@khanhcan148/mk 0.1.33 → 0.1.34

package/README.md

@@ -6,7 +6,7 @@
 
 Modular packages that extend Claude Code with specialized knowledge, workflows, and tool integrations.
 
-**Quick Navigation:** [Quick Reference](docs/quick-reference.md) | [Common Workflows](docs/common-workflows.md) | [Skill Index](docs/skill-index.md)
+**Quick Navigation:** [Usage Guides](docs/guides/index.md) | [Quick Reference](docs/quick-reference.md) | [Common Workflows](docs/common-workflows.md) | [Skill Index](docs/skill-index.md)
 
 
 ## Quick Start
@@ -93,8 +93,8 @@ cp -r .claude ~/.claude/
 
 ```
 ├── .claude/
-│   ├── agents/      # 36 agents (5 primary + 31 utility: implementers, quality, docs, specialized, concerns, brainstorm critics)
-│   ├── skills/      # 62 skill packages (SKILL.md + scripts/references/assets)
+│   ├── agents/      # 38 agents (5 primary + 33 utility: implementers, quality, docs, specialized, concerns, brainstorm critics)
+│   ├── skills/      # 61 skill packages (SKILL.md + scripts/references/assets)
 │   │   ├── mk-*/    # 20 workflow commands (/mk-audit, /mk-brainstorm, /mk-log-analysis, /mk-overview, /mk-wiki, etc.)
 │   │   └── ...      # Domain skills (frontend, backend, testing, browser automation, etc.)
 │   └── workflows/   # Development protocols
@@ -231,6 +231,7 @@ python .claude/skills/skill-creator/scripts/package_skill.py <path/to/skill-fold
 
 | Document | Description |
 |----------|-------------|
+| [mk-* Usage Guides](docs/guides/index.md) | Human how-to guides for all 20 /mk-* commands: when to use, flags, phase flow, pitfalls |
 | [Skill Index](docs/skill-index.md) | Categorized list of all skills and workflows |
 | [mk-* Workflows & Agents](docs/mk-workflow-agents.md) | How each /mk-* command works and which agents it uses |
 | [`mk codex` Command Guide](docs/codex/COMMAND.md) | Convert .claude/ to .codex/ for OpenAI Codex CLI; auto-sync on mk update |

package/bin/mk.js

@@ -65,6 +65,7 @@ program.command('env [name]')
   .description('List or describe MK_* environment variables')
   .option('--format <fmt>', 'Output format: text (default) or json')
   .option('--markdown', 'Emit the full env-vars table as markdown (same as .claude/env-vars.md)')
+  .option('--all', 'Include internal/testing variables (hidden by default)')
   .action((name, options) => envAction(name, options));
 
 program.parse();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@khanhcan148/mk",
-  "version": "0.1.33",
+  "version": "0.1.34",
   "description": "CLI to install and manage MyClaudeKit (.claude/) in your projects",
   "type": "module",
   "bin": {

package/scripts/gen-env-docs.js

@@ -59,8 +59,14 @@ export function renderMarkdown(entries) {
     return a.name < b.name ? -1 : a.name > b.name ? 1 : 0;
   });
 
+  // User-facing vars are grouped by scope; internal/testing vars (hook *_TEST
+  // bypasses, *_MAX_STDIN_BYTES caps) are collected into a single trailing
+  // section so the everyday reference stays uncluttered.
+  const userFacing = sorted.filter((e) => !e.internal);
+  const internal = sorted.filter((e) => e.internal);
+
   const groups = new Map();
-  for (const entry of sorted) {
+  for (const entry of userFacing) {
     if (!groups.has(entry.scope)) groups.set(entry.scope, []);
     groups.get(entry.scope).push(entry);
   }
@@ -78,24 +84,37 @@ export function renderMarkdown(entries) {
   );
   lines.push('');
 
-  for (const [scope, scopeEntries] of groups) {
-    lines.push(`## ${scopeLabel(scope)}`);
-    lines.push('');
+  const renderTable = (rows) => {
     lines.push('| Name | Type | Default | Description |');
     lines.push('|------|------|---------|-------------|');
-
-    for (const entry of scopeEntries) {
+    for (const entry of rows) {
       const def = entry.default !== undefined ? `\`${entry.default}\`` : '—';
       const desc = entry.description.replace(/\|/g, '\\|');
       lines.push(`| \`${entry.name}\` | ${entry.type} | ${def} | ${desc} |`);
     }
+    lines.push('');
+  };
 
+  for (const [scope, scopeEntries] of groups) {
+    lines.push(`## ${scopeLabel(scope)}`);
+    lines.push('');
+    renderTable(scopeEntries);
+  }
+
+  if (internal.length > 0) {
+    lines.push('## Internal / testing');
+    lines.push('');
+    lines.push(
+      '> These are plumbing knobs a normal user never sets (hook test bypasses and ' +
+      'defensive stdin caps). `mk env` hides them by default — use `mk env --all`.'
+    );
     lines.push('');
+    renderTable(internal);
   }
 
   lines.push('---');
   lines.push('');
-  lines.push(`_${entries.length} variables documented. Run \`mk env\` for live values._`);
+  lines.push(`_${entries.length} variables documented (${internal.length} internal). Run \`mk env\` for live values._`);
   lines.push('');
 
   return lines.join('\n');

package/src/commands/env.js

@@ -60,16 +60,21 @@ function padRight(str, width) {
 // List mode — grouped by scope
 // ---------------------------------------------------------------------------
 
-function listMode(format) {
+function listMode(format, showInternal = false) {
+  // By default hide internal/testing vars (hook *_TEST bypasses, *_MAX_STDIN_BYTES
+  // caps) — they are plumbing a user never sets. `--all` shows them.
+  const visible = showInternal ? [...ENTRIES] : ENTRIES.filter((e) => !e.internal);
+  const hiddenCount = ENTRIES.length - visible.length;
+
   // Group entries by scope, preserving insertion order of first occurrence
   const groups = new Map();
-  for (const entry of ENTRIES) {
+  for (const entry of visible) {
     if (!groups.has(entry.scope)) groups.set(entry.scope, []);
     groups.get(entry.scope).push(entry);
   }
 
   if (format === 'json') {
-    const enriched = ENTRIES.map((e) => ({ ...e, current: currentValue(e) }));
+    const enriched = visible.map((e) => ({ ...e, current: currentValue(e) }));
     process.stdout.write(JSON.stringify({ entries: enriched }, null, 2) + '\n');
     return;
   }
@@ -99,7 +104,10 @@ function listMode(format) {
 
   const scopeCount = sortedScopes.length;
   process.stdout.write(`Run \`mk env <NAME>\` for full details on a single variable.\n`);
-  process.stdout.write(`${ENTRIES.length} variables across ${scopeCount} scope${scopeCount === 1 ? '' : 's'}.\n`);
+  process.stdout.write(`${visible.length} variables across ${scopeCount} scope${scopeCount === 1 ? '' : 's'}.\n`);
+  if (hiddenCount > 0) {
+    process.stdout.write(`${hiddenCount} internal/testing variable${hiddenCount === 1 ? '' : 's'} hidden — run \`mk env --all\` to show.\n`);
+  }
 }
 
 // ---------------------------------------------------------------------------
@@ -128,6 +136,9 @@ function detailMode(name) {
   if (entry.since) {
     process.stdout.write(`  Since:       ${entry.since}\n`);
   }
+  if (entry.internal) {
+    process.stdout.write(`  Internal:    yes (testing/tuning plumbing — not a user setting)\n`);
+  }
   process.stdout.write(`\n  ${entry.description}\n`);
 }
 
@@ -173,6 +184,6 @@ export function envAction(name, options = {}) {
       detailMode(name);
     }
   } else {
-    listMode(format);
+    listMode(format, options.all === true);
   }
 }

package/src/commands/update.js

@@ -80,9 +80,18 @@ export function redactSecrets(message, ctx = {}) {
     out = out.split(ctx.storedToken).join('[REDACTED-TOKEN]');
   }
 
-  // S3: Redact any GitHub token-shaped substring (belt-and-braces)
+  // S3b: Redact any GitHub token-shaped substring (belt-and-braces)
   out = out.replace(/gh[pousr]_[A-Za-z0-9_]{30,}/g, '[REDACTED-TOKEN]');
 
+  // S5: Redact SQL Server / MSSQL Password= and ODBC Pwd= alias in connection strings
+  out = out.replace(/((?:Password|Pwd)\s*=\s*)([^;]+?)(\s*;|\s*$)/gi, '$1[REDACTED-PASSWORD]$3');
+
+  // S6: Redact PostgreSQL DSN user:pass@ credentials
+  out = out.replace(/(postgres(?:ql)?:\/\/)([^:@/]+):([^@/]+)@/gi, '$1[REDACTED-USER]:[REDACTED-PASSWORD]@');
+
+  // S7: Redact Azure Storage / CosmosDB AccountKey= in connection strings
+  out = out.replace(/(AccountKey\s*=\s*)([^;]+?)(\s*;|\s*$)/gi, '$1[REDACTED-KEY]$3');
+
   return out;
 }
 

package/src/lib/env-registry.js

@@ -14,6 +14,12 @@
  * If a var is secret-like (e.g. MK_*_TOKEN, MK_*_KEY, MK_*_SECRET) it should carry
  * { secret: true } and `mk env` will redact its current value. None of the current
  * vars are secret.
+ *
+ * { internal: true } marks a var as test-only or defensive-tuning plumbing that a
+ * normal user never sets (e.g. hook *_TEST bypasses, *_MAX_STDIN_BYTES caps). These
+ * stay in the registry so drift detection has a complete catalog, but `mk env` hides
+ * them by default (show with `mk env --all`) and the generated doc lists them in a
+ * separate "Internal / testing" section. They remain addressable via `mk env <NAME>`.
  */
 
 const _RAW = [
@@ -28,8 +34,96 @@ const _RAW = [
     applies_to: 'skill',
     since: '0.1.21',
   },
+  {
+    name: 'MK_DAB_AUDIT_DIR',
+    scope: 'data-api-builder',
+    default: 'docs/dab-audit',
+    description:
+      'Override the directory where dab_audit_writer.py appends the data-api-builder ' +
+      'preflight audit log (dab-audit-YYYY-MM-DD.jsonl). Defaults to docs/dab-audit, ' +
+      'relative to invocation cwd. Set to redirect logs to an artefact store in CI. ' +
+      'Mirrors MK_SECURITY_AUDIT_DIR.',
+    type: 'path',
+    applies_to: 'skill',
+    since: '0.1.33',
+  },
+  {
+    name: 'MK_DAB_BASH_GUARD_MAX_STDIN_BYTES',
+    internal: true,
+    scope: 'data-api-builder',
+    default: '1048576',
+    description:
+      'Maximum stdin bytes the dab-bash-guard hook (Gate 4) reads before failing open ' +
+      '(allowing the command to proceed). Default is 1 048 576 bytes (1 MB).',
+    type: 'integer',
+    applies_to: 'hook',
+    since: '0.1.34',
+  },
+  {
+    name: 'MK_DAB_BASH_GUARD_TEST',
+    internal: true,
+    scope: 'data-api-builder',
+    default: undefined,
+    description:
+      'When set to "1", dab-bash-guard.cjs returns early at module load without executing the ' +
+      'stdin pipeline. Used exclusively by hook unit tests; do not set in production.',
+    type: 'boolean',
+    applies_to: 'hook',
+    since: '0.1.34',
+  },
+  {
+    name: 'MK_DAB_BASH_OK',
+    scope: 'data-api-builder',
+    default: undefined,
+    description:
+      'Opt-out override: when set to "1", allows Bash invocations of a DB CLI ' +
+      '(sqlcmd/psql/mysql/mssql-cli/mongosh/bcp/cqlsh) with query intent that the dab-bash-guard ' +
+      'hook (Gate 4) otherwise blocks. Set only for deliberate DB administration; prefer the ' +
+      'data-api-builder MCP tools.',
+    type: 'boolean',
+    applies_to: 'hook',
+    since: '0.1.34',
+  },
+  {
+    name: 'MK_DAB_MCP_GUARD_MAX_STDIN_BYTES',
+    internal: true,
+    scope: 'data-api-builder',
+    default: '1048576',
+    description:
+      'Maximum stdin bytes the dab-mcp-guard hook (Gate 1) reads before failing open ' +
+      '(allowing the call to proceed). Default is 1 048 576 bytes (1 MB).',
+    type: 'integer',
+    applies_to: 'hook',
+    since: '0.1.34',
+  },
+  {
+    name: 'MK_DAB_MCP_GUARD_TEST',
+    internal: true,
+    scope: 'data-api-builder',
+    default: undefined,
+    description:
+      'When set to "1", dab-mcp-guard.cjs skips main() at module load. Used exclusively by hook ' +
+      'unit tests; do not set in production.',
+    type: 'boolean',
+    applies_to: 'hook',
+    since: '0.1.34',
+  },
+  {
+    name: 'MK_DAB_WRITES_OK',
+    scope: 'data-api-builder',
+    default: undefined,
+    description:
+      'Opt-out override: when set to "1", allows the four write-capable data-api-builder MCP ' +
+      'calls (create_record/update_record/delete_record/execute_entity) that the dab-mcp-guard ' +
+      'hook (Gate 1) otherwise blocks. Set only for deliberate writes; DAB role config remains ' +
+      'as defence-in-depth.',
+    type: 'boolean',
+    applies_to: 'hook',
+    since: '0.1.34',
+  },
   {
     name: 'MK_FORCE_NO_TOOL_DIR',
+    internal: true,
     scope: 'codex',
     default: undefined,
     description:
@@ -74,6 +168,7 @@ const _RAW = [
   },
   {
     name: 'MK_SQL_GUARD_MAX_STDIN_BYTES',
+    internal: true,
     scope: 'sql-guard',
     default: '1048576',
     description:
@@ -85,6 +180,7 @@ const _RAW = [
   },
   {
     name: 'MK_SQL_GUARD_TEST',
+    internal: true,
     scope: 'sql-guard',
     default: undefined,
     description: