@omnidev-ai/cli 0.17.0 → 0.18.0

package/dist/index.js

@@ -1287,85 +1287,6 @@ var init_dist = __esm(() => {
   dist_default = { parse, stringify, TomlDate, TomlError };
 });
 
-// ../core/src/providers.ts
-function normalizeProviderId(provider) {
-  if (provider in PROVIDER_ALIAS_MAP) {
-    return PROVIDER_ALIAS_MAP[provider];
-  }
-  throw new Error(`Unknown provider: ${provider}`);
-}
-function normalizeProviderApplicability(value, fieldName) {
-  if (typeof value !== "object" || value === null || Array.isArray(value)) {
-    throw new Error(`${fieldName} must be a table of provider = boolean entries`);
-  }
-  const normalized = {};
-  for (const [rawProvider, rawEnabled] of Object.entries(value)) {
-    if (typeof rawEnabled !== "boolean") {
-      throw new Error(`${fieldName}.${rawProvider} must be a boolean`);
-    }
-    const canonicalProvider = normalizeProviderId(rawProvider);
-    const existing = normalized[canonicalProvider];
-    if (existing !== undefined && existing !== rawEnabled) {
-      throw new Error(`Conflicting provider entries in ${fieldName}: ${rawProvider} maps to ${canonicalProvider}`);
-    }
-    normalized[canonicalProvider] = rawEnabled;
-  }
-  return normalized;
-}
-var PROVIDER_ALIAS_MAP;
-var init_providers = __esm(() => {
-  PROVIDER_ALIAS_MAP = {
-    claude: "claude-code",
-    "claude-code": "claude-code",
-    codex: "codex",
-    cursor: "cursor",
-    opencode: "opencode"
-  };
-});
-
-// ../core/src/config/parser.ts
-function parseOmniConfig(tomlContent) {
-  try {
-    return parse(tomlContent);
-  } catch (error) {
-    const message = error instanceof Error ? error.message : String(error);
-    throw new Error(`Invalid TOML in config: ${message}`);
-  }
-}
-function validateCapabilityConfig(parsed) {
-  const cap = parsed["capability"];
-  if (typeof cap !== "object" || cap === null) {
-    throw new Error("capability.id is required in capability.toml");
-  }
-  const capability = cap;
-  if (typeof capability["id"] !== "string") {
-    throw new Error("capability.id is required in capability.toml");
-  }
-  if (typeof capability["name"] !== "string") {
-    throw new Error("capability.name is required in capability.toml");
-  }
-  if (typeof capability["version"] !== "string") {
-    throw new Error("capability.version is required in capability.toml");
-  }
-  if (capability["providers"] !== undefined) {
-    capability["providers"] = normalizeProviderApplicability(capability["providers"], "capability.providers");
-  }
-}
-function parseCapabilityConfig(tomlContent) {
-  try {
-    const parsed = parse(tomlContent);
-    validateCapabilityConfig(parsed);
-    return parsed;
-  } catch (error) {
-    const message = error instanceof Error ? error.message : String(error);
-    throw new Error(`Invalid capability.toml: ${message}`);
-  }
-}
-var init_parser = __esm(() => {
-  init_dist();
-  init_providers();
-});
-
 // ../core/src/hooks/constants.ts
 var HOOK_EVENTS, MATCHER_EVENTS, PROMPT_HOOK_EVENTS, HOOK_TYPES, COMMON_TOOL_MATCHERS, NOTIFICATION_MATCHERS, SESSION_START_MATCHERS, PRE_COMPACT_MATCHERS, DEFAULT_COMMAND_TIMEOUT = 60, DEFAULT_PROMPT_TIMEOUT = 30, VARIABLE_MAPPINGS, HOOKS_CONFIG_FILENAME = "hooks.toml", CLAUDE_HOOKS_CONFIG_FILENAME = "hooks.json", HOOKS_DIRECTORY = "hooks";
 var init_constants = __esm(() => {
@@ -2451,14 +2372,90 @@ var init_loader = __esm(() => {
   init_constants();
 });
 
-// ../core/src/capability/mcp-env.ts
+// ../core/src/providers.ts
+function normalizeProviderId(provider) {
+  if (provider in PROVIDER_ALIAS_MAP) {
+    return PROVIDER_ALIAS_MAP[provider];
+  }
+  throw new Error(`Unknown provider: ${provider}`);
+}
+function normalizeProviderApplicability(value, fieldName) {
+  if (typeof value !== "object" || value === null || Array.isArray(value)) {
+    throw new Error(`${fieldName} must be a table of provider = boolean entries`);
+  }
+  const normalized = {};
+  for (const [rawProvider, rawEnabled] of Object.entries(value)) {
+    if (typeof rawEnabled !== "boolean") {
+      throw new Error(`${fieldName}.${rawProvider} must be a boolean`);
+    }
+    const canonicalProvider = normalizeProviderId(rawProvider);
+    const existing = normalized[canonicalProvider];
+    if (existing !== undefined && existing !== rawEnabled) {
+      throw new Error(`Conflicting provider entries in ${fieldName}: ${rawProvider} maps to ${canonicalProvider}`);
+    }
+    normalized[canonicalProvider] = rawEnabled;
+  }
+  return normalized;
+}
+var PROVIDER_ALIAS_MAP;
+var init_providers = __esm(() => {
+  PROVIDER_ALIAS_MAP = {
+    claude: "claude-code",
+    "claude-code": "claude-code",
+    codex: "codex",
+    cursor: "cursor",
+    opencode: "opencode"
+  };
+});
+
+// ../core/src/config/parser.ts
+function parseOmniConfig(tomlContent) {
+  try {
+    return parse(tomlContent);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    throw new Error(`Invalid TOML in config: ${message}`);
+  }
+}
+function validateCapabilityConfig(parsed) {
+  const cap = parsed["capability"];
+  if (typeof cap !== "object" || cap === null) {
+    throw new Error("capability.id is required in capability.toml");
+  }
+  const capability = cap;
+  if (typeof capability["id"] !== "string") {
+    throw new Error("capability.id is required in capability.toml");
+  }
+  if (typeof capability["name"] !== "string") {
+    throw new Error("capability.name is required in capability.toml");
+  }
+  if (typeof capability["version"] !== "string") {
+    throw new Error("capability.version is required in capability.toml");
+  }
+  if (capability["providers"] !== undefined) {
+    capability["providers"] = normalizeProviderApplicability(capability["providers"], "capability.providers");
+  }
+}
+function parseCapabilityConfig(tomlContent) {
+  try {
+    const parsed = parse(tomlContent);
+    validateCapabilityConfig(parsed);
+    return parsed;
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    throw new Error(`Invalid capability.toml: ${message}`);
+  }
+}
+var init_parser = __esm(() => {
+  init_dist();
+  init_providers();
+});
+
+// ../core/src/capability/env.ts
 import { existsSync as existsSync6 } from "node:fs";
 import { readFile as readFile3 } from "node:fs/promises";
 import { join as join4 } from "node:path";
 import { parseEnv } from "node:util";
-function hasEnvPlaceholder(value) {
-  return ENV_PLACEHOLDER_DETECTOR.test(value);
-}
 function mergeEnvSources(capabilityEnv) {
   const merged = { ...capabilityEnv };
   for (const [key, value] of Object.entries(process.env)) {
@@ -2468,13 +2465,21 @@ function mergeEnvSources(capabilityEnv) {
   }
   return merged;
 }
-async function loadCapabilityEnv(capabilityPath) {
+async function loadCapabilityEnvVariables(capabilityPath) {
   const envPath = join4(capabilityPath, CAPABILITY_ENV_FILE);
   if (!existsSync6(envPath)) {
-    return {};
+    return mergeEnvSources({});
   }
   const envContent = await readFile3(envPath, "utf-8");
-  return Object.fromEntries(Object.entries(parseEnv(envContent)).filter((entry) => typeof entry[1] === "string"));
+  const capabilityEnv = Object.fromEntries(Object.entries(parseEnv(envContent)).filter((entry) => typeof entry[1] === "string"));
+  return mergeEnvSources(capabilityEnv);
+}
+var CAPABILITY_ENV_FILE = ".env";
+var init_env = () => {};
+
+// ../core/src/capability/mcp-env.ts
+function hasEnvPlaceholder(value) {
+  return ENV_PLACEHOLDER_DETECTOR.test(value);
 }
 function resolveString(value, variables, capabilityId, fieldPath) {
   if (!hasEnvPlaceholder(value)) {
@@ -2510,35 +2515,35 @@ function mcpHasPlaceholders(mcp) {
   }
   return strings.some((value) => hasEnvPlaceholder(value));
 }
-async function resolveCapabilityMcpEnv(config, capabilityPath) {
+async function resolveCapabilityMcpEnv(config, capabilityPath, variables) {
   if (!config.mcp || !mcpHasPlaceholders(config.mcp)) {
     return config;
   }
-  const variables = mergeEnvSources(await loadCapabilityEnv(capabilityPath));
+  const resolvedVariables = variables ?? await loadCapabilityEnvVariables(capabilityPath);
   const resolvedMcp = { ...config.mcp };
   const capabilityId = config.capability.id;
   if (resolvedMcp.command) {
-    resolvedMcp.command = resolveString(resolvedMcp.command, variables, capabilityId, "mcp.command");
+    resolvedMcp.command = resolveString(resolvedMcp.command, resolvedVariables, capabilityId, "mcp.command");
   }
   if (resolvedMcp.cwd) {
-    resolvedMcp.cwd = resolveString(resolvedMcp.cwd, variables, capabilityId, "mcp.cwd");
+    resolvedMcp.cwd = resolveString(resolvedMcp.cwd, resolvedVariables, capabilityId, "mcp.cwd");
   }
   if (resolvedMcp.url) {
-    resolvedMcp.url = resolveString(resolvedMcp.url, variables, capabilityId, "mcp.url");
+    resolvedMcp.url = resolveString(resolvedMcp.url, resolvedVariables, capabilityId, "mcp.url");
   }
   if (resolvedMcp.args) {
-    resolvedMcp.args = resolvedMcp.args.map((arg, index) => resolveString(arg, variables, capabilityId, `mcp.args[${index}]`));
+    resolvedMcp.args = resolvedMcp.args.map((arg, index) => resolveString(arg, resolvedVariables, capabilityId, `mcp.args[${index}]`));
   }
   if (resolvedMcp.env) {
     resolvedMcp.env = Object.fromEntries(Object.entries(resolvedMcp.env).map(([key, value]) => [
       key,
-      resolveString(value, variables, capabilityId, `mcp.env.${key}`)
+      resolveString(value, resolvedVariables, capabilityId, `mcp.env.${key}`)
     ]));
   }
   if (resolvedMcp.headers) {
     resolvedMcp.headers = Object.fromEntries(Object.entries(resolvedMcp.headers).map(([key, value]) => [
       key,
-      resolveString(value, variables, capabilityId, `mcp.headers.${key}`)
+      resolveString(value, resolvedVariables, capabilityId, `mcp.headers.${key}`)
     ]));
   }
   return {
@@ -2546,8 +2551,9 @@ async function resolveCapabilityMcpEnv(config, capabilityPath) {
     mcp: resolvedMcp
   };
 }
-var CAPABILITY_ENV_FILE = ".env", ENV_PLACEHOLDER, ENV_PLACEHOLDER_DETECTOR;
+var ENV_PLACEHOLDER, ENV_PLACEHOLDER_DETECTOR;
 var init_mcp_env = __esm(() => {
+  init_env();
   ENV_PLACEHOLDER = /\$\{([A-Za-z_][A-Za-z0-9_]*)\}/g;
   ENV_PLACEHOLDER_DETECTOR = /\$\{([A-Za-z_][A-Za-z0-9_]*)\}/;
 });
@@ -2582,9 +2588,45 @@ var init_rules = () => {};
 import { existsSync as existsSync8, readdirSync as readdirSync4 } from "node:fs";
 import { readFile as readFile5 } from "node:fs/promises";
 import { join as join6 } from "node:path";
-async function loadSkills(capabilityPath, capabilityId) {
+function hasSkillPlaceholder(value) {
+  return SKILL_PLACEHOLDER_DETECTOR.test(value);
+}
+function resolveSkillPlaceholders(content, variables, capabilityId, sourceLabel) {
+  if (!hasSkillPlaceholder(content)) {
+    return content;
+  }
+  return content.replace(SKILL_PLACEHOLDER, (match, variableName) => {
+    const resolved = variables[variableName];
+    if (resolved === undefined) {
+      throw new Error(`Missing environment variable "${variableName}" required by capability "${capabilityId}" in ${sourceLabel} (placeholder "${match}")`);
+    }
+    return resolved;
+  });
+}
+function parseSkillMarkdown(content, capabilityId, options) {
+  const resolvedContent = options?.variables && options.sourceLabel ? resolveSkillPlaceholders(content, options.variables, capabilityId, options.sourceLabel) : content;
+  const parsed = parseFrontmatterWithMarkdown(resolvedContent);
+  if (!parsed) {
+    const sourceLabel = options?.sourceLabel ?? "skill content";
+    throw new Error(`Invalid SKILL.md format at ${sourceLabel}: missing YAML frontmatter`);
+  }
+  const frontmatter = parsed.frontmatter;
+  const instructions = parsed.markdown;
+  if (!frontmatter.name || !frontmatter.description) {
+    const sourceLabel = options?.sourceLabel ?? "skill content";
+    throw new Error(`Invalid SKILL.md at ${sourceLabel}: name and description required in frontmatter`);
+  }
+  return {
+    name: frontmatter.name,
+    description: frontmatter.description,
+    instructions: instructions.trim(),
+    capabilityId
+  };
+}
+async function loadSkills(capabilityPath, capabilityId, variables) {
   const skills = [];
   const possibleDirNames = ["skills", "skill"];
+  const resolvedVariables = variables ?? await loadCapabilityEnvVariables(capabilityPath);
   for (const dirName of possibleDirNames) {
     const dir = join6(capabilityPath, dirName);
     if (!existsSync8(dir)) {
@@ -2595,7 +2637,7 @@ async function loadSkills(capabilityPath, capabilityId) {
       if (entry.isDirectory()) {
         const skillPath = join6(dir, entry.name, "SKILL.md");
         if (existsSync8(skillPath)) {
-          const skill = await parseSkillFile(skillPath, capabilityId);
+          const skill = await parseSkillFile(skillPath, capabilityId, resolvedVariables, `skill file ${skillPath}`);
           skills.push(skill);
         }
       }
@@ -2603,25 +2645,19 @@ async function loadSkills(capabilityPath, capabilityId) {
   }
   return skills;
 }
-async function parseSkillFile(filePath, capabilityId) {
+async function parseSkillFile(filePath, capabilityId, variables, sourceLabel) {
   const content = await readFile5(filePath, "utf-8");
-  const parsed = parseFrontmatterWithMarkdown(content);
-  if (!parsed) {
-    throw new Error(`Invalid SKILL.md format at ${filePath}: missing YAML frontmatter`);
-  }
-  const frontmatter = parsed.frontmatter;
-  const instructions = parsed.markdown;
-  if (!frontmatter.name || !frontmatter.description) {
-    throw new Error(`Invalid SKILL.md at ${filePath}: name and description required in frontmatter`);
-  }
-  return {
-    name: frontmatter.name,
-    description: frontmatter.description,
-    instructions: instructions.trim(),
-    capabilityId
-  };
+  return parseSkillMarkdown(content, capabilityId, {
+    variables,
+    sourceLabel
+  });
 }
-var init_skills = () => {};
+var SKILL_PLACEHOLDER, SKILL_PLACEHOLDER_DETECTOR;
+var init_skills = __esm(() => {
+  init_env();
+  SKILL_PLACEHOLDER = /\{OMNIDEV_([A-Za-z_][A-Za-z0-9_]*)\}/g;
+  SKILL_PLACEHOLDER_DETECTOR = /\{OMNIDEV_([A-Za-z_][A-Za-z0-9_]*)\}/;
+});
 
 // ../core/src/capability/subagents.ts
 import { existsSync as existsSync9, readdirSync as readdirSync5 } from "node:fs";
@@ -2767,40 +2803,13 @@ async function loadTypeDefinitions(capabilityPath) {
   }
   return readFile7(typesPath, "utf-8");
 }
-function convertSkillExports(skillExports, capabilityId) {
-  return skillExports.map((skillExport) => {
+function convertSkillExports(skillExports, capabilityId, variables) {
+  return skillExports.map((skillExport, index) => {
     const exportObj = skillExport;
-    const lines = exportObj.skillMd.split(`
-`);
-    let name = "unnamed";
-    let description = "";
-    let instructions = exportObj.skillMd;
-    if (lines[0]?.trim() === "---") {
-      const endIndex = lines.findIndex((line, i) => i > 0 && line.trim() === "---");
-      if (endIndex > 0) {
-        const frontmatter = lines.slice(1, endIndex);
-        instructions = lines.slice(endIndex + 1).join(`
-`).trim();
-        for (const line of frontmatter) {
-          const match = line.match(/^(\w+):\s*(.+)$/);
-          if (match?.[1] && match[2]) {
-            const key = match[1];
-            const value = match[2];
-            if (key === "name") {
-              name = value.replace(/^["']|["']$/g, "");
-            } else if (key === "description") {
-              description = value.replace(/^["']|["']$/g, "");
-            }
-          }
-        }
-      }
-    }
-    return {
-      name,
-      description,
-      instructions,
-      capabilityId
-    };
+    return parseSkillMarkdown(exportObj.skillMd, capabilityId, {
+      variables,
+      sourceLabel: `programmatic skill export[${index}]`
+    });
   });
 }
 function convertRuleExports(ruleExports, capabilityId) {
@@ -2953,8 +2962,9 @@ function mergeByName(fileBased, programmatic) {
   return Array.from(byName.values());
 }
 async function loadCapability(capabilityPath) {
+  const capabilityEnvVariables = await loadCapabilityEnvVariables(capabilityPath);
   const rawConfig = await loadCapabilityConfig(capabilityPath);
-  const config = await resolveCapabilityMcpEnv(rawConfig, capabilityPath);
+  const config = await resolveCapabilityMcpEnv(rawConfig, capabilityPath, capabilityEnvVariables);
   const id = config.capability.id;
   const exports = await importCapabilityExports(capabilityPath);
   const exportsAny = exports;
@@ -2969,8 +2979,8 @@ async function loadCapability(capabilityPath) {
     return;
   };
   const skillsExport = getExportValue("skills");
-  const programmaticSkills = Array.isArray(skillsExport) ? convertSkillExports(skillsExport, id) : [];
-  const fileSkills = await loadSkills(capabilityPath, id);
+  const programmaticSkills = Array.isArray(skillsExport) ? convertSkillExports(skillsExport, id, capabilityEnvVariables) : [];
+  const fileSkills = await loadSkills(capabilityPath, id, capabilityEnvVariables);
   const skills = mergeByName(fileSkills, programmaticSkills);
   const rulesExport = getExportValue("rules");
   const programmaticRules = Array.isArray(rulesExport) ? convertRuleExports(rulesExport, id) : [];
@@ -3018,11 +3028,12 @@ async function loadCapability(capabilityPath) {
 }
 var CAPABILITIES_DIR = ".omni/capabilities";
 var init_loader2 = __esm(() => {
-  init_parser();
   init_loader();
-  init_mcp_env();
+  init_parser();
   init_commands();
   init_docs();
+  init_env();
+  init_mcp_env();
   init_rules();
   init_skills();
   init_subagents();
@@ -5370,10 +5381,36 @@ var init_state = __esm(() => {
 
 // ../core/src/sync.ts
 import { spawn as spawn2 } from "node:child_process";
-import { mkdirSync as mkdirSync5 } from "node:fs";
+import { existsSync as existsSync20, mkdirSync as mkdirSync5, readFileSync as readFileSync3 } from "node:fs";
+import { join as join10 } from "node:path";
+function getDeclaredPackageManager(packageManager) {
+  if (typeof packageManager !== "string" || packageManager.trim().length === 0) {
+    return;
+  }
+  const atIndex = packageManager.indexOf("@");
+  return atIndex === -1 ? packageManager : packageManager.slice(0, atIndex);
+}
+function resolveCapabilityInstallCommand(capabilityPath, options) {
+  const packageJsonPath = join10(capabilityPath, "package.json");
+  const packageLockPath = join10(capabilityPath, "package-lock.json");
+  let packageManager;
+  try {
+    const pkgJson = JSON.parse(readFileSync3(packageJsonPath, "utf-8"));
+    packageManager = getDeclaredPackageManager(pkgJson.packageManager);
+  } catch {}
+  if (!options.hasNpm) {
+    throw new Error("npm is not installed. Install npm to install capability dependencies.");
+  }
+  if (packageManager && packageManager !== "npm") {
+    throw new Error(`Capability at ${capabilityPath} declares packageManager=${packageManager}, but OmniDev only supports npm for capability dependencies.`);
+  }
+  return {
+    cmd: "npm",
+    args: [existsSync20(packageLockPath) ? "ci" : "install"]
+  };
+}
 async function installCapabilityDependencies(silent) {
-  const { existsSync: existsSync20, readdirSync: readdirSync7, readFileSync: readFileSync3 } = await import("node:fs");
-  const { join: join10 } = await import("node:path");
+  const { readdirSync: readdirSync7 } = await import("node:fs");
   const { parse: parse2 } = await Promise.resolve().then(() => (init_dist(), exports_dist));
   const capabilitiesDir = ".omni/capabilities";
   if (!existsSync20(capabilitiesDir)) {
@@ -5387,10 +5424,9 @@ async function installCapabilityDependencies(silent) {
       proc.on("close", (code) => resolve2(code === 0));
     });
   }
-  const hasBun = await commandExists("bun");
-  const hasNpm = hasBun ? false : await commandExists("npm");
-  if (!hasBun && !hasNpm) {
-    throw new Error("Neither Bun nor npm is installed. Install one of them to install capability dependencies.");
+  const hasNpm = await commandExists("npm");
+  if (!hasNpm) {
+    throw new Error("npm is not installed. Install npm to install capability dependencies.");
   }
   for (const entry of entries) {
     if (!entry.isDirectory()) {
@@ -5413,9 +5449,9 @@ async function installCapabilityDependencies(silent) {
     }
     try {
       await new Promise((resolve2, reject) => {
-        const useNpmCi = hasNpm && existsSync20(join10(capabilityPath, "package-lock.json"));
-        const cmd = hasBun ? "bun" : "npm";
-        const args = hasBun ? ["install"] : useNpmCi ? ["ci"] : ["install"];
+        const { cmd, args } = resolveCapabilityInstallCommand(capabilityPath, {
+          hasNpm
+        });
         const proc = spawn2(cmd, args, {
           cwd: capabilityPath,
           stdio: "pipe"
@@ -5444,9 +5480,7 @@ ${stderr}`));
       } catch {}
       if (hasBuildScript) {
         await new Promise((resolve2, reject) => {
-          const cmd = hasBun ? "bun" : "npm";
-          const args = ["run", "build"];
-          const proc = spawn2(cmd, args, {
+          const proc = spawn2("npm", ["run", "build"], {
             cwd: capabilityPath,
             stdio: "pipe"
           });
@@ -5598,21 +5632,23 @@ var init_types3 = __esm(() => {
       unicode: true,
       symlinks: true,
       scripts: true,
-      binaries: false
+      binaries: false,
+      hiddenCommands: true
     }
   };
   DEFAULT_SCAN_SETTINGS = {
     unicode: true,
     symlinks: true,
     scripts: true,
-    binaries: false
+    binaries: false,
+    hiddenCommands: true
   };
 });
 
 // ../core/src/security/scanner.ts
-import { existsSync as existsSync20 } from "node:fs";
+import { existsSync as existsSync21 } from "node:fs";
 import { lstat, readdir as readdir2, readFile as readFile17, readlink, realpath } from "node:fs/promises";
-import { join as join10, relative, resolve as resolve2 } from "node:path";
+import { join as join11, relative, resolve as resolve2 } from "node:path";
 async function scanFileForUnicode(filePath, relativePath) {
   const findings = [];
   try {
@@ -5693,10 +5729,113 @@ async function scanFileForScripts(filePath, relativePath) {
   } catch {}
   return findings;
 }
+function extractHiddenRegions(fileContent) {
+  const regions = [];
+  HTML_COMMENT_RE.lastIndex = 0;
+  for (let match = HTML_COMMENT_RE.exec(fileContent);match !== null; match = HTML_COMMENT_RE.exec(fileContent)) {
+    const captured = match[1];
+    if (captured === undefined)
+      continue;
+    const beforeMatch = fileContent.substring(0, match.index);
+    const startLine = beforeMatch.split(`
+`).length;
+    regions.push({ content: captured, startLine });
+  }
+  HIDDEN_REFERENCE_RE.lastIndex = 0;
+  for (let match = HIDDEN_REFERENCE_RE.exec(fileContent);match !== null; match = HIDDEN_REFERENCE_RE.exec(fileContent)) {
+    const captured = match[1];
+    if (captured === undefined)
+      continue;
+    const beforeMatch = fileContent.substring(0, match.index);
+    const startLine = beforeMatch.split(`
+`).length;
+    regions.push({ content: captured, startLine });
+  }
+  return regions;
+}
+async function scanFileForHiddenCommands(filePath, relativePath) {
+  const findings = [];
+  try {
+    const content = await readFile17(filePath, "utf-8");
+    const hiddenRegions = extractHiddenRegions(content);
+    for (const region of hiddenRegions) {
+      const regionLines = region.content.split(`
+`);
+      for (let i = 0;i < regionLines.length; i++) {
+        const line = regionLines[i] ?? "";
+        if (!line.trim())
+          continue;
+        for (const { pattern, message, severity } of HIDDEN_COMMAND_PATTERNS) {
+          if (pattern.test(line)) {
+            findings.push({
+              type: "hidden_command",
+              severity,
+              file: relativePath,
+              line: region.startLine + i,
+              message: `Hidden in comment: ${message}`,
+              details: line.trim().substring(0, 100)
+            });
+          }
+        }
+        for (const { pattern, message, severity } of NETWORK_REQUEST_PATTERNS) {
+          if (pattern.test(line)) {
+            findings.push({
+              type: "network_request",
+              severity: severity === "medium" ? "high" : severity,
+              file: relativePath,
+              line: region.startLine + i,
+              message: `Hidden in comment: ${message}`,
+              details: line.trim().substring(0, 100)
+            });
+          }
+        }
+        for (const { pattern, message, severity } of SUSPICIOUS_SCRIPT_PATTERNS) {
+          if (pattern.test(line)) {
+            findings.push({
+              type: "hidden_command",
+              severity: severity === "medium" ? "high" : severity,
+              file: relativePath,
+              line: region.startLine + i,
+              message: `Hidden in comment: ${message}`,
+              details: line.trim().substring(0, 100)
+            });
+          }
+        }
+      }
+    }
+  } catch {}
+  return findings;
+}
+async function scanFileForNetworkRequests(filePath, relativePath) {
+  const findings = [];
+  try {
+    const content = await readFile17(filePath, "utf-8");
+    const lines = content.split(`
+`);
+    for (let lineNum = 0;lineNum < lines.length; lineNum++) {
+      const line = lines[lineNum];
+      if (!line)
+        continue;
+      for (const { pattern, message, severity } of NETWORK_REQUEST_PATTERNS) {
+        if (pattern.test(line)) {
+          findings.push({
+            type: "network_request",
+            severity,
+            file: relativePath,
+            line: lineNum + 1,
+            message,
+            details: line.trim().substring(0, 100)
+          });
+        }
+      }
+    }
+  } catch {}
+  return findings;
+}
 async function checkSymlink(symlinkPath, relativePath, capabilityRoot) {
   try {
     const linkTarget = await readlink(symlinkPath);
-    const resolvedTarget = resolve2(join10(symlinkPath, "..", linkTarget));
+    const resolvedTarget = resolve2(join11(symlinkPath, "..", linkTarget));
     const normalizedRoot = await realpath(capabilityRoot);
     if (linkTarget.startsWith("/")) {
       return {
@@ -5731,7 +5870,7 @@ function isTextFile(filePath) {
 async function scanCapability(capabilityId, capabilityPath, settings = DEFAULT_SCAN_SETTINGS) {
   const startTime = Date.now();
   const findings = [];
-  if (!existsSync20(capabilityPath)) {
+  if (!existsSync21(capabilityPath)) {
     return {
       capabilityId,
       path: capabilityPath,
@@ -5743,7 +5882,7 @@ async function scanCapability(capabilityId, capabilityPath, settings = DEFAULT_S
   async function scanDirectory(dirPath) {
     const entries = await readdir2(dirPath, { withFileTypes: true });
     for (const entry of entries) {
-      const fullPath = join10(dirPath, entry.name);
+      const fullPath = join11(dirPath, entry.name);
       const relativePath = relative(capabilityPath, fullPath);
       if (entry.name.startsWith(".") || entry.name === "node_modules" || entry.name === "__pycache__") {
         continue;
@@ -5770,17 +5909,27 @@ async function scanCapability(capabilityId, capabilityPath, settings = DEFAULT_S
           });
         }
         if (isTextFile(fullPath)) {
+          const ext = fullPath.toLowerCase().substring(fullPath.lastIndexOf("."));
           if (settings.unicode) {
             const unicodeFindings = await scanFileForUnicode(fullPath, relativePath);
             findings.push(...unicodeFindings);
           }
           if (settings.scripts) {
-            const ext = fullPath.toLowerCase().substring(fullPath.lastIndexOf("."));
             if ([".sh", ".bash", ".zsh", ".fish", ".py", ".rb", ".js", ".ts"].includes(ext)) {
               const scriptFindings = await scanFileForScripts(fullPath, relativePath);
               findings.push(...scriptFindings);
             }
           }
+          if (settings.hiddenCommands) {
+            if ([".md", ".txt", ".yaml", ".yml", ".toml"].includes(ext)) {
+              const hiddenFindings = await scanFileForHiddenCommands(fullPath, relativePath);
+              findings.push(...hiddenFindings);
+            }
+          }
+          if (settings.hiddenCommands) {
+            const networkFindings = await scanFileForNetworkRequests(fullPath, relativePath);
+            findings.push(...networkFindings);
+          }
         }
       }
     }
@@ -5812,7 +5961,9 @@ async function scanCapabilities(capabilities2, config2 = {}) {
     symlink_escape: 0,
     symlink_absolute: 0,
     suspicious_script: 0,
-    binary_file: 0
+    binary_file: 0,
+    hidden_command: 0,
+    network_request: 0
   };
   const findingsBySeverity = {
     low: 0,
@@ -5887,7 +6038,7 @@ function formatScanResults(summary, verbose = false) {
   return lines.join(`
 `);
 }
-var UNICODE_PATTERNS, SUSPICIOUS_SCRIPT_PATTERNS, BINARY_EXTENSIONS, TEXT_EXTENSIONS;
+var UNICODE_PATTERNS, SUSPICIOUS_SCRIPT_PATTERNS, NETWORK_REQUEST_PATTERNS, HIDDEN_COMMAND_PATTERNS, BINARY_EXTENSIONS, TEXT_EXTENSIONS, HTML_COMMENT_RE, HIDDEN_REFERENCE_RE;
 var init_scanner = __esm(() => {
   init_types3();
   UNICODE_PATTERNS = {
@@ -5979,6 +6130,75 @@ var init_scanner = __esm(() => {
       severity: "high"
     }
   ];
+  NETWORK_REQUEST_PATTERNS = [
+    {
+      pattern: /\bcurl\s+.*https?:\/\//i,
+      message: "Outbound curl request detected",
+      severity: "medium"
+    },
+    {
+      pattern: /\bwget\s+.*https?:\/\//i,
+      message: "Outbound wget request detected",
+      severity: "medium"
+    },
+    {
+      pattern: /\bfetch\s*\(\s*["'`]https?:\/\//i,
+      message: "Outbound fetch() request detected",
+      severity: "medium"
+    },
+    {
+      pattern: /\b(?:http|https)\.(?:get|request|post|put)\s*\(/i,
+      message: "Outbound HTTP request via Node.js http module",
+      severity: "medium"
+    },
+    {
+      pattern: /\brequests\.(?:get|post|put|delete|patch)\s*\(/i,
+      message: "Outbound HTTP request via Python requests",
+      severity: "medium"
+    },
+    {
+      pattern: /\bnc\b.*\s\d{2,5}\b/i,
+      message: "Netcat connection detected",
+      severity: "high"
+    },
+    {
+      pattern: /\b(?:Invoke-WebRequest|Invoke-RestMethod|iwr|irm)\b/i,
+      message: "Outbound PowerShell web request detected",
+      severity: "medium"
+    }
+  ];
+  HIDDEN_COMMAND_PATTERNS = [
+    {
+      pattern: /`[^`]*(?:curl|wget|bash|sh|python|ruby|node|exec|eval|system)\s[^`]*`/i,
+      message: "Executable command in backtick-wrapped code",
+      severity: "critical"
+    },
+    {
+      pattern: /\|\s*(?:ba)?sh\b/i,
+      message: "Pipe to shell execution",
+      severity: "critical"
+    },
+    {
+      pattern: /(?:^|\s)(?:bash|sh|zsh)\s+-c\s+/i,
+      message: "Shell invocation with -c flag",
+      severity: "high"
+    },
+    {
+      pattern: /\b(?:curl|wget)\s+.*https?:\/\//i,
+      message: "Network fetch command detected",
+      severity: "high"
+    },
+    {
+      pattern: /\b(?:python|ruby|node)\s+-e\s+/i,
+      message: "Inline script execution",
+      severity: "high"
+    },
+    {
+      pattern: /\beval\s*\(.*\)/i,
+      message: "eval() call detected",
+      severity: "high"
+    }
+  ];
   BINARY_EXTENSIONS = new Set([
     ".exe",
     ".dll",
@@ -6013,6 +6233,8 @@ var init_scanner = __esm(() => {
     ".py",
     ".rb"
   ]);
+  HTML_COMMENT_RE = /<!--([\s\S]*?)-->/g;
+  HIDDEN_REFERENCE_RE = /^\[.*?\]:\s*\S+\s+"(.+)"/gm;
 });
 
 // ../core/src/security/index.ts
@@ -6222,6 +6444,7 @@ __export(exports_src, {
   resolveEnabledCapabilities: () => resolveEnabledCapabilities,
   resolveCapabilityRootInConfig: () => resolveCapabilityRootInConfig,
   resolveCapabilityRoot: () => resolveCapabilityRoot,
+  resolveCapabilityInstallCommand: () => resolveCapabilityInstallCommand,
   removeSecurityAllow: () => removeSecurityAllow,
   readSecurityAllows: () => readSecurityAllows,
   readMcpJson: () => readMcpJson,
@@ -6353,13 +6576,13 @@ var init_src = __esm(() => {
 import { run } from "@stricli/core";
 
 // src/lib/dynamic-app.ts
-import { existsSync as existsSync30 } from "node:fs";
+import { existsSync as existsSync31 } from "node:fs";
 import { createRequire as createRequire2 } from "node:module";
-import { join as join27 } from "node:path";
+import { join as join28 } from "node:path";
 import { buildApplication, buildRouteMap as buildRouteMap7 } from "@stricli/core";
 
 // src/commands/add.ts
-import { existsSync as existsSync23 } from "node:fs";
+import { existsSync as existsSync24 } from "node:fs";
 import { basename as basename5, resolve as resolve3 } from "node:path";
 
 // ../adapters/src/writers/generic/executor.ts
@@ -6392,21 +6615,21 @@ async function executeWriters(writerConfigs, bundle, projectRoot, providerId) {
 }
 // ../adapters/src/writers/generic/hooks.ts
 init_src();
-import { existsSync as existsSync21 } from "node:fs";
+import { existsSync as existsSync22 } from "node:fs";
 import { mkdir as mkdir2, readFile as readFile18, writeFile as writeFile10 } from "node:fs/promises";
-import { dirname, join as join11 } from "node:path";
+import { dirname, join as join12 } from "node:path";
 var HooksWriter = {
   id: "hooks",
   async write(bundle, ctx) {
     if (!bundle.hooks) {
       return { filesWritten: [] };
     }
-    const settingsPath = join11(ctx.projectRoot, ctx.outputPath);
+    const settingsPath = join12(ctx.projectRoot, ctx.outputPath);
     const parentDir = dirname(settingsPath);
     await mkdir2(parentDir, { recursive: true });
     const claudeHooks = transformHooksConfig(bundle.hooks, "toClaude");
     let existingSettings = {};
-    if (existsSync21(settingsPath)) {
+    if (existsSync22(settingsPath)) {
       try {
         const content = await readFile18(settingsPath, "utf-8");
         existingSettings = JSON.parse(content);
@@ -6426,9 +6649,9 @@ var HooksWriter = {
   }
 };
 // ../adapters/src/writers/generic/instructions-md.ts
-import { existsSync as existsSync22 } from "node:fs";
+import { existsSync as existsSync23 } from "node:fs";
 import { mkdir as mkdir3, readFile as readFile19, writeFile as writeFile11 } from "node:fs/promises";
-import { dirname as dirname2, join as join12 } from "node:path";
+import { dirname as dirname2, join as join13 } from "node:path";
 
 // ../adapters/src/writers/generic/omni-md.ts
 init_src();
@@ -6453,14 +6676,14 @@ function renderOmniMdForProvider(content, providerId) {
 var InstructionsMdWriter = {
   id: "instructions-md",
   async write(bundle, ctx) {
-    const outputFullPath = join12(ctx.projectRoot, ctx.outputPath);
+    const outputFullPath = join13(ctx.projectRoot, ctx.outputPath);
     const parentDir = dirname2(outputFullPath);
     if (parentDir !== ctx.projectRoot) {
       await mkdir3(parentDir, { recursive: true });
     }
-    const omniMdPath = join12(ctx.projectRoot, "OMNI.md");
+    const omniMdPath = join13(ctx.projectRoot, "OMNI.md");
     let omniMdContent = "";
-    if (existsSync22(omniMdPath)) {
+    if (existsSync23(omniMdPath)) {
       omniMdContent = renderOmniMdForProvider(await readFile19(omniMdPath, "utf-8"), ctx.providerId);
     }
     let content = omniMdContent;
@@ -6478,17 +6701,17 @@ ${bundle.instructionsContent}
 };
 // ../adapters/src/writers/generic/skills.ts
 import { mkdir as mkdir4, writeFile as writeFile12 } from "node:fs/promises";
-import { join as join13 } from "node:path";
+import { join as join14 } from "node:path";
 var SkillsWriter = {
   id: "skills",
   async write(bundle, ctx) {
-    const skillsDir = join13(ctx.projectRoot, ctx.outputPath);
+    const skillsDir = join14(ctx.projectRoot, ctx.outputPath);
     await mkdir4(skillsDir, { recursive: true });
     const filesWritten = [];
     for (const skill of bundle.skills) {
-      const skillDir = join13(skillsDir, skill.name);
+      const skillDir = join14(skillsDir, skill.name);
       await mkdir4(skillDir, { recursive: true });
-      const skillPath = join13(skillDir, "SKILL.md");
+      const skillPath = join14(skillDir, "SKILL.md");
       const content = `---
 name: ${skill.name}
 description: "${skill.description}"
@@ -6496,7 +6719,7 @@ description: "${skill.description}"
 
 ${skill.instructions}`;
       await writeFile12(skillPath, content, "utf-8");
-      filesWritten.push(join13(ctx.outputPath, skill.name, "SKILL.md"));
+      filesWritten.push(join14(ctx.outputPath, skill.name, "SKILL.md"));
     }
     return {
       filesWritten
@@ -6505,7 +6728,7 @@ ${skill.instructions}`;
 };
 // ../adapters/src/writers/generic/commands-as-skills.ts
 import { mkdir as mkdir5, writeFile as writeFile13 } from "node:fs/promises";
-import { join as join14 } from "node:path";
+import { join as join15 } from "node:path";
 function generateSkillFrontmatter(command) {
   const lines = ["---"];
   lines.push(`name: ${command.name}`);
@@ -6520,19 +6743,19 @@ function generateSkillFrontmatter(command) {
 var CommandsAsSkillsWriter = {
   id: "commands-as-skills",
   async write(bundle, ctx) {
-    const skillsDir = join14(ctx.projectRoot, ctx.outputPath);
+    const skillsDir = join15(ctx.projectRoot, ctx.outputPath);
     await mkdir5(skillsDir, { recursive: true });
     const filesWritten = [];
     for (const command of bundle.commands) {
-      const commandSkillDir = join14(skillsDir, command.name);
+      const commandSkillDir = join15(skillsDir, command.name);
       await mkdir5(commandSkillDir, { recursive: true });
       const frontmatter = generateSkillFrontmatter(command);
       const content = `${frontmatter}
 
 ${command.prompt}`;
-      const skillPath = join14(commandSkillDir, "SKILL.md");
+      const skillPath = join15(commandSkillDir, "SKILL.md");
       await writeFile13(skillPath, content, "utf-8");
-      filesWritten.push(join14(ctx.outputPath, command.name, "SKILL.md"));
+      filesWritten.push(join15(ctx.outputPath, command.name, "SKILL.md"));
     }
     return {
       filesWritten
@@ -6588,7 +6811,7 @@ function createProviderScopedBundle(bundle, providerId) {
 
 // ../adapters/src/writers/claude/agents.ts
 import { mkdir as mkdir6, writeFile as writeFile14 } from "node:fs/promises";
-import { join as join15 } from "node:path";
+import { join as join16 } from "node:path";
 function generateFrontmatter(agent) {
   const lines = ["---"];
   lines.push(`name: ${agent.name}`);
@@ -6615,7 +6838,7 @@ function generateFrontmatter(agent) {
 var ClaudeAgentsWriter = {
   id: "claude-agents",
   async write(bundle, ctx) {
-    const agentsDir = join15(ctx.projectRoot, ctx.outputPath);
+    const agentsDir = join16(ctx.projectRoot, ctx.outputPath);
     await mkdir6(agentsDir, { recursive: true });
     const filesWritten = [];
     for (const agent of bundle.subagents) {
@@ -6623,9 +6846,9 @@ var ClaudeAgentsWriter = {
       const content = `${frontmatter}
 
 ${agent.systemPrompt}`;
-      const agentPath = join15(agentsDir, `${agent.name}.md`);
+      const agentPath = join16(agentsDir, `${agent.name}.md`);
       await writeFile14(agentPath, content, "utf-8");
-      filesWritten.push(join15(ctx.outputPath, `${agent.name}.md`));
+      filesWritten.push(join16(ctx.outputPath, `${agent.name}.md`));
     }
     return {
       filesWritten
@@ -6661,12 +6884,12 @@ var claudeCodeAdapter = {
 };
 // ../adapters/src/codex/index.ts
 import { mkdirSync as mkdirSync6 } from "node:fs";
-import { join as join17 } from "node:path";
+import { join as join18 } from "node:path";
 
 // ../adapters/src/writers/codex/toml.ts
 init_dist();
 import { mkdir as mkdir7, writeFile as writeFile15 } from "node:fs/promises";
-import { dirname as dirname3, join as join16 } from "node:path";
+import { dirname as dirname3, join as join17 } from "node:path";
 var FILE_HEADER = `# Generated by OmniDev - DO NOT EDIT
 # Run \`omnidev sync\` to regenerate
 
@@ -6717,7 +6940,7 @@ var CodexTomlWriter = {
     if (mcps.size === 0) {
       return { filesWritten: [] };
     }
-    const configPath = join16(ctx.projectRoot, ctx.outputPath);
+    const configPath = join17(ctx.projectRoot, ctx.outputPath);
     const parentDir = dirname3(configPath);
     await mkdir7(parentDir, { recursive: true });
     const mcpServers = {};
@@ -6751,7 +6974,7 @@ var codexAdapter = {
     { writer: CodexTomlWriter, outputPath: ".codex/config.toml" }
   ],
   async init(ctx) {
-    const codexDir = join17(ctx.projectRoot, ".codex");
+    const codexDir = join18(ctx.projectRoot, ".codex");
     mkdirSync6(codexDir, { recursive: true });
     return {
       filesCreated: [".codex/"],
@@ -6770,11 +6993,11 @@ var codexAdapter = {
 };
 // ../adapters/src/cursor/index.ts
 import { mkdirSync as mkdirSync7 } from "node:fs";
-import { join as join22 } from "node:path";
+import { join as join23 } from "node:path";
 
 // ../adapters/src/writers/cursor/agents.ts
 import { mkdir as mkdir8, writeFile as writeFile16 } from "node:fs/promises";
-import { join as join18 } from "node:path";
+import { join as join19 } from "node:path";
 function mapModelToCursor(model) {
   if (!model || model === "inherit")
     return "inherit";
@@ -6806,7 +7029,7 @@ function generateFrontmatter2(agent) {
 var CursorAgentsWriter = {
   id: "cursor-agents",
   async write(bundle, ctx) {
-    const agentsDir = join18(ctx.projectRoot, ctx.outputPath);
+    const agentsDir = join19(ctx.projectRoot, ctx.outputPath);
     await mkdir8(agentsDir, { recursive: true });
     const filesWritten = [];
     for (const agent of bundle.subagents) {
@@ -6814,9 +7037,9 @@ var CursorAgentsWriter = {
       const content = `${frontmatter}
 
 ${agent.systemPrompt}`;
-      const agentPath = join18(agentsDir, `${agent.name}.md`);
+      const agentPath = join19(agentsDir, `${agent.name}.md`);
       await writeFile16(agentPath, content, "utf-8");
-      filesWritten.push(join18(ctx.outputPath, `${agent.name}.md`));
+      filesWritten.push(join19(ctx.outputPath, `${agent.name}.md`));
     }
     return {
       filesWritten
@@ -6825,11 +7048,11 @@ ${agent.systemPrompt}`;
 };
 // ../adapters/src/writers/cursor/commands.ts
 import { mkdir as mkdir9, writeFile as writeFile17 } from "node:fs/promises";
-import { join as join19 } from "node:path";
+import { join as join20 } from "node:path";
 var CursorCommandsWriter = {
   id: "cursor-commands",
   async write(bundle, ctx) {
-    const commandsDir = join19(ctx.projectRoot, ctx.outputPath);
+    const commandsDir = join20(ctx.projectRoot, ctx.outputPath);
     await mkdir9(commandsDir, { recursive: true });
     const filesWritten = [];
     for (const command of bundle.commands) {
@@ -6838,9 +7061,9 @@ var CursorCommandsWriter = {
 ${command.description}
 
 ${command.prompt}`;
-      const commandPath = join19(commandsDir, `${command.name}.md`);
+      const commandPath = join20(commandsDir, `${command.name}.md`);
       await writeFile17(commandPath, content, "utf-8");
-      filesWritten.push(join19(ctx.outputPath, `${command.name}.md`));
+      filesWritten.push(join20(ctx.outputPath, `${command.name}.md`));
     }
     return {
       filesWritten
@@ -6849,7 +7072,7 @@ ${command.prompt}`;
 };
 // ../adapters/src/writers/cursor/mcp-json.ts
 import { mkdir as mkdir10, writeFile as writeFile18 } from "node:fs/promises";
-import { dirname as dirname4, join as join20 } from "node:path";
+import { dirname as dirname4, join as join21 } from "node:path";
 function buildCursorMcpConfig(mcp) {
   const transport = mcp.transport ?? "stdio";
   if (transport === "http" || transport === "sse") {
@@ -6894,7 +7117,7 @@ var CursorMcpJsonWriter = {
     if (mcps.size === 0) {
       return { filesWritten: [] };
     }
-    const configPath = join20(ctx.projectRoot, ctx.outputPath);
+    const configPath = join21(ctx.projectRoot, ctx.outputPath);
     const parentDir = dirname4(configPath);
     await mkdir10(parentDir, { recursive: true });
     const mcpServers = {};
@@ -6919,17 +7142,17 @@ var CursorMcpJsonWriter = {
 };
 // ../adapters/src/writers/cursor/rules.ts
 import { mkdir as mkdir11, writeFile as writeFile19 } from "node:fs/promises";
-import { join as join21 } from "node:path";
+import { join as join22 } from "node:path";
 var CursorRulesWriter = {
   id: "cursor-rules",
   async write(bundle, ctx) {
-    const rulesDir = join21(ctx.projectRoot, ctx.outputPath);
+    const rulesDir = join22(ctx.projectRoot, ctx.outputPath);
     await mkdir11(rulesDir, { recursive: true });
     const filesWritten = [];
     for (const rule of bundle.rules) {
-      const rulePath = join21(rulesDir, `omnidev-${rule.name}.mdc`);
+      const rulePath = join22(rulesDir, `omnidev-${rule.name}.mdc`);
       await writeFile19(rulePath, rule.content, "utf-8");
-      filesWritten.push(join21(ctx.outputPath, `omnidev-${rule.name}.mdc`));
+      filesWritten.push(join22(ctx.outputPath, `omnidev-${rule.name}.mdc`));
     }
     return {
       filesWritten
@@ -6949,7 +7172,7 @@ var cursorAdapter = {
     { writer: CursorMcpJsonWriter, outputPath: ".cursor/mcp.json" }
   ],
   async init(ctx) {
-    const rulesDir = join22(ctx.projectRoot, ".cursor", "rules");
+    const rulesDir = join23(ctx.projectRoot, ".cursor", "rules");
     mkdirSync7(rulesDir, { recursive: true });
     return {
       filesCreated: [".cursor/rules/"],
@@ -6975,11 +7198,11 @@ var cursorAdapter = {
 };
 // ../adapters/src/opencode/index.ts
 import { mkdirSync as mkdirSync8 } from "node:fs";
-import { join as join25 } from "node:path";
+import { join as join26 } from "node:path";
 
 // ../adapters/src/writers/opencode/agents.ts
 import { mkdir as mkdir12, writeFile as writeFile20 } from "node:fs/promises";
-import { join as join23 } from "node:path";
+import { join as join24 } from "node:path";
 function mapModelToOpenCode(model) {
   if (!model || model === "inherit")
     return;
@@ -7057,7 +7280,7 @@ function generateFrontmatter3(agent) {
 var OpenCodeAgentsWriter = {
   id: "opencode-agents",
   async write(bundle, ctx) {
-    const agentsDir = join23(ctx.projectRoot, ctx.outputPath);
+    const agentsDir = join24(ctx.projectRoot, ctx.outputPath);
     await mkdir12(agentsDir, { recursive: true });
     const filesWritten = [];
     for (const agent of bundle.subagents) {
@@ -7065,9 +7288,9 @@ var OpenCodeAgentsWriter = {
       const content = `${frontmatter}
 
 ${agent.systemPrompt}`;
-      const agentPath = join23(agentsDir, `${agent.name}.md`);
+      const agentPath = join24(agentsDir, `${agent.name}.md`);
       await writeFile20(agentPath, content, "utf-8");
-      filesWritten.push(join23(ctx.outputPath, `${agent.name}.md`));
+      filesWritten.push(join24(ctx.outputPath, `${agent.name}.md`));
     }
     return {
       filesWritten
@@ -7076,7 +7299,7 @@ ${agent.systemPrompt}`;
 };
 // ../adapters/src/writers/opencode/commands.ts
 import { mkdir as mkdir13, writeFile as writeFile21 } from "node:fs/promises";
-import { join as join24 } from "node:path";
+import { join as join25 } from "node:path";
 function generateFrontmatter4(command) {
   const lines = ["---"];
   lines.push(`description: "${command.description.replace(/"/g, "\\\"")}"`);
@@ -7093,7 +7316,7 @@ function generateFrontmatter4(command) {
 var OpenCodeCommandsWriter = {
   id: "opencode-commands",
   async write(bundle, ctx) {
-    const commandsDir = join24(ctx.projectRoot, ctx.outputPath);
+    const commandsDir = join25(ctx.projectRoot, ctx.outputPath);
     await mkdir13(commandsDir, { recursive: true });
     const filesWritten = [];
     for (const command of bundle.commands) {
@@ -7101,9 +7324,9 @@ var OpenCodeCommandsWriter = {
       const content = `${frontmatter}
 
 ${command.prompt}`;
-      const commandPath = join24(commandsDir, `${command.name}.md`);
+      const commandPath = join25(commandsDir, `${command.name}.md`);
       await writeFile21(commandPath, content, "utf-8");
-      filesWritten.push(join24(ctx.outputPath, `${command.name}.md`));
+      filesWritten.push(join25(ctx.outputPath, `${command.name}.md`));
     }
     return {
       filesWritten
@@ -7121,7 +7344,7 @@ var opencodeAdapter = {
     { writer: OpenCodeCommandsWriter, outputPath: ".opencode/commands/" }
   ],
   async init(ctx) {
-    const opencodeDir = join25(ctx.projectRoot, ".opencode");
+    const opencodeDir = join26(ctx.projectRoot, ".opencode");
     mkdirSync8(opencodeDir, { recursive: true });
     return {
       filesCreated: [".opencode/"],
@@ -7175,7 +7398,7 @@ async function inferCapabilityId(source, sourceType) {
 }
 async function runAddCap(flags, name) {
   try {
-    if (!existsSync23("omni.toml")) {
+    if (!existsSync24("omni.toml")) {
       console.log("✗ No config file found");
       console.log("  Run: omnidev init");
       process.exit(1);
@@ -7198,7 +7421,7 @@ async function runAddCap(flags, name) {
       sourceType = "local";
       const localPath = flags.local.startsWith("file://") ? flags.local.slice(7) : flags.local;
       source = `file://${localPath}`;
-      if (!existsSync23(localPath)) {
+      if (!existsSync24(localPath)) {
         console.error(`✗ Local path not found: ${localPath}`);
         process.exit(1);
       }
@@ -7290,7 +7513,7 @@ async function runAddCap(flags, name) {
 }
 async function runAddMcp(flags, name) {
   try {
-    if (!existsSync23("omni.toml")) {
+    if (!existsSync24("omni.toml")) {
       console.log("✗ No config file found");
       console.log("  Run: omnidev init");
       process.exit(1);
@@ -7577,9 +7800,9 @@ var addRoutes = buildRouteMap({
 });
 
 // src/commands/capability.ts
-import { existsSync as existsSync24, mkdirSync as mkdirSync9 } from "node:fs";
+import { existsSync as existsSync25, mkdirSync as mkdirSync9 } from "node:fs";
 import { writeFile as writeFile22 } from "node:fs/promises";
-import { join as join26 } from "node:path";
+import { join as join27 } from "node:path";
 import { input } from "@inquirer/prompts";
 init_src();
 import { buildCommand as buildCommand2, buildRouteMap as buildRouteMap2 } from "@stricli/core";
@@ -7768,7 +7991,7 @@ function generateGitignore(programmatic) {
 }
 async function runCapabilityNew(flags, capabilityId) {
   try {
-    if (!existsSync24(".omni")) {
+    if (!existsSync25(".omni")) {
       console.error("✗ OmniDev is not initialized in this directory.");
       console.log("");
       console.log("  Run: omnidev init");
@@ -7792,28 +8015,28 @@ async function runCapabilityNew(flags, capabilityId) {
         default: defaultPath
       });
     }
-    if (existsSync24(capabilityDir)) {
+    if (existsSync25(capabilityDir)) {
       console.error(`✗ Directory already exists at ${capabilityDir}`);
       process.exit(1);
     }
     const name = toTitleCase(id);
     mkdirSync9(capabilityDir, { recursive: true });
     const capabilityToml = generateCapabilityToml2({ id, name });
-    await writeFile22(join26(capabilityDir, "capability.toml"), capabilityToml, "utf-8");
-    const skillDir = join26(capabilityDir, "skills", "getting-started");
+    await writeFile22(join27(capabilityDir, "capability.toml"), capabilityToml, "utf-8");
+    const skillDir = join27(capabilityDir, "skills", "getting-started");
     mkdirSync9(skillDir, { recursive: true });
-    await writeFile22(join26(skillDir, "SKILL.md"), generateSkillTemplate("getting-started"), "utf-8");
-    const rulesDir = join26(capabilityDir, "rules");
+    await writeFile22(join27(skillDir, "SKILL.md"), generateSkillTemplate("getting-started"), "utf-8");
+    const rulesDir = join27(capabilityDir, "rules");
     mkdirSync9(rulesDir, { recursive: true });
-    await writeFile22(join26(rulesDir, "coding-standards.md"), generateRuleTemplate("coding-standards"), "utf-8");
-    const hooksDir = join26(capabilityDir, "hooks");
+    await writeFile22(join27(rulesDir, "coding-standards.md"), generateRuleTemplate("coding-standards"), "utf-8");
+    const hooksDir = join27(capabilityDir, "hooks");
     mkdirSync9(hooksDir, { recursive: true });
-    await writeFile22(join26(hooksDir, "hooks.toml"), generateHooksTemplate(), "utf-8");
-    await writeFile22(join26(hooksDir, "example-hook.sh"), generateHookScript(), "utf-8");
-    await writeFile22(join26(capabilityDir, ".gitignore"), generateGitignore(Boolean(flags.programmatic)), "utf-8");
+    await writeFile22(join27(hooksDir, "hooks.toml"), generateHooksTemplate(), "utf-8");
+    await writeFile22(join27(hooksDir, "example-hook.sh"), generateHookScript(), "utf-8");
+    await writeFile22(join27(capabilityDir, ".gitignore"), generateGitignore(Boolean(flags.programmatic)), "utf-8");
     if (flags.programmatic) {
-      await writeFile22(join26(capabilityDir, "package.json"), generatePackageJson(id), "utf-8");
-      await writeFile22(join26(capabilityDir, "index.ts"), generateIndexTs(id, name), "utf-8");
+      await writeFile22(join27(capabilityDir, "package.json"), generatePackageJson(id), "utf-8");
+      await writeFile22(join27(capabilityDir, "index.ts"), generateIndexTs(id, name), "utf-8");
     }
     console.log(`✓ Created capability: ${name}`);
     console.log(`  Location: ${capabilityDir}`);
@@ -7969,7 +8192,7 @@ var capabilityRoutes = buildRouteMap2({
 });
 
 // src/commands/doctor.ts
-import { existsSync as existsSync25 } from "node:fs";
+import { existsSync as existsSync26 } from "node:fs";
 import { execFile } from "node:child_process";
 import { readFile as readFile20 } from "node:fs/promises";
 import { promisify } from "node:util";
@@ -8016,50 +8239,52 @@ async function runDoctor() {
 async function checkPackageManager() {
   const execFileAsync = promisify(execFile);
   try {
-    const { stdout } = await execFileAsync("bun", ["--version"]);
-    const version2 = stdout.trim();
-    const firstPart = version2.split(".")[0];
-    if (!firstPart) {
+    const { stdout: npmStdout } = await execFileAsync("npm", ["--version"]);
+    const npmVersion = npmStdout.trim();
+    try {
+      const { stdout: bunStdout } = await execFileAsync("bun", ["--version"]);
+      const bunVersion = bunStdout.trim();
+      const firstPart = bunVersion.split(".")[0];
+      if (!firstPart) {
+        return {
+          name: "Package Manager",
+          passed: false,
+          message: `Invalid Bun version format: ${bunVersion}`,
+          fix: "Reinstall Bun: curl -fsSL https://bun.sh/install | bash"
+        };
+      }
+      const major = Number.parseInt(firstPart, 10);
+      if (major < 1) {
+        return {
+          name: "Package Manager",
+          passed: false,
+          message: `npm v${npmVersion}; bun v${bunVersion}`,
+          fix: "Upgrade Bun: curl -fsSL https://bun.sh/install | bash"
+        };
+      }
       return {
         name: "Package Manager",
-        passed: false,
-        message: `Invalid Bun version format: ${version2}`,
-        fix: "Reinstall Bun: curl -fsSL https://bun.sh/install | bash"
+        passed: true,
+        message: `npm v${npmVersion}; bun v${bunVersion}`
       };
-    }
-    const major = Number.parseInt(firstPart, 10);
-    if (major < 1) {
+    } catch {
       return {
         name: "Package Manager",
-        passed: false,
-        message: `bun v${version2}`,
-        fix: "Upgrade Bun: curl -fsSL https://bun.sh/install | bash"
+        passed: true,
+        message: `npm v${npmVersion}`
       };
     }
-    return {
-      name: "Package Manager",
-      passed: true,
-      message: `bun v${version2}`
-    };
-  } catch {}
-  try {
-    const { stdout } = await execFileAsync("npm", ["--version"]);
-    return {
-      name: "Package Manager",
-      passed: true,
-      message: `npm v${stdout.trim()}`
-    };
   } catch {
     return {
       name: "Package Manager",
       passed: false,
-      message: "Neither Bun nor npm is installed",
-      fix: "Install Bun (recommended): curl -fsSL https://bun.sh/install | bash"
+      message: "npm is not installed",
+      fix: "Install Node.js and npm: https://nodejs.org/"
     };
   }
 }
 async function checkOmniLocalDir() {
-  const exists = existsSync25(".omni");
+  const exists = existsSync26(".omni");
   if (!exists) {
     return {
       name: ".omni/ directory",
@@ -8076,7 +8301,7 @@ async function checkOmniLocalDir() {
 }
 async function checkConfig() {
   const configPath = "omni.toml";
-  if (!existsSync25(configPath)) {
+  if (!existsSync26(configPath)) {
     return {
       name: "Configuration",
       passed: false,
@@ -8103,7 +8328,7 @@ async function checkConfig() {
 }
 async function checkRootGitignore() {
   const gitignorePath = ".gitignore";
-  if (!existsSync25(gitignorePath)) {
+  if (!existsSync26(gitignorePath)) {
     return {
       name: "Root .gitignore",
       passed: false,
@@ -8137,7 +8362,7 @@ async function checkRootGitignore() {
 }
 async function checkCapabilitiesDir() {
   const capabilitiesDirPath = ".omni/capabilities";
-  if (!existsSync25(capabilitiesDirPath)) {
+  if (!existsSync26(capabilitiesDirPath)) {
     return {
       name: "Capabilities Directory",
       passed: true,
@@ -8153,7 +8378,7 @@ async function checkCapabilitiesDir() {
 
 // src/commands/init.ts
 import { exec } from "node:child_process";
-import { existsSync as existsSync26, mkdirSync as mkdirSync10 } from "node:fs";
+import { existsSync as existsSync27, mkdirSync as mkdirSync10 } from "node:fs";
 import { readFile as readFile21, writeFile as writeFile23 } from "node:fs/promises";
 import { promisify as promisify2 } from "node:util";
 init_src();
@@ -8223,7 +8448,7 @@ async function runInit(_flags, providerArg) {
     }
   }
   await writeEnabledProviders(providerIds);
-  if (!existsSync26("omni.toml")) {
+  if (!existsSync27("omni.toml")) {
     await writeConfig({
       profiles: {
         default: {
@@ -8239,7 +8464,7 @@ async function runInit(_flags, providerArg) {
     });
     await setActiveProfile("default");
   }
-  if (!existsSync26("OMNI.md")) {
+  if (!existsSync27("OMNI.md")) {
     await writeFile23("OMNI.md", generateOmniMdTemplate(), "utf-8");
   }
   const config3 = await loadConfig();
@@ -8317,7 +8542,7 @@ async function addProviderFilesToGitignore(entries) {
 async function addToGitignore(entriesToAdd, sectionHeader) {
   const gitignorePath = ".gitignore";
   let content = "";
-  if (existsSync26(gitignorePath)) {
+  if (existsSync27(gitignorePath)) {
     content = await readFile21(gitignorePath, "utf-8");
   }
   const lines = content.split(`
@@ -8349,7 +8574,7 @@ async function getTrackedProviderFiles(files) {
 }
 
 // src/commands/profile.ts
-import { existsSync as existsSync27 } from "node:fs";
+import { existsSync as existsSync28 } from "node:fs";
 init_src();
 import { buildCommand as buildCommand5, buildRouteMap as buildRouteMap3 } from "@stricli/core";
 var listCommand2 = buildCommand5({
@@ -8393,7 +8618,7 @@ var profileRoutes = buildRouteMap3({
 });
 async function runProfileList() {
   try {
-    if (!existsSync27("omni.toml")) {
+    if (!existsSync28("omni.toml")) {
       console.log("✗ No config file found");
       console.log("  Run: omnidev init");
       process.exit(1);
@@ -8433,7 +8658,7 @@ async function runProfileList() {
 }
 async function runProfileSet(profileName) {
   try {
-    if (!existsSync27("omni.toml")) {
+    if (!existsSync28("omni.toml")) {
       console.log("✗ No config file found");
       console.log("  Run: omnidev init");
       process.exit(1);
@@ -8582,7 +8807,7 @@ var providerRoutes = buildRouteMap4({
 
 // src/commands/security.ts
 init_src();
-import { existsSync as existsSync28 } from "node:fs";
+import { existsSync as existsSync29 } from "node:fs";
 import { buildCommand as buildCommand7, buildRouteMap as buildRouteMap5 } from "@stricli/core";
 var VALID_FINDING_TYPES = [
   "unicode_bidi",
@@ -8621,7 +8846,9 @@ async function filterAllowedFindings(summary, options = {}) {
     symlink_escape: 0,
     symlink_absolute: 0,
     suspicious_script: 0,
-    binary_file: 0
+    binary_file: 0,
+    hidden_command: 0,
+    network_request: 0
   };
   const findingsBySeverity = {
     low: 0,
@@ -8699,7 +8926,7 @@ function formatFindingsWithHints(summary) {
 }
 async function runSecurityIssues(flags = {}) {
   try {
-    if (!existsSync28("omni.toml")) {
+    if (!existsSync29("omni.toml")) {
       console.log("No config file found");
       console.log("  Run: omnidev init");
       process.exit(1);
@@ -8954,7 +9181,7 @@ var securityRoutes = buildRouteMap5({
 });
 
 // src/commands/sync.ts
-import { existsSync as existsSync29 } from "node:fs";
+import { existsSync as existsSync30 } from "node:fs";
 init_src();
 import { buildCommand as buildCommand8 } from "@stricli/core";
 var PROVIDERS_STATE_PATH = ".omni/state/providers.json";
@@ -8972,7 +9199,7 @@ async function runSync() {
     const config3 = await loadConfig();
     const activeProfile = await getActiveProfile() ?? "default";
     let adapters = await getEnabledAdapters();
-    if (!existsSync29(PROVIDERS_STATE_PATH) || adapters.length === 0) {
+    if (!existsSync30(PROVIDERS_STATE_PATH) || adapters.length === 0) {
       console.log("No providers configured yet. Select your provider(s):");
       const providerIds = await promptForProviders();
       await writeEnabledProviders(providerIds);
@@ -9182,9 +9409,9 @@ async function buildDynamicApp() {
     security: securityRoutes
   };
   debug("Core routes registered", Object.keys(routes));
-  const configPath = join27(process.cwd(), "omni.toml");
-  debug("Checking for config", { configPath, exists: existsSync30(configPath), cwd: process.cwd() });
-  if (existsSync30(configPath)) {
+  const configPath = join28(process.cwd(), "omni.toml");
+  debug("Checking for config", { configPath, exists: existsSync31(configPath), cwd: process.cwd() });
+  if (existsSync31(configPath)) {
     try {
       debug("Loading capability commands...");
       const capabilityCommands = await loadCapabilityCommands();
@@ -9259,25 +9486,25 @@ async function loadCapabilityCommands() {
   return commands;
 }
 async function loadCapabilityExport(capability3) {
-  const capabilityPath = join27(process.cwd(), capability3.path);
-  const builtIndexPath = join27(capabilityPath, "dist", "index.js");
-  const jsIndexPath = join27(capabilityPath, "index.js");
-  const tsIndexPath = join27(capabilityPath, "index.ts");
+  const capabilityPath = join28(process.cwd(), capability3.path);
+  const builtIndexPath = join28(capabilityPath, "dist", "index.js");
+  const jsIndexPath = join28(capabilityPath, "index.js");
+  const tsIndexPath = join28(capabilityPath, "index.ts");
   debug(`Checking entry points for '${capability3.id}'`, {
     capabilityPath,
     builtIndexPath,
-    builtExists: existsSync30(builtIndexPath),
+    builtExists: existsSync31(builtIndexPath),
     jsIndexPath,
-    jsExists: existsSync30(jsIndexPath),
+    jsExists: existsSync31(jsIndexPath),
     tsIndexPath,
-    tsExists: existsSync30(tsIndexPath)
+    tsExists: existsSync31(tsIndexPath)
   });
   let indexPath = null;
-  if (existsSync30(builtIndexPath)) {
+  if (existsSync31(builtIndexPath)) {
     indexPath = builtIndexPath;
-  } else if (existsSync30(jsIndexPath)) {
+  } else if (existsSync31(jsIndexPath)) {
     indexPath = jsIndexPath;
-  } else if (existsSync30(tsIndexPath)) {
+  } else if (existsSync31(tsIndexPath)) {
     indexPath = tsIndexPath;
   }
   if (!indexPath) {