@ijfw/install 1.3.1 → 1.3.2

package/CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## [1.3.2] -- 2026-05-15
+
+**Project-agnostic swarm orchestration + live visual workflow + richer Codex native surface.** Adds first-class Team Assembly, blackboard coordination, swarm task lifecycle, conservative git worktrees, recovery checkpoints, Superpowers-style live design previews, and Claude-parity Codex command aliases.
+
+- `ijfw design start/open/status/stop/push/clear` now runs a localhost visual companion with live reload, placeholder preview, and multi-file HTML support under `/design`.
+- `ijfw team init/status` creates project-specific agent charters and workflow manifests across software, design, content, book, research, business, and mixed projects.
+- `.ijfw/blackboard/` now provides runtime coordination: artifact claims, notes/findings/decisions/blockers, handoffs, prepared tasks, and append-only events.
+- `ijfw swarm plan/prepare/tasks/start/complete/block/ready/status` turns team workflows into artifact-aware parallel waves with explicit dependencies and review tasks.
+- `ijfw swarm prompt <task-id>` renders a scoped worker prompt for subagents, including artifact scope, dependencies, blockers, checks, blackboard commands, and non-revert rules.
+- Codex-native dispatch now covers `ijfw codex doctor`, `ijfw codex sync-agents`, `.codex/agents/*.toml` generation from Team Assembly, and `ijfw swarm prompt <task-id> --codex` for pasteable Codex worker/explorer dispatch.
+- `ijfw swarm worktree create/list/integrate/cleanup` adds conservative isolated git worktrees for in-progress code-heavy tasks, with no automatic conflict resolution.
+- `ijfw memory checkpoint <label>` and `ijfw recover status/latest` create durable workflow snapshots so project state can be recovered after context loss.
+- Workflow and team skills now include SWARM/PREPARE lifecycle guidance, review gates, worktree safety rules, and checkpoint expectations at stage transitions.
+- Codex now ships the same 22 IJFW command aliases as Claude, installs them to `~/.codex/commands` and project `.codex/commands` when applicable, and advertises `commands_dir` in the Codex plugin manifest.
+- The terminal CLI exposes the same command vocabulary as the agent surfaces: `ijfw cross audit <target>`, `ijfw cross-audit`, `ijfw workflow`, `ijfw memory-audit`, `ijfw ijfw-verify`, and related aliases all route through the shared IJFW command dispatcher.
+
+Files: `mcp-server/src/blackboard.js`, `mcp-server/src/team/`, `mcp-server/src/swarm/`, `mcp-server/src/recovery/`, `mcp-server/src/dashboard-server.js`, `mcp-server/src/cross-orchestrator-cli.js`, `installer/src/ijfw.js`, `shared/skills/ijfw-workflow/SKILL.md`, platform workflow/team/design skill mirrors, and related fixtures/tests.
+
 ## [1.3.1] -- 2026-05-12
 
 **Codex hook cleanup + release cadence hardening.** Tightens IJFW's Codex integration for Codex 0.130+, reduces the default dependency footprint, and moves more release drift into automated gates before it reaches users.
@@ -659,7 +677,7 @@ Platform count: **8 install targets -> 13 MCP-integrated + 1 rules-only**. Same
 
 - `ijfw preflight` -- 11-gate quality pipeline covering shell lint, JS lint, security scan, secret detection, npm audit, dead-code detection, license check, pack-smoke, and upgrade-smoke.
 - Blocking vs advisory distinction: exit 0 when all blocking gates pass even if advisory warnings exist. Exit 1 on any blocking failure.
-- Each gate uses `npx --yes <tool>@<pinned-version>`. Pinned versions in `preflight-versions.json`. Missing tools report "skipped" with a positive install hint, not a failure.
+- Tool-backed gates use `npx --yes <tool>@<pinned-version>`. The dependency-audit gate uses `npm audit --json` directly against the package lockfiles. Pinned versions live in `preflight-versions.json`; missing tools report "skipped" with a positive install hint, not a failure.
 - Warm-cache SLO: <=90s. Cold-cache: <=240s. Both printed in the summary line.
 - `prepublishOnly` in `installer/package.json` now runs preflight before every publish so no tag can ship with a blocking gate open.
 

package/dist/ijfw.js

@@ -267,6 +267,17 @@ import { spawnSync as spawnSync3 } from "node:child_process";
 import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
 import { join as join2 } from "node:path";
 import { tmpdir } from "node:os";
+function formatMessages(results, severity12) {
+  const out = [];
+  for (const file of results) {
+    for (const msg of file.messages || []) {
+      if (severity12 === "error" && msg.severity !== 2) continue;
+      if (severity12 === "warning" && msg.severity !== 1) continue;
+      out.push(`${file.filePath}:${msg.line}:${msg.column} ${msg.severity === 2 ? "error" : "warning"} ${msg.ruleId} -- ${msg.message}`);
+    }
+  }
+  return out;
+}
 async function run3(ctx) {
   const t0 = Date.now();
   const eslintVer = ctx.versions["eslint"] || "latest";
@@ -292,6 +303,7 @@ async function run3(ctx) {
 import security from '${join2(tmpDir, "node_modules", "eslint-plugin-security", "index.js").replace(/\\/g, "/")}';
 export default [
   {
+    linterOptions: { reportUnusedDisableDirectives: 'off' },
     files: ['installer/src/**/*.js', 'mcp-server/src/**/*.js'],
     plugins: { security },
     rules: ${JSON.stringify(RULES)},
@@ -303,13 +315,20 @@ export default [
     const eslintBin = join2(tmpDir, "node_modules", ".bin", "eslint");
     const res = spawnSync3(
       eslintBin,
-      ["--config", configPath, "installer/src/**/*.js", "mcp-server/src/**/*.js"],
+      ["--no-config-lookup", "--config", configPath, "--format", "json", "installer/src/**/*.js", "mcp-server/src/**/*.js"],
       { encoding: "utf8", cwd: ctx.repoRoot, timeout: 6e4 }
     );
     const durationMs = Date.now() - t0;
     const output = (res.stdout || "") + (res.stderr || "");
-    const lines = output.split("\n").filter(Boolean);
-    if (res.status === 0) {
+    let results = [];
+    try {
+      results = JSON.parse(res.stdout || "[]");
+    } catch {
+      results = [];
+    }
+    const errorCount = results.reduce((sum, file) => sum + (file.errorCount || 0), 0);
+    const warningCount = results.reduce((sum, file) => sum + (file.warningCount || 0), 0);
+    if (res.status === 0 && errorCount === 0 && warningCount === 0) {
       return {
         name: "eslint-security",
         status: "PASS",
@@ -318,20 +337,20 @@ export default [
         durationMs
       };
     }
-    if (res.status === 1) {
+    if (errorCount > 0 || res.status === 2) {
       return {
         name: "eslint-security",
-        status: "WARN",
-        message: "eslint-security: advisory warnings (review above)",
-        details: lines.slice(0, 30),
+        status: "FAIL",
+        message: `eslint-security: ${errorCount || "unknown"} security error(s) found`,
+        details: (formatMessages(results, "error").length ? formatMessages(results, "error") : output.split("\n").filter(Boolean)).slice(0, 30),
         durationMs
       };
     }
     return {
       name: "eslint-security",
-      status: "FAIL",
-      message: "eslint-security: security errors found (exit code 2)",
-      details: lines.slice(0, 30),
+      status: "WARN",
+      message: `eslint-security: ${warningCount} advisory warning(s)`,
+      details: (formatMessages(results, "warning").length ? formatMessages(results, "warning") : output.split("\n").filter(Boolean)).slice(0, 30),
       durationMs
     };
   } finally {
@@ -350,11 +369,7 @@ var init_eslint_security = __esm({
   "src/preflight/gates/eslint-security.js"() {
     RULES = {
       "security/detect-eval-with-expression": "error",
-      "security/detect-non-literal-fs-filename": "warn",
-      "security/detect-non-literal-regexp": "warn",
       "security/detect-non-literal-require": "warn",
-      "security/detect-object-injection": "warn",
-      "security/detect-possible-timing-attacks": "warn",
       "security/detect-pseudoRandomBytes": "error",
       "security/detect-unsafe-regex": "error"
     };
@@ -367,15 +382,15 @@ var init_eslint_security = __esm({
 // src/preflight/gates/psscriptanalyzer.js
 var psscriptanalyzer_exports = {};
 __export(psscriptanalyzer_exports, {
+  fallbackAnalyzePowerShellText: () => fallbackAnalyzePowerShellText,
   name: () => name4,
   parallel: () => parallel4,
   run: () => run4,
   severity: () => severity4
 });
 import { spawnSync as spawnSync4 } from "node:child_process";
-import { readdirSync as readdirSync2, statSync as statSync2 } from "node:fs";
+import { readFileSync, readdirSync as readdirSync2, statSync as statSync2 } from "node:fs";
 import { join as join3 } from "node:path";
-import { platform } from "node:os";
 function findPs1Files(dir, acc = []) {
   let entries;
   try {
@@ -397,6 +412,109 @@ function findPs1Files(dir, acc = []) {
   }
   return acc;
 }
+function stripPowerShellComments(source) {
+  let out = "";
+  let i = 0;
+  let inSingle = false;
+  let inDouble = false;
+  let inBlockComment = false;
+  while (i < source.length) {
+    const ch = source[i];
+    const next = source[i + 1];
+    if (inBlockComment) {
+      if (ch === "#" && next === ">") {
+        inBlockComment = false;
+        i += 2;
+      } else {
+        if (ch === "\n") out += "\n";
+        i += 1;
+      }
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "<" && next === "#") {
+      inBlockComment = true;
+      i += 2;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "#") {
+      while (i < source.length && source[i] !== "\n") i += 1;
+      out += "\n";
+      continue;
+    }
+    out += ch;
+    if (!inDouble && ch === "'") inSingle = !inSingle;
+    else if (!inSingle && ch === '"' && source[i - 1] !== "`") inDouble = !inDouble;
+    i += 1;
+  }
+  return out;
+}
+function bracketIssues(source, file) {
+  const pairs = { "(": ")", "[": "]", "{": "}" };
+  const closers = new Set(Object.values(pairs));
+  const stack = [];
+  let inSingle = false;
+  let inDouble = false;
+  for (let i = 0; i < source.length; i++) {
+    const ch = source[i];
+    if (!inDouble && ch === "'") {
+      inSingle = !inSingle;
+      continue;
+    }
+    if (!inSingle && ch === '"' && source[i - 1] !== "`") {
+      inDouble = !inDouble;
+      continue;
+    }
+    if (inSingle || inDouble) continue;
+    if (pairs[ch]) stack.push({ ch, index: i });
+    else if (closers.has(ch)) {
+      const open = stack.pop();
+      if (!open || pairs[open.ch] !== ch) return [`${file}: unbalanced bracket near offset ${i}`];
+    }
+  }
+  if (inSingle || inDouble) return [`${file}: unterminated string literal`];
+  if (stack.length > 0) return [`${file}: unclosed bracket near offset ${stack[stack.length - 1].index}`];
+  return [];
+}
+function fallbackAnalyzePowerShellText(source, file = "<inline>") {
+  const stripped = stripPowerShellComments(source);
+  const issues = bracketIssues(stripped, file);
+  const banned = [
+    [/\bInvoke-Expression\b|\biex\b/i, "Invoke-Expression/iex dynamic execution"],
+    [/\bSet-ExecutionPolicy\b[\s\S]{0,80}\bBypass\b/i, "Set-ExecutionPolicy Bypass"],
+    [/\bStart-Process\b[\s\S]{0,160}\b-Verb\s+RunAs\b/i, "Start-Process -Verb RunAs elevation"],
+    [/\bNew-Object\s+Net\.WebClient\b|\bDownloadString\s*\(/i, "legacy WebClient/DownloadString network execution"]
+  ];
+  for (const [re2, label] of banned) {
+    if (re2.test(stripped)) issues.push(`${file}: banned PowerShell pattern: ${label}`);
+  }
+  return issues;
+}
+function runFallback(files, t0, reason) {
+  const issues = [];
+  for (const file of files) {
+    try {
+      issues.push(...fallbackAnalyzePowerShellText(readFileSync(file, "utf8"), file));
+    } catch (e) {
+      issues.push(`${file}: could not read script (${e.message || e})`);
+    }
+  }
+  if (issues.length > 0) {
+    return {
+      name: "psscriptanalyzer",
+      status: "FAIL",
+      message: `PowerShell fallback found issues in ${files.length} script(s)`,
+      details: [reason, ...issues].slice(0, 20),
+      durationMs: Date.now() - t0
+    };
+  }
+  return {
+    name: "psscriptanalyzer",
+    status: "PASS",
+    message: `${files.length} PowerShell script(s) clean (static fallback; ${reason})`,
+    details: [],
+    durationMs: Date.now() - t0
+  };
+}
 async function run4(ctx) {
   const t0 = Date.now();
   const files = findPs1Files(ctx.repoRoot);
@@ -411,14 +529,15 @@ async function run4(ctx) {
   }
   const which = spawnSync4("pwsh", ["--version"], { encoding: "utf8" });
   if (which.status === null || which.error) {
-    const isWin2 = platform() === "win32";
-    return {
-      name: "psscriptanalyzer",
-      status: isWin2 ? "FAIL" : "WARN",
-      message: isWin2 ? `pwsh not found -- ${files.length} .ps1 file(s) unchecked (install PowerShell)` : `pwsh not installed -- PSScriptAnalyzer skipped on non-Windows (runs in CI on windows-latest)`,
-      details: [`Files that would be checked: ${files.join(", ")}`],
-      durationMs: Date.now() - t0
-    };
+    return runFallback(files, t0, "pwsh unavailable");
+  }
+  const moduleCheck = spawnSync4(
+    "pwsh",
+    ["-NoProfile", "-NonInteractive", "-Command", "if (Get-Module -ListAvailable -Name PSScriptAnalyzer) { exit 0 } else { exit 3 }"],
+    { encoding: "utf8", cwd: ctx.repoRoot, timeout: 1e4 }
+  );
+  if (moduleCheck.status !== 0) {
+    return runFallback(files, t0, "PSScriptAnalyzer module unavailable");
   }
   const script = `
 $files = @(${files.map((f) => `'${f.replace(/'/g, "''")}'`).join(",")})
@@ -450,10 +569,9 @@ if ($found) { exit 1 } else { exit 0 }
     };
   }
   const lines = ((res.stdout || "") + (res.stderr || "")).split("\n").filter(Boolean);
-  const isWin = platform() === "win32";
   return {
     name: "psscriptanalyzer",
-    status: isWin ? "FAIL" : "WARN",
+    status: "FAIL",
     message: `PSScriptAnalyzer found issues in ${files.length} script(s)`,
     details: lines.slice(0, 20),
     durationMs
@@ -578,25 +696,47 @@ __export(audit_ci_exports, {
 });
 import { spawnSync as spawnSync7 } from "node:child_process";
 import { join as join4 } from "node:path";
+function parseAuditReport(output) {
+  const start = output.indexOf("{");
+  if (start === -1) return null;
+  try {
+    return JSON.parse(output.slice(start));
+  } catch {
+    return null;
+  }
+}
+function highCriticalCount(report) {
+  const vulns = report?.metadata?.vulnerabilities || {};
+  return Number(vulns.high || 0) + Number(vulns.critical || 0);
+}
+function vulnerableNames(report) {
+  const out = [];
+  for (const [name12, vuln] of Object.entries(report?.vulnerabilities || {})) {
+    const severity12 = String(vuln?.severity || "").toLowerCase();
+    if (severity12 === "high" || severity12 === "critical") out.push(`${name12}: ${severity12}`);
+  }
+  return out;
+}
 async function run7(ctx) {
   const t0 = Date.now();
-  const ver = ctx.versions["audit-ci"] || "latest";
-  const configPath = join4(ctx.repoRoot, ".audit-ci.jsonc");
   const packageDirs = ["installer", "mcp-server"];
   const runs = packageDirs.map((dir) => {
     const res = spawnSync7(
-      "npx",
-      ["--yes", `audit-ci@${ver}`, "--config", configPath],
+      "npm",
+      ["audit", "--audit-level=high", "--json"],
       {
         encoding: "utf8",
         cwd: join4(ctx.repoRoot, dir),
         timeout: 6e4
       }
     );
-    return { dir, status: res.status, output: (res.stdout || "") + (res.stderr || "") };
+    const output = (res.stdout || "") + (res.stderr || "");
+    const report = parseAuditReport(output);
+    const highCritical = highCriticalCount(report);
+    return { dir, status: res.status, output, report, highCritical };
   });
   const durationMs = Date.now() - t0;
-  const failed = runs.filter((r) => r.status !== 0);
+  const failed = runs.filter((r) => !r.report || r.highCritical > 0);
   if (failed.length === 0) {
     return {
       name: "audit-ci",
@@ -608,8 +748,13 @@ async function run7(ctx) {
   }
   const lines = [];
   for (const r of failed) {
-    lines.push(`${r.dir}: audit failed`);
-    lines.push(...r.output.split("\n").filter(Boolean).slice(0, 10));
+    if (!r.report) {
+      lines.push(`${r.dir}: audit report unavailable`);
+      lines.push(...r.output.split("\n").filter(Boolean).slice(0, 10));
+      continue;
+    }
+    lines.push(`${r.dir}: ${r.highCritical} high/critical advisory item(s)`);
+    lines.push(...vulnerableNames(r.report).slice(0, 10));
   }
   return {
     name: "audit-ci",
@@ -887,7 +1032,7 @@ __export(upgrade_smoke_exports, {
   severity: () => severity11
 });
 import { spawnSync as spawnSync11 } from "node:child_process";
-import { mkdtempSync as mkdtempSync3, rmSync as rmSync3, mkdirSync as mkdirSync2, writeFileSync as writeFileSync3, readFileSync, existsSync as existsSync2 } from "node:fs";
+import { mkdtempSync as mkdtempSync3, rmSync as rmSync3, mkdirSync as mkdirSync2, writeFileSync as writeFileSync3, readFileSync as readFileSync2, existsSync as existsSync2 } from "node:fs";
 import { join as join7, resolve as resolve2 } from "node:path";
 import { tmpdir as tmpdir3 } from "node:os";
 async function run11(ctx) {
@@ -974,7 +1119,7 @@ async function run11(ctx) {
     if (existsSync2(settingsPath)) {
       let settings;
       try {
-        settings = JSON.parse(readFileSync(settingsPath, "utf8"));
+        settings = JSON.parse(readFileSync2(settingsPath, "utf8"));
       } catch (e) {
         return {
           name: "upgrade-smoke",
@@ -997,7 +1142,7 @@ async function run11(ctx) {
     }
     const marketplaceSrc = join7(installerDir, "src", "marketplace.js");
     if (existsSync2(marketplaceSrc)) {
-      const src = readFileSync(marketplaceSrc, "utf8");
+      const src = readFileSync2(marketplaceSrc, "utf8");
       const registersCorrectKey = src.includes("'ijfw@ijfw'") || src.includes('"ijfw@ijfw"');
       const registersWrongKey = /enabledPlugins\[['"]ijfw-core@ijfw['"]\]\s*=\s*true/.test(src);
       if (!registersCorrectKey) {
@@ -1052,7 +1197,7 @@ var preflight_exports = {};
 __export(preflight_exports, {
   runPreflightCommand: () => runPreflightCommand
 });
-import { readFileSync as readFileSync2, existsSync as existsSync3 } from "node:fs";
+import { readFileSync as readFileSync3, existsSync as existsSync3 } from "node:fs";
 import { join as join8, dirname, resolve as resolve3 } from "node:path";
 import { fileURLToPath } from "node:url";
 function printHelp() {
@@ -1096,7 +1241,7 @@ function loadVersions(repoRoot2) {
   for (const f of candidates) {
     if (existsSync3(f)) {
       try {
-        return JSON.parse(readFileSync2(f, "utf8"));
+        return JSON.parse(readFileSync3(f, "utf8"));
       } catch {
       }
     }
@@ -2435,8 +2580,8 @@ Please report this to https://github.com/markedjs/marked.`, e) {
 // src/ijfw.js
 import { dirname as dirname2, join as join9, resolve as resolve4, basename } from "node:path";
 import { fileURLToPath as fileURLToPath2 } from "node:url";
-import { existsSync as existsSync4, mkdirSync as mkdirSync3, copyFileSync, readdirSync as readdirSync4, rmSync as rmSync4, readFileSync as readFileSync3, writeFileSync as writeFileSync4 } from "node:fs";
-import { homedir, platform as platform2 } from "node:os";
+import { existsSync as existsSync4, mkdirSync as mkdirSync3, copyFileSync, readdirSync as readdirSync4, rmSync as rmSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync4 } from "node:fs";
+import { homedir, platform } from "node:os";
 import { spawnSync as spawnSync12 } from "node:child_process";
 var __dirname2 = dirname2(fileURLToPath2(import.meta.url));
 function repoRoot() {
@@ -2447,6 +2592,62 @@ function repoRoot() {
   }
   return process.cwd();
 }
+function findInternalAsset(...rel) {
+  const root = repoRoot();
+  const ijfwHome = join9(homedir(), ".ijfw");
+  const candidates = [join9(root, ...rel), join9(ijfwHome, ...rel)];
+  return candidates.find((p) => existsSync4(p)) || null;
+}
+function readDashboardPort() {
+  const portFile = join9(homedir(), ".ijfw", "dashboard.port");
+  try {
+    const port = Number.parseInt(readFileSync4(portFile, "utf8").trim(), 10);
+    return Number.isFinite(port) ? port : 37891;
+  } catch {
+    return 37891;
+  }
+}
+function openBrowser(url) {
+  if (process.env.CI || process.env.NO_OPEN) return;
+  const r = platform() === "darwin" ? spawnSync12("open", [url], { stdio: "ignore" }) : platform() === "win32" ? spawnSync12("cmd", ["/c", "start", "", url], { stdio: "ignore", shell: false }) : spawnSync12("xdg-open", [url], { stdio: "ignore" });
+  return r.status ?? 0;
+}
+var ORCHESTRATOR_COMMANDS = /* @__PURE__ */ new Set([
+  "update",
+  "statusline",
+  "config",
+  "insight",
+  "blackboard",
+  "team",
+  "swarm",
+  "codex",
+  "recover",
+  "memory",
+  "cross",
+  "status",
+  "demo",
+  "import",
+  "receipt",
+  "--purge-receipts",
+  "workflow",
+  "handoff",
+  "compress",
+  "consolidate",
+  "cross-audit",
+  "cross-critique",
+  "cross-research",
+  "ijfw-audit",
+  "ijfw-execute",
+  "ijfw-help",
+  "ijfw-plan",
+  "ijfw-ship",
+  "ijfw-verify",
+  "memory-audit",
+  "memory-consent",
+  "memory-why",
+  "metrics",
+  "mode"
+]);
 function printHelp2() {
   console.log(`
 ijfw -- the AI efficiency layer
@@ -2460,7 +2661,13 @@ COMMANDS
   help        Open the full IJFW guide (terminal, or --browser for rendered)
   preflight   Run 11-gate quality pipeline before publishing
   dashboard   Start / stop / check the local observability dashboard
-  design      Manage the visual design companion
+  design      Manage live previews and durable design intelligence
+  blackboard  Coordinate project-local swarm state and artifact claims
+  codex       Check and sync Codex-native IJFW surfaces
+  team        Assemble project agents, charter, and workflow manifest
+  swarm       Plan, prepare, and track artifact-aware parallel work
+  recover     Show latest checkpoint and next recovery step
+  cross       Run Trident audit/research/critique, e.g. ijfw cross audit README.md
   doctor      Diagnose IJFW installation health
 
   --help, -h  Show this help
@@ -2498,7 +2705,7 @@ async function main() {
     if (delegateToCli(argv.slice(2))) return;
     try {
       const pkgPath = join9(__dirname2, "..", "package.json");
-      const pkg = JSON.parse(readFileSync3(pkgPath, "utf8"));
+      const pkg = JSON.parse(readFileSync4(pkgPath, "utf8"));
       console.log(`@ijfw/install@${pkg.version || "unknown"}`);
       if (verbose) {
         console.log("  (full --verbose details require a completed install: run ijfw install)");
@@ -2508,11 +2715,14 @@ async function main() {
     }
     process.exit(0);
   }
-  if (sub === "update" || sub === "statusline" || sub === "config" || sub === "insight") {
+  if (ORCHESTRATOR_COMMANDS.has(sub)) {
     if (delegateToCli(argv.slice(2))) return;
     console.error(`'ijfw ${sub}' requires a completed IJFW install. Run: ijfw install`);
     process.exit(1);
   }
+  if (sub === "doctor" && findCli()) {
+    if (delegateToCli(argv.slice(2))) return;
+  }
   switch (sub) {
     case "install": {
       const installBin = resolve4(__dirname2, "..", "dist", "install.js");
@@ -2533,19 +2743,13 @@ async function main() {
     }
     case "dashboard": {
       const dashSub = argv[3];
-      const root = repoRoot();
-      const ijfwHome = join9(homedir(), ".ijfw");
-      const findInTree = (...rel) => {
-        const candidates = [join9(root, ...rel), join9(ijfwHome, ...rel)];
-        return candidates.find((p) => existsSync4(p)) || null;
-      };
       if (dashSub === "start" || dashSub === "stop" || dashSub === "status") {
-        const dashBin = findInTree("mcp-server", "bin", "ijfw-dashboard");
+        const dashBin = findInternalAsset("mcp-server", "bin", "ijfw-dashboard");
         if (dashBin) {
           const r = spawnSync12("node", [dashBin, dashSub, ...argv.slice(4)], { stdio: "inherit" });
           process.exit(r.status ?? 0);
         } else {
-          const serverJs = findInTree("mcp-server", "src", "dashboard-server.js");
+          const serverJs = findInternalAsset("mcp-server", "src", "dashboard-server.js");
           if (dashSub === "start" && serverJs) {
             const { spawn } = await import("node:child_process");
             const child = spawn(process.execPath, [serverJs, "start", "--daemon"], {
@@ -2560,7 +2764,7 @@ async function main() {
           process.exit(1);
         }
       } else if (dashSub === "render" || !dashSub) {
-        const binJs = findInTree("scripts", "dashboard", "bin.js");
+        const binJs = findInternalAsset("scripts", "dashboard", "bin.js");
         if (binJs) {
           const r = spawnSync12("node", [binJs, ...argv.slice(dashSub ? 4 : 3)], { stdio: "inherit" });
           process.exit(r.status ?? 0);
@@ -2576,30 +2780,72 @@ async function main() {
     }
     case "design": {
       const designSub = argv[3];
+      const durableDesign = ["init", "plan", "audit", "critique", "polish", "normalize", "bolder", "quieter", "handoff"];
+      if (durableDesign.includes(designSub)) {
+        if (delegateToCli(argv.slice(2))) return;
+        console.error(`'ijfw design ${designSub}' requires a completed IJFW install. Run: ijfw install`);
+        process.exit(1);
+      }
       const contentDir = join9(homedir(), ".ijfw", "design-companion", "content");
       mkdirSync3(contentDir, { recursive: true });
-      if (designSub === "push") {
-        const filePath = argv[4];
-        if (!filePath) {
-          console.error("Usage: ijfw design push <file.html>");
+      if (designSub === "start" || designSub === "open") {
+        const dashBin = findInternalAsset("mcp-server", "bin", "ijfw-dashboard");
+        if (!dashBin) {
+          console.error("[ijfw] Design companion server not found. Run `ijfw-install` to deploy ~/.ijfw/, or run from the IJFW repo root.");
+          process.exit(1);
+        }
+        const noOpen = argv.slice(4).includes("--no-open");
+        const r = spawnSync12("node", [dashBin, "start", "--no-open"], { stdio: designSub === "start" ? "inherit" : "ignore" });
+        if ((r.status ?? 1) !== 0) process.exit(r.status ?? 1);
+        const url = `http://localhost:${readDashboardPort()}/design`;
+        if (!noOpen) openBrowser(url);
+        console.log(`Design companion running at ${url}`);
+      } else if (designSub === "status") {
+        const dashBin = findInternalAsset("mcp-server", "bin", "ijfw-dashboard");
+        if (!dashBin) {
+          console.error("[ijfw] Design companion server not found. Run `ijfw-install` to deploy ~/.ijfw/, or run from the IJFW repo root.");
           process.exit(1);
         }
-        const abs = resolve4(filePath);
-        if (!existsSync4(abs)) {
-          console.error(`File not found: ${abs}`);
+        const r = spawnSync12("node", [dashBin, "status"], { stdio: "inherit" });
+        if ((r.status ?? 1) === 0) console.log(`Design companion URL: http://localhost:${readDashboardPort()}/design`);
+        process.exit(r.status ?? 0);
+      } else if (designSub === "stop") {
+        const dashBin = findInternalAsset("mcp-server", "bin", "ijfw-dashboard");
+        if (!dashBin) {
+          console.error("[ijfw] Design companion server not found. Run `ijfw-install` to deploy ~/.ijfw/, or run from the IJFW repo root.");
           process.exit(1);
         }
-        const dest = join9(contentDir, basename(abs));
-        copyFileSync(abs, dest);
-        console.log(`Design pushed: ${dest}`);
+        const r = spawnSync12("node", [dashBin, "stop"], { stdio: "inherit" });
+        process.exit(r.status ?? 0);
+      } else if (designSub === "push") {
+        const filePaths = argv.slice(4);
+        if (filePaths.length === 0) {
+          console.error("Usage: ijfw design push <file.html> [more.html ...]");
+          process.exit(1);
+        }
+        for (const filePath of filePaths) {
+          const abs = resolve4(filePath);
+          if (!abs.toLowerCase().endsWith(".html")) {
+            console.error("Design companion accepts standalone .html files.");
+            process.exit(1);
+          }
+          if (!existsSync4(abs)) {
+            console.error(`File not found: ${abs}`);
+            process.exit(1);
+          }
+          const dest = join9(contentDir, basename(abs));
+          copyFileSync(abs, dest);
+          console.log(`Design pushed: ${dest}`);
+        }
+        console.log(`Preview: http://localhost:${readDashboardPort()}/design`);
       } else if (designSub === "clear") {
         const files = readdirSync4(contentDir);
         for (const f of files) rmSync4(join9(contentDir, f), { force: true });
         console.log("Design companion content cleared.");
       } else {
-        console.log("ijfw design -- Manage the visual design companion. Push HTML mockups for live preview.");
+        console.log("ijfw design -- Manage live preview and durable design intelligence.");
         console.log("");
-        console.log("Usage: ijfw design push <file.html> | ijfw design clear");
+        console.log("Usage: ijfw design start [--no-open] | open | status | stop | push <file.html> [more.html ...] | clear | init|plan|audit|critique|polish|normalize|bolder|quieter|handoff");
         process.exit(1);
       }
       break;
@@ -2626,7 +2872,7 @@ async function main() {
             copyFileSync(join9(assetsSrc, f), join9(outDir, "assets", f));
           }
         }
-        const md = readFileSync3(guidePath, "utf8").replace(/\(guide\/assets\//g, "(assets/");
+        const md = readFileSync4(guidePath, "utf8").replace(/\(guide\/assets\//g, "(assets/");
         const rendered = marked.parse(md, { gfm: true, breaks: false });
         const html = `<!doctype html>
 <html lang="en"><head>
@@ -2645,7 +2891,7 @@ async function main() {
 </head><body><div class="wrap markdown-body">${rendered}</div></body></html>`;
         const outHtml = join9(outDir, "index.html");
         writeFileSync4(outHtml, html);
-        const opener = platform2() === "darwin" ? "open" : platform2() === "win32" ? "start" : "xdg-open";
+        const opener = platform() === "darwin" ? "open" : platform() === "win32" ? "start" : "xdg-open";
         spawnSync12(opener, [outHtml], { stdio: "ignore", detached: true });
         console.log(`[ijfw] Guide opened in your browser.`);
         console.log(`       Local copy: ${outHtml}`);
@@ -2655,10 +2901,10 @@ async function main() {
       if (hasLess) {
         const lessRes = spawnSync12("less", ["-R", guidePath], { stdio: "inherit" });
         if (lessRes.status !== 0 && lessRes.status !== null) {
-          process.stdout.write(readFileSync3(guidePath, "utf8"));
+          process.stdout.write(readFileSync4(guidePath, "utf8"));
         }
       } else {
-        process.stdout.write(readFileSync3(guidePath, "utf8"));
+        process.stdout.write(readFileSync4(guidePath, "utf8"));
       }
       process.exit(0);
       break;

package/dist/install.js

@@ -385,7 +385,7 @@ function mergeYamlPluginsEnabled(dst, pluginName, ts) {
     if (inPluginsBlock) {
       if (/^\S/.test(line) && line.trim() !== "") {
         inPluginsBlock = false;
-      } else if (/^\s+enabled:\s*(\[\s*\])?\s*$/.test(line) || /^\s+enabled:\s*\[.*\]\s*$/.test(line)) {
+      } else if (isIndentedEnabledLine(line)) {
         enabledLineIdx = i;
       } else if (enabledLineIdx >= 0 && itemRe.test(line)) {
         alreadyListed = true;
@@ -423,6 +423,11 @@ function mergeYamlPluginsEnabled(dst, pluginName, ts) {
   outText += "# IJFW-PLUGINS-END\n";
   writeAtomic(dst, outText, { mode: 384 });
 }
+function isIndentedEnabledLine(line) {
+  if (!line || !/\s/.test(line[0])) return false;
+  const trimmed = line.trim();
+  return trimmed === "enabled:" || trimmed === "enabled: []" || trimmed.startsWith("enabled: [") && trimmed.endsWith("]");
+}
 function opencodeMerge(dst, serverJs, ts) {
   mkdirSync2(dirname3(dst), { recursive: true });
   if (ts) backup(dst, ts);
@@ -759,6 +764,12 @@ async function installCodex(ctx) {
   for (const sd of listSubdirs(repoSkills)) {
     copyDirIfAbsent(sd.path, join4(userSkills, sd.name));
   }
+  const userCommands = join4(ctx.home, ".codex", "commands");
+  ensureDir(userCommands);
+  const repoCommands = join4(ctx.repoRoot, "codex", "commands");
+  for (const f of listFiles(repoCommands, ".md")) {
+    copyIfAbsent(f.path, join4(userCommands, f.name));
+  }
   const cwd = ctx.cwd || process.cwd();
   if (existsSync4(join4(cwd, ".codex", "config.toml")) || existsSync4(join4(cwd, ".ijfw"))) {
     const projSkills = join4(cwd, ".codex", "skills");
@@ -766,8 +777,13 @@ async function installCodex(ctx) {
     for (const sd of listSubdirs(repoSkills)) {
       copyDirIfAbsent(sd.path, join4(projSkills, sd.name));
     }
+    const projCommands = join4(cwd, ".codex", "commands");
+    ensureDir(projCommands);
+    for (const f of listFiles(repoCommands, ".md")) {
+      copyIfAbsent(f.path, join4(projCommands, f.name));
+    }
   }
-  ctx.log.ok("Installed Codex bundle: MCP + hooks + 19 skills + context");
+  ctx.log.ok("Installed Codex bundle: MCP + hooks + 19 skills + 22 command aliases + context");
   return { status: "ok" };
 }
 async function installGemini(ctx) {

package/dist/uninstall.js

@@ -241,9 +241,11 @@ import os; os.replace(p + ".tmp", p)
     return true;
   }
   const stripped = raw.replace(
+    // eslint-disable-next-line security/detect-unsafe-regex -- raw is a small local YAML config file; pattern is line-anchored to the IJFW-owned block.
     /^  ijfw-memory:\n(?:    .*\n)*(?:# IJFW-MCP-END ijfw-memory\n)?/m,
     ""
   ).replace(
+    // eslint-disable-next-line security/detect-unsafe-regex -- raw is a small local YAML config file; pattern is bounded by exact IJFW sentinel markers.
     /# IJFW-MCP-BEGIN ijfw-memory\n(?:.*\n)*?# IJFW-MCP-END ijfw-memory\n/,
     ""
   );
@@ -263,6 +265,42 @@ function removeIjfwSkills(dir) {
   }
   return count;
 }
+var CODEX_COMMAND_FILES = [
+  "compress.md",
+  "consolidate.md",
+  "cross-audit.md",
+  "cross-critique.md",
+  "cross-research.md",
+  "doctor.md",
+  "handoff.md",
+  "ijfw-audit.md",
+  "ijfw-execute.md",
+  "ijfw-help.md",
+  "ijfw-plan.md",
+  "ijfw-ship.md",
+  "ijfw-verify.md",
+  "ijfw.md",
+  "memory-audit.md",
+  "memory-consent.md",
+  "memory-why.md",
+  "metrics.md",
+  "mode.md",
+  "status.md",
+  "team.md",
+  "workflow.md"
+];
+function removeCodexCommands(dir) {
+  if (!existsSync2(dir)) return 0;
+  let count = 0;
+  for (const name of CODEX_COMMAND_FILES) {
+    const path = join2(dir, name);
+    if (existsSync2(path)) {
+      rmSync(path, { force: true });
+      count++;
+    }
+  }
+  return count;
+}
 function cleanPlatforms() {
   const removed = [];
   if (removeTomlSection(join2(HOME, ".codex", "config.toml"))) {
@@ -273,6 +311,8 @@ function cleanPlatforms() {
   }
   const codexSkills = removeIjfwSkills(join2(HOME, ".codex", "skills"));
   if (codexSkills > 0) removed.push(`~/.codex/skills/ijfw-*  (removed ${codexSkills} skill dirs)`);
+  const codexCommands = removeCodexCommands(join2(HOME, ".codex", "commands"));
+  if (codexCommands > 0) removed.push(`~/.codex/commands  (removed ${codexCommands} IJFW command aliases)`);
   const codexMd = join2(HOME, ".codex", "IJFW.md");
   if (existsSync2(codexMd)) {
     rmSync(codexMd, { force: true });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ijfw/install",
-  "version": "1.3.1",
+  "version": "1.3.2",
   "description": "One-command installer for IJFW -- the AI efficiency layer. One install, every AI coding agent, zero config.",
   "type": "module",
   "bin": {