreeInfo[];
+    /**
+     * Mark a worktree's task as completed.
+     */
+    markCompleted(taskId: string): void;
+    /**
+     * Mark a worktree's task as dead (agent crashed/timed out).
+     */
+    markDead(taskId: string): void;
+    /**
+     * Cleanup job: destroy worktrees for completed/dead tasks.
+     * Merged branches deleted; unmerged preserved for preserveDays.
+     */
+    cleanup(): Promise<number>;
+    /**
+     * Generate a draft PR summary for a completed task worktree.
+     */
+    generatePRSummary(taskId: string, storeArtifact?: ArtifactStoreFn): Promise<PRSummary>;
+    private git;
+    private isBranchMerged;
+    private exec;
+}

package/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "@fenixforce/edition-pro",
+  "version": "0.1.0",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org",
+    "access": "restricted"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/ejiogbevoices/projectfenix.git",
+    "directory": "packages/edition-pro"
+  },
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "skills/builtin/*/SKILL.md"
+  ],
+  "scripts": {
+    "build": "esbuild src/index.ts --bundle --format=esm --platform=node --target=es2022 --minify --outfile=dist/index.js --external:@fenixforce/kernel --external:zod && tsc --emitDeclarationOnly --project tsconfig.build.json",
+    "test": "bun test",
+    "typecheck": "tsc --noEmit",
+    "migrate": "bun run src/migrations/migrate.ts"
+  },
+  "dependencies": {
+    "@fenixforce/kernel": "workspace:*",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {}
+}

package/skills/builtin/academic-researcher/SKILL.md

@@ -0,0 +1,51 @@
+# Academic Researcher
+
+## Literature Review Process
+
+1. Define research question and scope
+2. Search sources (ArXiv, Google Scholar, Semantic Scholar via web search)
+3. Screen by title/abstract for relevance
+4. Full-text review of relevant papers
+5. Extract key findings, methods, limitations
+6. Synthesize across papers: agreements, contradictions, gaps
+
+## Citation Formats
+
+### APA 7th
+Author, A. A., & Author, B. B. (Year). Title of article. *Journal Name*, *Volume*(Issue), pages. https://doi.org/xxx
+
+### MLA 9th
+Author Last, First. "Title of Article." *Journal Name*, vol. X, no. Y, Year, pp. 1-10.
+
+### IEEE
+[1] A. Author, "Title," *Journal*, vol. X, no. Y, pp. 1-10, Month Year.
+
+## Output: Literature Review
+
+```markdown
+## Research Question
+[Specific question being investigated]
+
+## Search Strategy
+Databases searched, keywords used, date range, inclusion/exclusion criteria.
+
+## Findings
+### Theme 1: [Name]
+[Synthesis of 3-5 papers on this theme with citations]
+
+### Theme 2: [Name]
+[Synthesis]
+
+## Research Gaps
+[What hasn't been studied yet]
+
+## References
+[Formatted citation list]
+```
+
+## Rules
+
+- Always note publication year (recency matters in fast-moving fields)
+- Distinguish between peer-reviewed and preprint
+- Note sample sizes and methodology quality
+- Acknowledge limitations of each study

package/skills/builtin/advanced-recon/SKILL.md

@@ -0,0 +1,75 @@
+# Advanced Reconnaissance
+
+## Purpose
+Discover maximum attack surface with minimal detection using a 5-layer methodology.
+
+## Core Philosophy
+Breadth -> Depth -> Exploitation. Wide net -> Focus -> Attack.
+
+**Key Principle**: 80% of bugs come from assets others miss.
+
+## The 5-Layer Approach
+
+### Layer 1: Organization Intelligence
+- Use `whois` and `amass intel` to find ASNs and IP ranges.
+- Map organizational ownership and subsidiary relationships.
+- Feed results into active discovery workflows.
+
+### Layer 2: Passive Subdomain Discovery
+- Certificate Transparency and DNS Aggregators: `subfinder`, `amass`, `crt.sh`.
+- Build seed list for active resolution.
+- Search Engine Dorking: Google/GitHub dorks to find shadow IT and dev environments.
+
+### Layer 3: Active Subdomain Discovery
+- DNS Brute-Forcing: `puredns`, `shuffledns`.
+- Use massive wordlists (Jhaddix/SecLists) + Permutations (`altdns`).
+- Resolve and validate discovered subdomains.
+
+### Layer 4: Asset Discovery
+- Port Scanning and Service Enumeration: `naabu`, `nmap`.
+- Output: `live.txt` (Httpx results).
+- Technology Detection: `nuclei -t technologies`, `whatweb`.
+- Identify WAFs early for bypass planning.
+
+### Layer 5: Deep Content Discovery
+- Crawling and JavaScript Analysis: `katana`, `hakrawler`.
+- Extract API endpoints from JS files.
+- Identify hidden parameters and administrative interfaces.
+
+## Cloud Asset Discovery
+- AWS/Azure/GCP: Bucket enumeration and cloud-specific pattern scanning.
+- Check for misconfigured storage, exposed services, and metadata endpoints.
+
+## Automation
+- Build pipelines using `tmux` or `axiom` for distributed scanning.
+- Continuous Monitoring: Alert on new subdomains (Cron + Subfinder).
+
+## Data Organization
+Maintain a standardized directory structure:
+- `recon/target/subdomains/` — discovered subdomains
+- `recon/target/web/` — web application data
+- `recon/target/ports/` — port scan results
+- `recon/target/content/` — discovered content and endpoints
+
+## Output Contract
+```json
+{
+  "organization_intel": {},
+  "subdomain_inventory": [],
+  "live_assets": [],
+  "technology_stack": [],
+  "content_discovery": [],
+  "cloud_assets": [],
+  "priority_targets": []
+}
+```
+
+## Constraints
+- Minimize target contact during passive phases.
+- Respect scope boundaries strictly.
+- Log all active probing for audit trail.
+
+## Quality Checklist
+- [ ] All 5 layers completed.
+- [ ] Cloud assets included.
+- [ ] Priority targets identified with rationale.

package/skills/builtin/agent-governance/SKILL.md

@@ -0,0 +1,122 @@
+# Agent Governance
+
+## Policy Definition (YAML)
+
+```yaml
+policies:
+  - name: block-destructive
+    actions: [delete_file, drop_table, rm_rf, format_disk]
+    decision: deny
+    reason: "Destructive operations require human approval"
+
+  - name: rate-limit-external
+    actions: [external_api_call, web_fetch, send_email]
+    max_per_minute: 10
+    decision: allow_with_limit
+
+  - name: log-all-writes
+    actions: [write_file, create_file, update_record]
+    decision: allow
+    audit: true
+```
+
+## Tool Interception
+
+Wrap every tool call with a policy check:
+1. Agent requests tool execution
+2. Governance layer checks action against policies
+3. If DENY: block and explain why
+4. If ALLOW_WITH_LIMIT: check rate, execute if under limit
+5. If ALLOW: execute, log if audit flag set
+
+## Audit Trail
+
+Every tool execution logged:
+```typescript
+interface AuditEntry {
+  timestamp: Date;
+  agentId: string;
+  action: string;
+  parameters: Record<string, unknown>;
+  decision: "allow" | "deny" | "rate_limited";
+  policyName: string;
+  result?: unknown;
+}
+```
+
+## Policy Evaluation Order
+
+1. Check explicit DENY rules first (fail-fast)
+2. Check rate limits for ALLOW_WITH_LIMIT rules
+3. Check ALLOW rules with audit flags
+4. Default-deny for unrecognized actions
+
+## Versioned Constitution Governance
+
+Treat policy files as versioned artifacts with integrity guarantees:
+
+### Policy Versioning
+```yaml
+constitution:
+  version: "2.3.0"
+  effective_date: "2026-03-01"
+  hash: "sha256:abc123..."  # integrity check
+  changelog:
+    - version: "2.3.0"
+      change: "Added rate limit for send_email"
+      author: "admin@company.com"
+    - version: "2.2.0"
+      change: "Blocked drop_table action"
+      author: "admin@company.com"
+```
+
+### Diff Linting
+Before applying a policy update:
+1. Compute diff between current and proposed policy
+2. Lint the diff: no policy can remove a DENY rule without explicit override flag
+3. Flag any change that broadens permissions (new ALLOW rules, increased rate limits)
+4. Require signed approval for permission-broadening changes
+
+### Rollback
+```typescript
+async function rollbackPolicy(targetVersion: string): Promise<void> {
+  const history = await loadPolicyHistory();
+  const target = history.find((p) => p.version === targetVersion);
+  if (!target) throw new Error(`Version ${targetVersion} not found`);
+  await applyPolicy(target);
+  await auditLog({ action: "policy_rollback", from: currentVersion, to: targetVersion });
+}
+```
+
+## Canary Rollout for Policy Changes
+
+Staged policy deployment with automatic rollback:
+
+### Rollout Stages
+1. **Shadow mode** (1 hour): new policy evaluates in parallel with current policy, logs disagreements but doesn't enforce
+2. **Canary** (10% of requests, 4 hours): new policy enforced for a subset, monitor for anomalies
+3. **Gradual rollout** (25% → 50% → 100%, each stage 2 hours): expand if metrics are healthy
+4. **Full deployment**: new policy active for all requests
+
+### Metric Guardrails (auto-rollback triggers)
+- Deny rate increases by >20% compared to baseline
+- User escalation rate doubles
+- Any CRITICAL-severity audit event in canary population
+- Error rate in policy evaluation exceeds 1%
+
+### Auto-Rollback
+```typescript
+if (denyRateIncrease > 0.20 || escalationRateDoubled || criticalEvent) {
+  await rollbackPolicy(previousVersion);
+  await notify("Policy canary failed", { reason, metrics });
+}
+```
+
+## Rules
+
+- Policies are declarative YAML, not code (non-developers can write them)
+- Deny decisions always include a human-readable reason
+- Audit log is append-only (never deleted or modified)
+- Default-deny for unrecognized actions
+- Policy changes require versioned changelog entries
+- Permission-broadening changes require signed approval

package/skills/builtin/algorithmic-art/SKILL.md

@@ -0,0 +1,55 @@
+---
+name: algorithmic-art
+description: "Use this skill for generative art, creative coding, p5.js, canvas art, SVG generation, or algorithmic visual design. Triggers: 'generative art', 'creative coding', 'p5.js', 'algorithmic art', 'procedural', 'fractal', 'generative design', or requests for code-generated visual art."
+license: MIT
+---
+
+# Algorithmic Art
+
+## What This Skill Does
+
+Generate visual art through code. p5.js, Canvas API, SVG, shaders. Patterns, fractals, particle systems, noise fields, and generative design.
+
+## p5.js Setup
+
+```html
+<script src="https://cdn.jsdelivr.net/npm/p5@1/lib/p5.min.js"></script>
+<script>
+function setup() {
+  createCanvas(800, 800);
+  background(20);
+  noLoop();  // Draw once, or remove for animation
+}
+
+function draw() {
+  // Art goes here
+}
+</script>
+```
+
+## Common Techniques
+
+| Technique | Tool |
+|-----------|------|
+| Smooth randomness | Perlin noise: `noise(x, y)` |
+| Particle systems | Array of objects with position, velocity, lifetime |
+| Fractals | Recursive functions with depth limit |
+| Flow fields | Vector grid sampled with noise |
+| L-systems | String rewriting rules for organic shapes |
+| Voronoi | Nearest-point tessellation |
+| Color palettes | HSB mode for intuitive color control |
+
+## Tips
+
+- Use HSB color mode for more intuitive color manipulation
+- Add slight randomness to everything (perfect symmetry looks artificial)
+- Layer translucent shapes for depth
+- Export as SVG for print-quality output
+- Use `random()` with seeds for reproducible art
+
+## Rules
+
+- Always set a canvas size appropriate for the output medium
+- Use requestAnimationFrame or p5's draw() for animation (never setInterval)
+- Provide a way to save/export the result (saveCanvas, SVG export)
+- Document the parameters that control the art's appearance

package/skills/builtin/api-attack-surface-mapper/SKILL.md

@@ -0,0 +1,88 @@
+# API Attack Surface Mapper
+
+## Purpose
+Build a full API inventory, trust-boundary map, and prioritized test matrix from specification and observed behavior.
+
+## Required Inputs
+- `target_base_url`
+- `api_spec_source` (OpenAPI URL/file, Postman collection, or captured traffic)
+- `auth_context` (token types, role accounts, session rules)
+- `scope_rules` (in-scope services, forbidden actions)
+
+## Optional Inputs
+- `known_business_flows`
+- `environment_limits` (rate limits, test windows)
+- `seed_ids` (known object identifiers)
+
+## Preflight Checklist
+- [ ] Spec is reachable and parseable.
+- [ ] Base URL and version path are confirmed.
+- [ ] Auth mechanism is known per endpoint family.
+- [ ] Scope exclusions are explicit.
+
+## Execution Workflow
+### Phase 1: Normalize Inputs
+1. Parse spec and resolve path templates, tags, and schema references.
+2. Deduplicate routes by method + canonical path.
+3. Flag undocumented endpoints observed in traffic.
+
+### Phase 2: Build Trust-Boundary Map
+1. Label endpoints as `public`, `user`, `admin`, `internal`, or `unknown`.
+2. Map auth styles: cookie session, bearer token, API key, mTLS.
+3. Capture identity source and role enforcement points.
+
+### Phase 3: Parameter Risk Profiling
+1. Classify parameters by risk type: object references, filter/sort/query operators, file/blob inputs, callback URLs, rich text/template fields.
+2. Mark whether each parameter is attacker-controlled and persisted.
+
+### Phase 4: Test Matrix Generation
+1. Generate baseline tests for each endpoint (auth, method, content type).
+2. Generate abuse tests by class: BOLA/BFLA, mass assignment, injection, SSRF-style URL handling, workflow/state abuse.
+3. Prioritize by business impact and reachable privilege.
+
+### Phase 5: Low-Noise Validation
+1. Confirm route liveness and auth expectations.
+2. Record response fingerprint per endpoint: status bands, auth error shape, validation error shape.
+3. Mark unstable endpoints as low-confidence until retested.
+
+## Coverage Matrix (Minimum)
+| Class | Minimum Check |
+|---|---|
+| BOLA/BFLA | Cross-account object access with role switch |
+| Auth/session | Missing token, expired token, token audience mismatch |
+| Mass assignment | Hidden fields on create/update |
+| Injection | SQL/NoSQL/template/operator contexts |
+| SSRF | URL/file fetchers, webhooks, importers |
+| Data exposure | Over-broad response fields and debug traces |
+| Rate abuse | Lack of throttling on sensitive actions |
+| Workflow abuse | Invalid state transitions, skipped approvals |
+
+## Output Contract
+```json
+{
+  "endpoint_inventory": [],
+  "trust_boundaries": [],
+  "parameter_risk_profile": [],
+  "prioritized_test_matrix": [],
+  "baseline_observations": [],
+  "coverage_gaps": []
+}
+```
+
+## Constraints
+- Do not use as a replacement for exploit confirmation — this is a discovery and planning skill.
+- Treat spec as starting point, not ground truth; verify against runtime.
+
+## Quality Checklist
+- [ ] Inventory covers all observed and documented routes.
+- [ ] Each high-risk endpoint has at least one concrete test case.
+- [ ] Unknowns are explicit and actionable.
+
+## Conditional Decision Matrix
+| Condition | Action | Evidence Requirement |
+|---|---|---|
+| Endpoint undocumented but reachable | Add to inventory and prioritize authz checks | request/response baseline + auth behavior |
+| Auth behavior inconsistent across methods | Split tests by method and content type | per-method status + body signatures |
+| Time-based anomaly only | run matched control timing series | repeated control/test timing traces |
+| Object access differs by role | escalate to cross-tenant/cross-role checks | role-tagged replay proof |
+| Validation differs by parser | run semantic-equivalent content-type tests | parser-path differential evidence |