@jaguilar87/gaia-ops 5.0.0-beta.1 → 5.0.0-beta.4

package/.claude-plugin/marketplace.json

@@ -8,7 +8,7 @@
     {
       "name": "gaia-security",
       "description": "Keeps you in the loop only when it matters. Gaia Security analyzes every command and classifies it into risk tiers: read-only queries run freely, simulations and validations pass through, and state-changing operations (create, delete, apply, push) pause for your explicit approval before executing. Irreversible commands like dropping databases or deleting cloud infrastructure are permanently blocked.",
-      "version": "5.0.0-beta.1",
+      "version": "5.0.0-beta.4",
       "source": "./dist/gaia-security"
     }
   ]

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "gaia-ops",
-  "version": "5.0.0-beta.1",
+  "version": "5.0.0-beta.4",
   "description": "Security-first orchestrator with specialized agents, hooks, and governance for AI coding",
   "author": {
     "name": "jaguilar87"

package/bin/gaia-doctor.js

@@ -18,6 +18,7 @@ import fs from 'fs/promises';
 import { existsSync } from 'fs';
 import { exec } from 'child_process';
 import { promisify } from 'util';
+import { findPython } from './python-detect.js';
 import chalk from 'chalk';
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
@@ -200,8 +201,13 @@ async function checkProjectContext() {
 }
 
 async function checkPython() {
+  const pyCmd = findPython();
+  if (!pyCmd) {
+    return { name: 'Python', ok: false, detail: 'Not found', fix: 'Install Python 3.9+' };
+  }
+
   try {
-    const { stdout } = await execAsync('python3 --version');
+    const { stdout } = await execAsync(`${pyCmd} --version`);
     const version = stdout.trim();
     const match = version.match(/(\d+)\.(\d+)/);
 
@@ -341,12 +347,18 @@ async function autoFix() {
     if (existsSync(packagePath)) {
       const relPath = relative(claudeDir, packagePath);
       const names = ['agents', 'tools', 'hooks', 'commands', 'templates', 'config', 'speckit', 'skills'];
+      // Use junctions on Windows (no admin required), regular symlinks elsewhere
+      const linkType = process.platform === 'win32' ? 'junction' : 'dir';
 
       for (const name of names) {
         const link = join(claudeDir, name);
         if (!existsSync(link)) {
           try {
-            await fs.symlink(join(relPath, name), link);
+            // Junctions on Windows require absolute targets; symlinks on Unix use relative
+            const target = process.platform === 'win32'
+              ? join(packagePath, name)
+              : join(relPath, name);
+            await fs.symlink(target, link, linkType);
             console.log(chalk.green(`    Fixed: .claude/${name} symlink`));
             fixed++;
           } catch {

package/bin/gaia-review.js

@@ -18,6 +18,7 @@
 import { execSync } from 'child_process';
 import { existsSync } from 'fs';
 import { join } from 'path';
+import { findPython } from './python-detect.js';
 import chalk from 'chalk';
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
@@ -49,7 +50,8 @@ function callReviewEngine(action, opts = {}) {
     process.exit(1);
   }
 
-  let cmd = `python3 "${enginePath}" ${action}`;
+  const pyCmd = findPython() || 'python3';
+  let cmd = `${pyCmd} "${enginePath}" ${action}`;
   if (opts.updateId) cmd += ` --update-id "${opts.updateId}"`;
   if (opts.contextPath) cmd += ` --context-path "${opts.contextPath}"`;
   cmd += ' --json';

package/bin/gaia-scan

@@ -1,14 +1,44 @@
-#!/usr/bin/env bash
-# Shell wrapper for gaia-scan CLI.
-# Invokes the Python scanner with all forwarded arguments.
-# Used as the npm bin entry point for `npx gaia-scan` / `npx gaia scan`.
+#!/usr/bin/env node
 
-set -euo pipefail
+/**
+ * Cross-platform wrapper for gaia-scan CLI.
+ * Invokes the Python scanner with all forwarded arguments.
+ * Used as the npm bin entry point for `npx gaia-scan`.
+ *
+ * Replaces the previous bash wrapper so that it works on Windows
+ * (where /usr/bin/env bash does not exist).
+ */
 
-SCRIPT_DIR="$(cd "$(dirname "$(readlink -f "$0" 2>/dev/null || realpath "$0" 2>/dev/null || echo "$0")")" && pwd)"
-PLUGIN_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+import { execFileSync } from 'child_process';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+import { requirePython } from './python-detect.js';
 
-# Ensure PYTHONPATH includes the plugin root so `tools.scan` resolves
-export PYTHONPATH="${PLUGIN_ROOT}${PYTHONPATH:+:${PYTHONPATH}}"
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const pluginRoot = join(__dirname, '..');
+const scanScript = join(__dirname, 'gaia-scan.py');
 
-exec python3 "${SCRIPT_DIR}/gaia-scan.py" "$@"
+// Forward all CLI arguments after the script name
+const args = process.argv.slice(2);
+
+// Set PYTHONPATH so `tools.scan` resolves inside the package
+const sep = process.platform === 'win32' ? ';' : ':';
+const pythonPath = process.env.PYTHONPATH
+  ? `${pluginRoot}${sep}${process.env.PYTHONPATH}`
+  : pluginRoot;
+
+try {
+  const pyCmd = requirePython();
+  execFileSync(pyCmd, [scanScript, ...args], {
+    stdio: 'inherit',
+    env: { ...process.env, PYTHONPATH: pythonPath },
+  });
+} catch (error) {
+  if (error.message && error.message.includes('Python 3 not found')) {
+    console.error(error.message);
+    process.exit(1);
+  }
+  // execFileSync throws on non-zero exit; propagate the exit code
+  process.exit(error.status || 1);
+}

package/bin/gaia-skills-diagnose.js

@@ -18,6 +18,7 @@
 
 import fs from "fs";
 import path from "path";
+import { findPython } from "./python-detect.js";
 import { spawnSync } from "child_process";
 import { fileURLToPath } from "url";
 import chalk from "chalk";
@@ -728,7 +729,8 @@ function runTestProbe(ctx, findings, checks) {
     "Phase1SkillsInjection or load_skills",
   ];
 
-  const res = spawnSync("python3", args, {
+  const pyCmd = findPython() || "python3";
+  const res = spawnSync(pyCmd, args, {
     cwd: ctx.packageRoot,
     encoding: "utf-8",
   });
@@ -741,7 +743,7 @@ function runTestProbe(ctx, findings, checks) {
       code: "PYTEST_PROBE_EXEC_FAILED",
       title: "Unable to execute pytest probe",
       detail: res.error.message,
-      evidence: `python3 ${args.join(" ")}`,
+      evidence: `${pyCmd} ${args.join(" ")}`,
       remediation: "Install pytest and Python dependencies to run the probe.",
     });
     checks.push({ name: "test-probe", ok: false, detail: "execution failed" });

package/bin/gaia-update.js

@@ -37,6 +37,7 @@ import { exec } from 'child_process';
 import { promisify } from 'util';
 import chalk from 'chalk';
 import ora from 'ora';
+import { findPython } from './python-detect.js';
 
 const execAsync = promisify(exec);
 const __filename = fileURLToPath(import.meta.url);
@@ -44,6 +45,9 @@ const __dirname = dirname(__filename);
 const CWD = process.env.INIT_CWD || process.cwd();
 const VERBOSE = process.argv.includes('--verbose') || process.argv.includes('-v');
 
+// Use junctions on Windows (no admin required), regular symlinks elsewhere
+const LINK_TYPE = process.platform === 'win32' ? 'junction' : 'dir';
+
 // ============================================================================
 // Version Detection
 // ============================================================================
@@ -123,8 +127,9 @@ async function updateLocalPermissions() {
     let gaiaPerms;
     try {
       const setupPath = join(__dirname, '..', 'hooks', 'modules', 'core', 'plugin_setup.py');
+      const pythonCmd = findPython() || 'python3';
       const { stdout } = await execAsync(
-        `python3 -c "
+        `${pythonCmd} -c "
 import ast, json, re
 
 source = open('${setupPath.replace(/'/g, "\\'")}').read()
@@ -376,11 +381,14 @@ async function updateSymlinks() {
 
     for (const name of symlinks) {
       const link = join(claudeDir, name);
-      const target = join(relativePath, name);
+      // Junctions on Windows require absolute targets; symlinks on Unix use relative
+      const target = process.platform === 'win32'
+        ? join(packagePath, name)
+        : join(relativePath, name);
 
       if (!existsSync(link)) {
         try {
-          await fs.symlink(target, link);
+          await fs.symlink(target, link, LINK_TYPE);
           fixed++;
         } catch { /* skip */ }
       } else {
@@ -391,7 +399,7 @@ async function updateSymlinks() {
           // Broken symlink — remove and recreate
           try {
             await fs.unlink(link);
-            await fs.symlink(target, link);
+            await fs.symlink(target, link, LINK_TYPE);
             fixed++;
           } catch { /* skip */ }
         }
@@ -402,7 +410,12 @@ async function updateSymlinks() {
     const changelogLink = join(claudeDir, 'CHANGELOG.md');
     if (!existsSync(changelogLink)) {
       try {
-        await fs.symlink(join(relativePath, 'CHANGELOG.md'), changelogLink);
+        if (process.platform === 'win32') {
+          // Junctions only work for directories; copy the file on Windows
+          await fs.copyFile(join(packagePath, 'CHANGELOG.md'), changelogLink);
+        } else {
+          await fs.symlink(join(relativePath, 'CHANGELOG.md'), changelogLink);
+        }
         fixed++;
       } catch { /* skip */ }
     }
@@ -442,13 +455,16 @@ async function runVerification() {
     }
   }
 
-  // 2. Python available
-  try {
-    const { stdout } = await execAsync('python3 --version', { timeout: 5000 });
-    checks.push({ name: 'python3', ok: true, detail: stdout.trim() });
-  } catch {
-    checks.push({ name: 'python3', ok: false });
-    issues.push('Python 3 not found (required for hooks)');
+  // 2. Python available (try python3 first, fall back to python on Windows)
+  {
+    const pyCmd = findPython();
+    if (pyCmd) {
+      const { stdout } = await execAsync(`${pyCmd} --version`, { timeout: 5000 });
+      checks.push({ name: 'python3', ok: true, detail: stdout.trim() });
+    } else {
+      checks.push({ name: 'python3', ok: false });
+      issues.push('Python 3 not found (required for hooks)');
+    }
   }
 
   // 3. project-context.json exists and is valid
@@ -529,12 +545,12 @@ async function runFreshInstall() {
 
   console.log(chalk.cyan(`\n  gaia-ops ${chalk.green(current)} — fresh install\n`));
 
-  // 1. Check Python 3 is available
+  // 1. Check Python 3 is available (try python3, then python)
   const spinner = ora('Checking Python 3...').start();
-  try {
-    await execAsync('python3 --version', { timeout: 5000 });
-    spinner.succeed('Python 3 found');
-  } catch {
+  const pyCmd = findPython();
+  if (pyCmd) {
+    spinner.succeed(`Python 3 found (${pyCmd})`);
+  } else {
     spinner.warn('Python 3 not found — skipping project setup');
     console.log(chalk.gray('  Install Python 3.9+ and run: npx gaia-scan\n'));
     return;
@@ -544,7 +560,7 @@ async function runFreshInstall() {
   const scanSpinner = ora('Running gaia-scan...').start();
   try {
     const { stdout, stderr } = await execAsync(
-      `python3 "${scanScript}" --npm-postinstall --root "${CWD}"`,
+      `${pyCmd} "${scanScript}" --npm-postinstall --root "${CWD}"`,
       { timeout: 60000 }
     );
     scanSpinner.succeed('Project scanned and configured');

package/bin/pre-publish-validate.js

@@ -21,6 +21,7 @@ import path from 'path';
 import { execSync } from 'child_process';
 import chalk from 'chalk';
 import { fileURLToPath } from 'url';
+import { findPython } from './python-detect.js';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
@@ -371,15 +372,17 @@ class PrePublishValidator {
           'tools/context/context_provider.py'
         ];
 
+        const pyCmd = findPython();
+        if (!pyCmd) throw new Error('Python not available');
         pythonFiles.forEach(file => {
           const filePath = path.join(baseDir, file);
           if (fs.existsSync(filePath)) {
-            this.execute(`python3 -m py_compile "${filePath}"`, GAIA_OPS_ROOT, true);
+            this.execute(`${pyCmd} -m py_compile "${filePath}"`, GAIA_OPS_ROOT, true);
             this.log(`  ✓ ${file}`, 'success');
           }
         });
       } catch (error) {
-        this.log(`  ⚠️  Python validation skipped (python3 not available or syntax error)`, 'warning');
+        this.log(`  ⚠️  Python validation skipped (python3/python not available or syntax error)`, 'warning');
       }
 
       // Test 3: Check if bin scripts are executable

package/bin/python-detect.js

@@ -0,0 +1,60 @@
+/**
+ * Cross-platform Python 3 detection.
+ *
+ * On Linux/macOS the binary is typically `python3`.
+ * On Windows it is often just `python` (the Microsoft Store alias
+ * or the official installer both register `python`).
+ *
+ * This module tries each candidate in order and returns the first
+ * one that reports Python 3.x.  The result is cached for the
+ * lifetime of the process so repeated calls are free.
+ */
+
+import { execSync, execFileSync } from 'child_process';
+
+/** @type {string | null | undefined} */
+let _cached;
+
+/**
+ * Detect a working Python 3 command.
+ *
+ * @returns {string | null} The command name ('python3' or 'python'),
+ *   or null if no Python 3 was found.
+ */
+export function findPython() {
+  if (_cached !== undefined) return _cached;
+
+  for (const cmd of ['python3', 'python']) {
+    try {
+      const version = execFileSync(cmd, ['--version'], {
+        encoding: 'utf8',
+        stdio: ['pipe', 'pipe', 'pipe'],
+        timeout: 5000,
+      }).trim();
+      if (version.startsWith('Python 3.')) {
+        _cached = cmd;
+        return _cached;
+      }
+    } catch {
+      // Not found or not Python 3 -- try next candidate
+    }
+  }
+
+  _cached = null;
+  return null;
+}
+
+/**
+ * Return the Python command or throw with a helpful message.
+ *
+ * @returns {string}
+ */
+export function requirePython() {
+  const cmd = findPython();
+  if (!cmd) {
+    throw new Error(
+      'Python 3 not found. Install Python 3.9+ and ensure "python3" or "python" is on PATH.'
+    );
+  }
+  return cmd;
+}

package/dist/gaia-ops/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "gaia-ops",
-  "version": "5.0.0-beta.1",
+  "version": "5.0.0-beta.4",
   "description": "Full DevOps orchestration for Claude Code. Six specialized agents handle the complete development lifecycle \u2014 analysis, planning, execution, and deployment. Gaia-Ops scans your codebase to understand it and injects the right context into each sub-agent. Every command is classified by risk: read-only runs freely, state changes pause for your approval, and irreversible operations are permanently blocked.",
   "author": {
     "name": "jaguilar87"

package/dist/gaia-ops/hooks/modules/context/context_injector.py

@@ -10,7 +10,9 @@ Handles:
 import json
 import logging
 import os
+import shutil
 import subprocess
+import sys
 from datetime import datetime
 from pathlib import Path
 
@@ -22,6 +24,20 @@ from .contracts_loader import build_context_update_reminder
 logger = logging.getLogger(__name__)
 
 
+def _find_python() -> str:
+    """Return the Python 3 command name for this platform.
+
+    Tries ``python3`` first (Linux/macOS), then ``python`` (Windows).
+    Falls back to ``sys.executable`` (the current interpreter) as a
+    last resort -- this always works since hooks are already running
+    under Python.
+    """
+    for cmd in ("python3", "python"):
+        if shutil.which(cmd):
+            return cmd
+    return sys.executable
+
+
 def _prune_empty_values(data: dict) -> dict:
     """Drop keys with empty telemetry values while preserving False/0."""
     pruned = {}
@@ -288,7 +304,7 @@ def build_project_context(
         # Execute context_provider.py to get filtered context
         logger.info(f"Building context for {subagent_type}...")
         result = subprocess.run(
-            ["python3", str(context_provider), subagent_type, prompt],
+            [_find_python(), str(context_provider), subagent_type, prompt],
             capture_output=True,
             text=True,
             timeout=15,

package/dist/gaia-ops/hooks/modules/security/mutative_verbs.py

@@ -86,7 +86,11 @@ MUTATIVE_VERBS: FrozenSet[str] = frozenset({
     "update", "patch", "set", "modify", "edit", "configure",
     "replace", "overwrite", "write",
     # Deployment / packaging
-    "deploy", "install", "upgrade", "downgrade", "publish", "release", "promote",
+    # NOTE: "release" removed -- it is a CLI subcommand group noun in `gh release`,
+    # `glab release`, etc. The actual mutative actions (create, delete, edit, upload)
+    # are already in MUTATIVE_VERBS. Keeping "release" here causes false positives on
+    # `gh release view` and any command with "release" as an argument string.
+    "deploy", "install", "upgrade", "downgrade", "publish", "promote",
     # Scaling
     "scale", "resize", "autoscale",
     # Lifecycle

package/dist/gaia-ops/skills/skill-creation/SKILL.md

@@ -60,6 +60,8 @@ The test: for each rule or step you write, ask — if the agent saw enough real
 
 This is why the investigation skill doesn't say "INVESTIGATE FIRST. ALWAYS. NO EXCEPTIONS." It says: *"Every codebase is a record of accumulated decisions... The first 2-3 files you read define whether your solution fits or fights the project."* The agent understands the stakes. The behavior follows.
 
+Every line in a skill competes for weight in the LLM's reasoning. A rule without context carries almost no weight — the model has no reason to prioritize it over competing signals. An explanation with consequences carries enough weight to influence decisions even under pressure. This is why conciseness matters: a verbose skill dilutes its own weight. Every line should earn its place by adding reasoning the model can use.
+
 ### Tone by type
 
 **Discipline** works best when the Iron Law is blunt and a reasoned paragraph follows explaining what breaks when you violate it. Command-execution's mental model ("When you reach for a pipe, you have not looked for the flag yet") does more work than a dozen capitalized warnings because it reframes the decision point itself.

package/dist/gaia-ops/tools/scan/scanners/environment.py

@@ -35,6 +35,12 @@ _RUNTIME_DEFINITIONS: List[Tuple[str, str]] = [
     ("java", "--version"),
 ]
 
+# On Windows, python3 may not exist -- fall back to "python" if it reports 3.x.
+# Maps (fallback_binary, version_flag) -> canonical_name
+_RUNTIME_FALLBACKS: Dict[str, List[Tuple[str, str]]] = {
+    "python3": [("python", "--version")],
+}
+
 # Env file names to check for (presence ONLY -- never read contents)
 _ENV_FILE_NAMES: List[str] = [
     ".env",
@@ -182,14 +188,32 @@ class EnvironmentScanner(BaseScanner):
         """Detect installed language runtimes via --version commands.
 
         Uses shutil.which() to find binaries, then subprocess with 2s timeout
-        to get version strings.
+        to get version strings.  For runtimes with fallbacks (e.g. python3 ->
+        python on Windows), the fallback is tried when the primary is missing
+        and the result is reported under the canonical name.
         """
         runtimes: List[Dict[str, str]] = []
+        detected_canonical: set = set()
 
         for binary_name, version_flag in _RUNTIME_DEFINITIONS:
             try:
                 binary_path = shutil.which(binary_name)
                 if binary_path is None:
+                    # Try fallbacks (e.g. python -> python3 on Windows)
+                    fallbacks = _RUNTIME_FALLBACKS.get(binary_name, [])
+                    for fb_binary, fb_flag in fallbacks:
+                        fb_path = shutil.which(fb_binary)
+                        if fb_path is None:
+                            continue
+                        version = self._get_version(fb_binary, fb_flag, warnings)
+                        if version is not None and version.startswith("3."):
+                            runtimes.append({
+                                "name": binary_name,  # canonical name
+                                "version": version,
+                                "path": fb_path,
+                            })
+                            detected_canonical.add(binary_name)
+                            break
                     continue
 
                 version = self._get_version(binary_name, version_flag, warnings)
@@ -199,6 +223,7 @@ class EnvironmentScanner(BaseScanner):
                         "version": version,
                         "path": binary_path,
                     })
+                    detected_canonical.add(binary_name)
 
             except Exception as exc:
                 warnings.append(f"Runtime detection failed for {binary_name}: {exc}")

package/dist/gaia-ops/tools/scan/setup.py

@@ -19,6 +19,7 @@ Functions:
 import json
 import logging
 import os
+import platform
 import shutil
 import subprocess
 from datetime import datetime, timezone
@@ -27,6 +28,23 @@ from typing import Any, Dict, List, Optional
 
 logger = logging.getLogger(__name__)
 
+# Windows detection: junctions don't require admin privileges
+_IS_WINDOWS = platform.system() == "Windows"
+
+
+def _create_dir_link(target: str, link: str) -> None:
+    """Create a directory link: junction on Windows, symlink on Unix.
+
+    Windows junctions don't require admin/developer-mode privileges,
+    unlike directory symlinks.  The target must be an absolute path
+    on Windows (junctions don't support relative targets).
+    """
+    if _IS_WINDOWS:
+        import _winapi  # stdlib on Windows, unavailable elsewhere
+        _winapi.CreateJunction(target, link)
+    else:
+        os.symlink(target, link)
+
 
 def _find_package_root() -> Path:
     """Find the gaia-ops plugin root directory.
@@ -191,23 +209,31 @@ def create_claude_directory(project_root: Path) -> List[str]:
 
     for name in symlink_names:
         link_path = claude_dir / name
-        target = os.path.join(rel_path, name)
+        # Junctions on Windows require absolute targets; symlinks on Unix use relative
+        if _IS_WINDOWS:
+            target = str(package_path / name)
+        else:
+            target = os.path.join(rel_path, name)
 
         if link_path.exists() or link_path.is_symlink():
             link_path.unlink()
 
         try:
-            os.symlink(target, str(link_path))
+            _create_dir_link(target, str(link_path))
             created.append(name)
         except OSError as exc:
             logger.warning("Failed to create symlink %s: %s", name, exc)
 
-    # CHANGELOG.md symlink
+    # CHANGELOG.md symlink (file, not directory — junctions only work for dirs)
     changelog_link = claude_dir / "CHANGELOG.md"
     if changelog_link.exists() or changelog_link.is_symlink():
         changelog_link.unlink()
     try:
-        os.symlink(os.path.join(rel_path, "CHANGELOG.md"), str(changelog_link))
+        if _IS_WINDOWS:
+            # File symlinks need admin on Windows; copy instead
+            shutil.copy2(str(package_path / "CHANGELOG.md"), str(changelog_link))
+        else:
+            os.symlink(os.path.join(rel_path, "CHANGELOG.md"), str(changelog_link))
         created.append("CHANGELOG.md")
     except OSError as exc:
         logger.warning("Failed to create CHANGELOG.md symlink: %s", exc)

package/dist/gaia-ops/tools/scan/verify.py

@@ -159,23 +159,27 @@ def check_project_context(project_root: Path) -> CheckResult:
 
 
 def check_python() -> CheckResult:
-    """Verify that python3 is available.
+    """Verify that python3 (or python on Windows) is available.
+
+    Tries ``python3`` first, then ``python`` for Windows compatibility.
 
     Returns:
         CheckResult with Python version.
     """
-    try:
-        result = subprocess.run(
-            ["python3", "--version"],
-            capture_output=True,
-            text=True,
-            timeout=5,
-        )
-        if result.returncode == 0:
-            version = result.stdout.strip()
-            return CheckResult(name="Python", ok=True, detail=version)
-    except (subprocess.TimeoutExpired, FileNotFoundError, OSError):
-        pass
+    for cmd in ("python3", "python"):
+        try:
+            result = subprocess.run(
+                [cmd, "--version"],
+                capture_output=True,
+                text=True,
+                timeout=5,
+            )
+            if result.returncode == 0:
+                version = result.stdout.strip()
+                if version.startswith("Python 3."):
+                    return CheckResult(name="Python", ok=True, detail=version)
+        except (subprocess.TimeoutExpired, FileNotFoundError, OSError):
+            pass
 
     return CheckResult(
         name="Python",

package/dist/gaia-security/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "gaia-security",
-  "version": "5.0.0-beta.1",
+  "version": "5.0.0-beta.4",
   "description": "Keeps you in the loop only when it matters. Gaia Security analyzes every command and classifies it into risk tiers: read-only queries run freely, simulations and validations pass through, and state-changing operations (create, delete, apply, push) pause for your explicit approval before executing. Irreversible commands like dropping databases or deleting cloud infrastructure are permanently blocked.",
   "author": {
     "name": "jaguilar87"

package/dist/gaia-security/hooks/modules/context/context_injector.py

@@ -10,7 +10,9 @@ Handles:
 import json
 import logging
 import os
+import shutil
 import subprocess
+import sys
 from datetime import datetime
 from pathlib import Path
 
@@ -22,6 +24,20 @@ from .contracts_loader import build_context_update_reminder
 logger = logging.getLogger(__name__)
 
 
+def _find_python() -> str:
+    """Return the Python 3 command name for this platform.
+
+    Tries ``python3`` first (Linux/macOS), then ``python`` (Windows).
+    Falls back to ``sys.executable`` (the current interpreter) as a
+    last resort -- this always works since hooks are already running
+    under Python.
+    """
+    for cmd in ("python3", "python"):
+        if shutil.which(cmd):
+            return cmd
+    return sys.executable
+
+
 def _prune_empty_values(data: dict) -> dict:
     """Drop keys with empty telemetry values while preserving False/0."""
     pruned = {}
@@ -288,7 +304,7 @@ def build_project_context(
         # Execute context_provider.py to get filtered context
         logger.info(f"Building context for {subagent_type}...")
         result = subprocess.run(
-            ["python3", str(context_provider), subagent_type, prompt],
+            [_find_python(), str(context_provider), subagent_type, prompt],
             capture_output=True,
             text=True,
             timeout=15,

package/dist/gaia-security/hooks/modules/security/mutative_verbs.py

@@ -86,7 +86,11 @@ MUTATIVE_VERBS: FrozenSet[str] = frozenset({
     "update", "patch", "set", "modify", "edit", "configure",
     "replace", "overwrite", "write",
     # Deployment / packaging
-    "deploy", "install", "upgrade", "downgrade", "publish", "release", "promote",
+    # NOTE: "release" removed -- it is a CLI subcommand group noun in `gh release`,
+    # `glab release`, etc. The actual mutative actions (create, delete, edit, upload)
+    # are already in MUTATIVE_VERBS. Keeping "release" here causes false positives on
+    # `gh release view` and any command with "release" as an argument string.
+    "deploy", "install", "upgrade", "downgrade", "publish", "promote",
     # Scaling
     "scale", "resize", "autoscale",
     # Lifecycle

package/hooks/modules/context/context_injector.py

@@ -10,7 +10,9 @@ Handles:
 import json
 import logging
 import os
+import shutil
 import subprocess
+import sys
 from datetime import datetime
 from pathlib import Path
 
@@ -22,6 +24,20 @@ from .contracts_loader import build_context_update_reminder
 logger = logging.getLogger(__name__)
 
 
+def _find_python() -> str:
+    """Return the Python 3 command name for this platform.
+
+    Tries ``python3`` first (Linux/macOS), then ``python`` (Windows).
+    Falls back to ``sys.executable`` (the current interpreter) as a
+    last resort -- this always works since hooks are already running
+    under Python.
+    """
+    for cmd in ("python3", "python"):
+        if shutil.which(cmd):
+            return cmd
+    return sys.executable
+
+
 def _prune_empty_values(data: dict) -> dict:
     """Drop keys with empty telemetry values while preserving False/0."""
     pruned = {}
@@ -288,7 +304,7 @@ def build_project_context(
         # Execute context_provider.py to get filtered context
         logger.info(f"Building context for {subagent_type}...")
         result = subprocess.run(
-            ["python3", str(context_provider), subagent_type, prompt],
+            [_find_python(), str(context_provider), subagent_type, prompt],
             capture_output=True,
             text=True,
             timeout=15,

package/hooks/modules/security/mutative_verbs.py

@@ -86,7 +86,11 @@ MUTATIVE_VERBS: FrozenSet[str] = frozenset({
     "update", "patch", "set", "modify", "edit", "configure",
     "replace", "overwrite", "write",
     # Deployment / packaging
-    "deploy", "install", "upgrade", "downgrade", "publish", "release", "promote",
+    # NOTE: "release" removed -- it is a CLI subcommand group noun in `gh release`,
+    # `glab release`, etc. The actual mutative actions (create, delete, edit, upload)
+    # are already in MUTATIVE_VERBS. Keeping "release" here causes false positives on
+    # `gh release view` and any command with "release" as an argument string.
+    "deploy", "install", "upgrade", "downgrade", "publish", "promote",
     # Scaling
     "scale", "resize", "autoscale",
     # Lifecycle

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jaguilar87/gaia-ops",
-  "version": "5.0.0-beta.1",
+  "version": "5.0.0-beta.4",
   "description": "Multi-agent orchestration system for Claude Code - DevOps automation toolkit",
   "main": "index.js",
   "type": "module",

package/skills/skill-creation/SKILL.md

@@ -60,6 +60,8 @@ The test: for each rule or step you write, ask — if the agent saw enough real
 
 This is why the investigation skill doesn't say "INVESTIGATE FIRST. ALWAYS. NO EXCEPTIONS." It says: *"Every codebase is a record of accumulated decisions... The first 2-3 files you read define whether your solution fits or fights the project."* The agent understands the stakes. The behavior follows.
 
+Every line in a skill competes for weight in the LLM's reasoning. A rule without context carries almost no weight — the model has no reason to prioritize it over competing signals. An explanation with consequences carries enough weight to influence decisions even under pressure. This is why conciseness matters: a verbose skill dilutes its own weight. Every line should earn its place by adding reasoning the model can use.
+
 ### Tone by type
 
 **Discipline** works best when the Iron Law is blunt and a reasoned paragraph follows explaining what breaks when you violate it. Command-execution's mental model ("When you reach for a pipe, you have not looked for the flag yet") does more work than a dozen capitalized warnings because it reframes the decision point itself.

package/tools/scan/scanners/environment.py

@@ -35,6 +35,12 @@ _RUNTIME_DEFINITIONS: List[Tuple[str, str]] = [
     ("java", "--version"),
 ]
 
+# On Windows, python3 may not exist -- fall back to "python" if it reports 3.x.
+# Maps (fallback_binary, version_flag) -> canonical_name
+_RUNTIME_FALLBACKS: Dict[str, List[Tuple[str, str]]] = {
+    "python3": [("python", "--version")],
+}
+
 # Env file names to check for (presence ONLY -- never read contents)
 _ENV_FILE_NAMES: List[str] = [
     ".env",
@@ -182,14 +188,32 @@ class EnvironmentScanner(BaseScanner):
         """Detect installed language runtimes via --version commands.
 
         Uses shutil.which() to find binaries, then subprocess with 2s timeout
-        to get version strings.
+        to get version strings.  For runtimes with fallbacks (e.g. python3 ->
+        python on Windows), the fallback is tried when the primary is missing
+        and the result is reported under the canonical name.
         """
         runtimes: List[Dict[str, str]] = []
+        detected_canonical: set = set()
 
         for binary_name, version_flag in _RUNTIME_DEFINITIONS:
             try:
                 binary_path = shutil.which(binary_name)
                 if binary_path is None:
+                    # Try fallbacks (e.g. python -> python3 on Windows)
+                    fallbacks = _RUNTIME_FALLBACKS.get(binary_name, [])
+                    for fb_binary, fb_flag in fallbacks:
+                        fb_path = shutil.which(fb_binary)
+                        if fb_path is None:
+                            continue
+                        version = self._get_version(fb_binary, fb_flag, warnings)
+                        if version is not None and version.startswith("3."):
+                            runtimes.append({
+                                "name": binary_name,  # canonical name
+                                "version": version,
+                                "path": fb_path,
+                            })
+                            detected_canonical.add(binary_name)
+                            break
                     continue
 
                 version = self._get_version(binary_name, version_flag, warnings)
@@ -199,6 +223,7 @@ class EnvironmentScanner(BaseScanner):
                         "version": version,
                         "path": binary_path,
                     })
+                    detected_canonical.add(binary_name)
 
             except Exception as exc:
                 warnings.append(f"Runtime detection failed for {binary_name}: {exc}")

package/tools/scan/setup.py

@@ -19,6 +19,7 @@ Functions:
 import json
 import logging
 import os
+import platform
 import shutil
 import subprocess
 from datetime import datetime, timezone
@@ -27,6 +28,23 @@ from typing import Any, Dict, List, Optional
 
 logger = logging.getLogger(__name__)
 
+# Windows detection: junctions don't require admin privileges
+_IS_WINDOWS = platform.system() == "Windows"
+
+
+def _create_dir_link(target: str, link: str) -> None:
+    """Create a directory link: junction on Windows, symlink on Unix.
+
+    Windows junctions don't require admin/developer-mode privileges,
+    unlike directory symlinks.  The target must be an absolute path
+    on Windows (junctions don't support relative targets).
+    """
+    if _IS_WINDOWS:
+        import _winapi  # stdlib on Windows, unavailable elsewhere
+        _winapi.CreateJunction(target, link)
+    else:
+        os.symlink(target, link)
+
 
 def _find_package_root() -> Path:
     """Find the gaia-ops plugin root directory.
@@ -191,23 +209,31 @@ def create_claude_directory(project_root: Path) -> List[str]:
 
     for name in symlink_names:
         link_path = claude_dir / name
-        target = os.path.join(rel_path, name)
+        # Junctions on Windows require absolute targets; symlinks on Unix use relative
+        if _IS_WINDOWS:
+            target = str(package_path / name)
+        else:
+            target = os.path.join(rel_path, name)
 
         if link_path.exists() or link_path.is_symlink():
             link_path.unlink()
 
         try:
-            os.symlink(target, str(link_path))
+            _create_dir_link(target, str(link_path))
             created.append(name)
         except OSError as exc:
             logger.warning("Failed to create symlink %s: %s", name, exc)
 
-    # CHANGELOG.md symlink
+    # CHANGELOG.md symlink (file, not directory — junctions only work for dirs)
     changelog_link = claude_dir / "CHANGELOG.md"
     if changelog_link.exists() or changelog_link.is_symlink():
         changelog_link.unlink()
     try:
-        os.symlink(os.path.join(rel_path, "CHANGELOG.md"), str(changelog_link))
+        if _IS_WINDOWS:
+            # File symlinks need admin on Windows; copy instead
+            shutil.copy2(str(package_path / "CHANGELOG.md"), str(changelog_link))
+        else:
+            os.symlink(os.path.join(rel_path, "CHANGELOG.md"), str(changelog_link))
         created.append("CHANGELOG.md")
     except OSError as exc:
         logger.warning("Failed to create CHANGELOG.md symlink: %s", exc)

package/tools/scan/verify.py

@@ -159,23 +159,27 @@ def check_project_context(project_root: Path) -> CheckResult:
 
 
 def check_python() -> CheckResult:
-    """Verify that python3 is available.
+    """Verify that python3 (or python on Windows) is available.
+
+    Tries ``python3`` first, then ``python`` for Windows compatibility.
 
     Returns:
         CheckResult with Python version.
     """
-    try:
-        result = subprocess.run(
-            ["python3", "--version"],
-            capture_output=True,
-            text=True,
-            timeout=5,
-        )
-        if result.returncode == 0:
-            version = result.stdout.strip()
-            return CheckResult(name="Python", ok=True, detail=version)
-    except (subprocess.TimeoutExpired, FileNotFoundError, OSError):
-        pass
+    for cmd in ("python3", "python"):
+        try:
+            result = subprocess.run(
+                [cmd, "--version"],
+                capture_output=True,
+                text=True,
+                timeout=5,
+            )
+            if result.returncode == 0:
+                version = result.stdout.strip()
+                if version.startswith("Python 3."):
+                    return CheckResult(name="Python", ok=True, detail=version)
+        except (subprocess.TimeoutExpired, FileNotFoundError, OSError):
+            pass
 
     return CheckResult(
         name="Python",