@orderful/droid 0.45.0 → 0.46.0

package/.claude-plugin/marketplace.json

@@ -9,7 +9,7 @@
     {
       "name": "droid",
       "description": "Core droid meta-skill for update awareness, tool discovery, and usage help. Checks for updates, helps users find tools, and answers 'how do I...' questions about droid workflows.",
-      "version": "0.7.0",
+      "version": "0.7.1",
       "source": {
         "source": "github",
         "repo": "orderful/droid",

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "droid",
-  "version": "0.7.0",
+  "version": "0.7.1",
   "description": "AI-powered development tools for Claude Code",
   "author": {
     "name": "Orderful",
@@ -22,7 +22,9 @@
     "./src/tools/comments/skills/comments/SKILL.md",
     "./src/tools/droid/skills/droid/SKILL.md",
     "./src/tools/droid/skills/droid-bootstrap/SKILL.md",
+    "./src/tools/edi-schema/skills/edi-schema/SKILL.md",
     "./src/tools/meeting/skills/meeting/SKILL.md",
+    "./src/tools/pii/skills/pii/SKILL.md",
     "./src/tools/plan/skills/plan/SKILL.md",
     "./src/tools/project/skills/project/SKILL.md",
     "./src/tools/release/skills/release/SKILL.md",
@@ -38,7 +40,9 @@
     "./src/tools/codex/commands/codex.md",
     "./src/tools/comments/commands/comments.md",
     "./src/tools/droid/commands/setup.md",
+    "./src/tools/edi-schema/commands/edi-schema.md",
     "./src/tools/meeting/commands/meeting.md",
+    "./src/tools/pii/commands/pii.md",
     "./src/tools/plan/commands/plan.md",
     "./src/tools/project/commands/project.md",
     "./src/tools/release/commands/release.md",
@@ -52,6 +56,8 @@
     "./src/tools/code-review/agents/error-handling-reviewer.md",
     "./src/tools/code-review/agents/test-coverage-analyzer.md",
     "./src/tools/code-review/agents/type-reviewer.md",
-    "./src/tools/codex/agents/codex-document-processor.md"
+    "./src/tools/codex/agents/codex-document-processor.md",
+    "./src/tools/edi-schema/agents/edi-schema-agent.md",
+    "./src/tools/pii/agents/pii-scanner.md"
   ]
 }

package/.github/workflows/claude-issue-agent.yml

@@ -148,7 +148,6 @@ jobs:
         id: implement
         uses: anthropics/claude-code-action@v1
         with:
-          github_token: ${{ github.token }}
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
           track_progress: true
 
@@ -199,7 +198,7 @@ jobs:
         continue-on-error: true
         if: steps.implement.outputs.branch_name
         env:
-          GH_TOKEN: ${{ steps.implement.outputs.github_token || github.token }}
+          GH_TOKEN: ${{ github.token }}
           PLAN_JSON: ${{ steps.plan.outputs.structured_output }}
         run: |
           BRANCH="${{ steps.implement.outputs.branch_name }}"

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # @orderful/droid
 
+## 0.46.0
+
+### Minor Changes
+
+- [#293](https://github.com/Orderful/droid/pull/293) [`66a2fd2`](https://github.com/Orderful/droid/commit/66a2fd20b1cbb13ea8ce54e1e7c7a9b9de835a7e) Thanks [@frytyler](https://github.com/frytyler)! - Add pii tool for PII detection and redaction powered by Microsoft Presidio with bundled Python venv, pii-scanner sub-agent, and scan/redact commands.
+
+## 0.45.1
+
+### Patch Changes
+
+- [#289](https://github.com/Orderful/droid/pull/289) [`f6e43e5`](https://github.com/Orderful/droid/commit/f6e43e52069e53cb8c4000455e46b04ddd515ea8) Thanks [@claude](https://github.com/apps/claude)! - droid: add alwaysApply: true to droid-bootstrap and droid skills so update awareness and tool discovery load every session
+
+- [#291](https://github.com/Orderful/droid/pull/291) [`b5819c2`](https://github.com/Orderful/droid/commit/b5819c254dabd51bb1e85e423e3163d057d502e3) Thanks [@frytyler](https://github.com/frytyler)! - add new `edi-schema` tool with skill, command, and specialized sub-agent for querying X12/EDIFACT schemas using targeted extraction strategies
+
 ## 0.45.0
 
 ### Minor Changes

package/dist/tools/droid/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "droid",
-  "version": "0.7.0",
+  "version": "0.7.1",
   "description": "Core droid meta-skill for update awareness, tool discovery, and usage help. Checks for updates, helps users find tools, and answers 'how do I...' questions about droid workflows.",
   "author": {
     "name": "Orderful",

package/dist/tools/droid/TOOL.yaml

@@ -1,6 +1,6 @@
 name: droid
 description: "Core droid meta-skill for update awareness, tool discovery, and usage help. Checks for updates, helps users find tools, and answers 'how do I...' questions about droid workflows."
-version: 0.7.0
+version: 0.7.1
 status: beta
 
 # System tool - always stays current regardless of auto-update settings

package/dist/tools/droid/skills/droid/SKILL.md

@@ -1,6 +1,7 @@
 ---
 name: droid
 description: "Core droid meta-skill for updates, tool discovery, usage help, and skill overrides. Use when checking for droid updates, discovering available tools, answering 'how do I...' questions about droid workflows, or customizing skill behaviour. User prompts like 'any droid updates?', 'what tools do I have?', 'what tools do you have?', 'remind me what tools you have', 'hey droid what can you do', 'how do I add context?', 'remind me how to use codex', 'what's the best way to start a session?', 'customize brain search', 'create an override for brain'."
+alwaysApply: true
 allowed-tools: [Bash, Read, Write]
 ---
 

package/dist/tools/droid/skills/droid-bootstrap/SKILL.md

@@ -1,6 +1,7 @@
 ---
 name: droid-bootstrap
 description: "Lightweight droid bootstrap for update awareness. Checks for droid updates once per session."
+alwaysApply: true
 allowed-tools: [Bash]
 ---
 

package/dist/tools/edi-schema/.claude-plugin/plugin.json

@@ -0,0 +1,25 @@
+{
+  "name": "droid-edi-schema",
+  "version": "0.1.0",
+  "description": "Query EDI schemas without context overhead. Uses a sub-agent to inspect large schema and code-list files, then returns concise results.",
+  "author": {
+    "name": "Orderful",
+    "url": "https://github.com/orderful"
+  },
+  "repository": "https://github.com/orderful/droid",
+  "license": "MIT",
+  "keywords": [
+    "droid",
+    "ai",
+    "edi-schema"
+  ],
+  "skills": [
+    "./skills/edi-schema/SKILL.md"
+  ],
+  "commands": [
+    "./commands/edi-schema.md"
+  ],
+  "agents": [
+    "./agents/edi-schema-agent.md"
+  ]
+}

package/dist/tools/edi-schema/TOOL.yaml

@@ -0,0 +1,29 @@
+name: edi-schema
+description: "Query EDI schemas without context overhead. Uses a sub-agent to inspect large schema and code-list files, then returns concise results."
+version: 0.1.0
+status: beta
+
+includes:
+  skills:
+    - name: edi-schema
+      required: true
+  commands:
+    - name: edi-schema
+      is_alias: false
+  agents:
+    - edi-schema-agent
+
+dependencies: []
+
+prerequisites:
+  - name: jq
+    description: JSON query tool used for targeted schema extraction
+    check: "jq --version"
+    install_hint: "brew install jq"
+
+config_schema:
+  schemas_dir:
+    type: string
+    description: "Optional absolute path to a repository containing libs/schemas/. If empty, auto-detect from current workspace."
+    required: false
+    default: ""

package/dist/tools/edi-schema/agents/edi-schema-agent.md

@@ -0,0 +1,97 @@
+---
+name: edi-schema-agent
+description: "Specialized EDI schema query agent. Uses jq and targeted reads to extract precise schema details with minimal output."
+tools:
+  - Read
+  - Glob
+  - Grep
+  - Bash
+color: blue
+---
+
+You are an EDI schema analysis agent. Your job is to query large schema files and return concise, accurate findings.
+
+## Inputs
+
+You will receive:
+
+1. `schemasRoot`: Absolute repo path containing `libs/schemas/src/lib/data`
+2. `mode`: One of `field-search`, `segments`, `loops`, `codes`, `versions`, `types`
+3. `transactionType`: Full or short transaction type identifier
+4. `schemaFile` (optional): Resolved schema file path for schema-specific modes
+5. `query` (optional): Search text for `field-search`
+6. `elementId` (optional): Element identifier for `codes`
+
+## Rules
+
+- Prioritize correctness over broad output.
+- Never output full JSON blobs.
+- Keep returned content compact and actionable.
+- Prefer jq for extraction. If jq is missing, use `rg` + targeted reads.
+
+## Query Strategies
+
+### `field-search`
+
+Run exact identifier and title-first queries before fuzzy search:
+
+```bash
+jq '.. | objects | select(.elementIdentifier? == $id)' --arg id "{query}" "{schemaFile}"
+jq '.. | objects | select(.title? == $title)' --arg title "{query}" "{schemaFile}"
+jq '.. | objects | select(.title? | test($q; "i"))' --arg q "{query}" "{schemaFile}"
+```
+
+Return top matches including:
+
+- `elementIdentifier` (if present)
+- `title`
+- `schemaType`
+- `X12Requirement` / relevant requirement field
+- a concise path hint when derivable
+
+### `segments`
+
+```bash
+jq '[.. | objects | select(.schemaType? == "segmentInstance") | {title, requirement: .X12Requirement}] | unique' "{schemaFile}"
+```
+
+Return deduplicated segment names and requirement info.
+
+### `loops`
+
+```bash
+jq '[.. | objects | select(.schemaType? | test("loop")) | {title, schemaType}]' "{schemaFile}"
+```
+
+Return loop hierarchy summary. Include parent-child nesting hints if visible.
+
+### `codes`
+
+Find likely code-list file (for example `x12_004010_codeList.json`), then:
+
+```bash
+jq --arg id "{elementId}" '.[$id]' "{codeListFile}"
+```
+
+Return code values and descriptions. If no entry exists, return "not found" and suggest checking identifier/version.
+
+### `versions`
+
+List available schema filenames matching type in x12 + edifact directories, then normalize to type/version list.
+
+### `types`
+
+Read `transactionTypes.json` and return a concise sorted list (or filtered list if query provided).
+
+## Output Format
+
+Respond in markdown with this structure:
+
+1. `Resolved:` line (type/version and file used)
+2. `Results:` compact bullets or table
+3. `Notes:` any ambiguity, fallbacks, or missing data
+
+If no match:
+
+- state that clearly
+- provide 2-5 nearest alternatives when possible

package/dist/tools/edi-schema/commands/edi-schema.md

@@ -0,0 +1,33 @@
+---
+name: edi-schema
+description: "Query EDI schemas (X12/EDIFACT) without context blowup. Find fields, segments, loops, and code-list values."
+argument-hint: "{transactionType|types|versions {transactionType}} [{query|--segments|--loops|--codes {elementId}}]"
+---
+
+# /edi-schema
+
+**User invoked:** `/edi-schema $ARGUMENTS`
+
+**Your task:** Invoke the **edi-schema skill** with these arguments.
+
+## Examples
+
+- `/edi-schema 944_004010 freeFormDescription`
+- `/edi-schema 850 --segments`
+- `/edi-schema 856_004010 --loops`
+- `/edi-schema 850 --codes BEG01`
+- `/edi-schema types`
+- `/edi-schema versions 850`
+
+## Quick Reference
+
+```bash
+/edi-schema {transactionType} {query}     # Search fields/elements
+/edi-schema {transactionType} --segments  # List segment set
+/edi-schema {transactionType} --loops     # Show loop structure
+/edi-schema {transactionType} --codes ID  # Code-list values for element
+/edi-schema types                         # List transaction types
+/edi-schema versions {transactionType}    # List available versions
+```
+
+See the **edi-schema skill** for full behaviour and resolution rules.

package/dist/tools/edi-schema/skills/edi-schema/SKILL.md

@@ -0,0 +1,86 @@
+---
+name: edi-schema
+description: "Query EDI schemas without consuming parent context. Use when finding fields, loops, segments, requirements, or code-list values for X12/EDIFACT transaction types. User prompts like '/edi-schema 944_004010 freeFormDescription' or '/edi-schema 850 --codes BEG01'."
+argument-hint: "{transactionType|types|versions {transactionType}} [{query|--segments|--loops|--codes {elementId}}]"
+allowed-tools: [Read, Glob, Grep, Bash, Task]
+---
+
+# EDI Schema Skill
+
+Query EDI schemas through a sub-agent so large schema JSON files never enter parent context.
+
+## Commands
+
+```bash
+/edi-schema {transactionType} {query}
+/edi-schema {transactionType} --segments
+/edi-schema {transactionType} --loops
+/edi-schema {transactionType} --codes {elementId}
+/edi-schema types
+/edi-schema versions {transactionType}
+```
+
+## Input Rules
+
+- `transactionType` accepts either full form (`850_004010`, `ORDERS_D96A`) or short form (`850`, `ORDERS`).
+- If short form is used, resolve to the most common version and state which version was selected.
+- If multiple plausible versions exist and no safe default is clear, show options and ask user to pick.
+
+## Data Sources
+
+Expected paths in the target schemas repo:
+
+- `libs/schemas/src/lib/data/transactionSchemas/x12/`
+- `libs/schemas/src/lib/data/transactionSchemas/edifact/`
+- `libs/schemas/src/lib/data/codeLists/`
+- `libs/schemas/src/lib/data/transactionTypes.json`
+
+## Procedure
+
+### 1. Resolve schemas root
+
+1. Check `droid config --get tools.edi-schema.schemas_dir`.
+2. If configured and valid, use it.
+3. Otherwise auto-detect from current workspace by finding `libs/schemas/src/lib/data/`.
+4. If not found, ask user for the repo path or suggest setting `tools.edi-schema.schemas_dir`.
+
+### 2. Route command
+
+- `types`:
+  - List transaction types from `transactionTypes.json` (type + description where available).
+- `versions {transactionType}`:
+  - List matching schema versions from x12/edifact schema filenames.
+- `{transactionType} --segments`:
+  - Ask sub-agent for unique segment list and requirement indicators.
+- `{transactionType} --loops`:
+  - Ask sub-agent for loop hierarchy.
+- `{transactionType} --codes {elementId}`:
+  - Ask sub-agent for code-list values for the requested element ID.
+- `{transactionType} {query}`:
+  - Ask sub-agent to search by identifier/title/business term and return best matches.
+
+### 3. Sub-agent handoff
+
+Use `edi-schema-agent` for all schema/content queries. Pass:
+
+- Resolved schemas root
+- Resolved schema file path + transaction type/version
+- Query mode (`field-search`, `segments`, `loops`, `codes`, `versions`, `types`)
+- User input (`query`, `elementId`)
+
+### 4. Response format
+
+Keep responses compact and structured:
+
+- Header with resolved schema (`850_004010`, etc.)
+- Result table or bullets with identifiers and titles
+- Requirement/type constraints where relevant
+- Path hints (loop/segment path) when available
+- Clear next step if no matches
+
+## Behaviour Rules
+
+- Never dump the entire schema JSON.
+- Prefer exact identifier match first (for example `BEG01`) before fuzzy title matching.
+- When no exact match, return top fuzzy matches with confidence notes.
+- If jq is unavailable, fall back to `rg`/targeted reads and state that fallback was used.

package/dist/tools/pii/.claude-plugin/plugin.json

@@ -0,0 +1,25 @@
+{
+  "name": "droid-pii",
+  "version": "0.1.0",
+  "description": "Detect and redact PII (personally identifiable information) in text files. Powered by Microsoft Presidio with a bundled Python venv — zero external dependencies after first run.",
+  "author": {
+    "name": "Orderful",
+    "url": "https://github.com/orderful"
+  },
+  "repository": "https://github.com/orderful/droid",
+  "license": "MIT",
+  "keywords": [
+    "droid",
+    "ai",
+    "pii"
+  ],
+  "skills": [
+    "./skills/pii/SKILL.md"
+  ],
+  "commands": [
+    "./commands/pii.md"
+  ],
+  "agents": [
+    "./agents/pii-scanner.md"
+  ]
+}

package/dist/tools/pii/TOOL.yaml

@@ -0,0 +1,22 @@
+name: pii
+description: "Detect and redact PII (personally identifiable information) in text files. Powered by Microsoft Presidio with a bundled Python venv — zero external dependencies after first run."
+version: 0.1.0
+status: beta
+
+includes:
+  skills:
+    - name: pii
+      required: true
+  commands:
+    - name: pii
+      is_alias: false
+  agents:
+    - pii-scanner
+
+dependencies: []
+
+prerequisites:
+  - name: python3
+    description: "Python 3.8+ required to run the Presidio venv"
+    check: "python3 --version"
+    install_hint: "Install Python 3 from python.org or via: brew install python3"

package/dist/tools/pii/agents/pii-scanner.md

@@ -0,0 +1,85 @@
+---
+name: pii-scanner
+description: "Isolated PII analysis agent. Runs presidio-analyze.ts in a contained context so raw entity values never appear in the parent conversation. Use PROACTIVELY when the pii skill delegates scan operations."
+tools:
+  - Bash
+color: orange
+---
+
+You are a PII scanning agent. Your sole job is to run `presidio-analyze.ts` on a file or text and return a structured summary — without leaking raw PII values into the conversation.
+
+## Inputs
+
+You will receive:
+
+1. `file_path` — absolute path to the file to scan (preferred), OR
+2. `text_content` — inline text to scan (for small strings only)
+3. `entities` (optional) — comma-separated list of entity types to filter (e.g. `EMAIL_ADDRESS,PHONE_NUMBER`)
+4. `venv_path` (optional) — override for the Presidio venv path (default: `~/.droid/runtimes/presidio/`)
+
+## Rules
+
+- **Never echo raw PII values** in your output — return entity types, counts, and line numbers only
+- Make exactly one Bash call to `presidio-analyze.ts`
+- Parse the JSON result and return only the structured summary
+- If the script returns `init_required: true`, stop and tell the parent skill to run `presidio-init.ts` first
+- If the file does not exist, return a clear error
+
+## Procedure
+
+1. Build the command:
+   ```bash
+   droid exec pii presidio-analyze --file <file_path> [--entities <types>]
+   ```
+   (Use `--text` only for inline strings under ~1000 characters)
+
+2. Parse the JSON output from the script
+
+3. From the `entities` array, compute:
+   - `total_entities`: total count
+   - `by_type`: entity type → count map
+   - `lines_affected`: sorted unique list of line numbers
+   - `sample_lines`: up to 5 line numbers with the entity types found on each line
+
+4. Return the structured summary (see Output Format below)
+
+## Output Format
+
+Return JSON:
+
+```json
+{
+  "file": "/path/to/file.md",
+  "total_entities": 3,
+  "by_type": {
+    "EMAIL_ADDRESS": 2,
+    "PHONE_NUMBER": 1
+  },
+  "lines_affected": [4, 8, 12],
+  "sample_lines": [
+    { "line": 4, "types": ["EMAIL_ADDRESS"] },
+    { "line": 8, "types": ["PHONE_NUMBER"] },
+    { "line": 12, "types": ["EMAIL_ADDRESS"] }
+  ]
+}
+```
+
+If no entities are found:
+```json
+{
+  "file": "/path/to/file.md",
+  "total_entities": 0,
+  "by_type": {},
+  "lines_affected": [],
+  "sample_lines": []
+}
+```
+
+If an error occurs:
+```json
+{
+  "file": "/path/to/file.md",
+  "error": "...",
+  "init_required": true
+}
+```

package/dist/tools/pii/commands/pii.md

@@ -0,0 +1,33 @@
+---
+name: pii
+description: "Detect and redact PII (personally identifiable information) in files and directories. Powered by Microsoft Presidio."
+argument-hint: "[scan | redact] {file|dir} [--entities TYPES] [--output PATH] [--dry-run] [--mask]"
+---
+
+# /pii
+
+**User invoked:** `/pii $ARGUMENTS`
+
+**Your task:** Invoke the **pii skill** with these arguments.
+
+## Examples
+
+- `/pii scan transcript.md`
+- `/pii scan ./meeting-notes/`
+- `/pii redact transcript.md --output transcript-clean.md`
+- `/pii redact transcript.md --dry-run`
+- `/pii redact transcript.md --entities PHONE_NUMBER,EMAIL_ADDRESS`
+
+## Quick Reference
+
+```bash
+/pii scan {file}                              # Scan file for PII
+/pii scan {dir}                               # Scan directory recursively
+/pii redact {file}                            # Redact PII (writes {file}-redacted.{ext})
+/pii redact {file} --output {out}             # Redact to specific output path
+/pii redact {file} --dry-run                  # Preview redactions without writing
+/pii redact {file} --entities TYPES           # Redact only specific entity types
+/pii redact {file} --mask                     # Use *** instead of <ENTITY_TYPE>
+```
+
+See the **pii skill** for full behaviour, procedure, and supported entity types.

package/dist/tools/pii/skills/pii/SKILL.md

@@ -0,0 +1,97 @@
+---
+name: pii
+description: "Detect and redact PII in text files and directories. Use when scanning files for sensitive data before sharing, or redacting emails, phone numbers, credit cards, SSNs, and other PII. User prompts like '/pii scan transcript.md' or '/pii redact meeting-notes/ --dry-run'."
+argument-hint: "[scan | redact] {file|dir} [--entities TYPES] [--output PATH] [--dry-run] [--mask]"
+allowed-tools: [Read, Glob, Grep, Bash, Task]
+---
+
+# PII Skill
+
+Detect and redact personally identifiable information using Microsoft Presidio — deterministic pattern matching + NER, fully offline after first run.
+
+## Usage
+
+```bash
+/pii scan transcript.md                          # Scan a file for PII
+/pii scan ./meeting-notes/                       # Scan a directory recursively
+/pii redact transcript.md                        # Redact PII in-place (writes to transcript-redacted.md)
+/pii redact transcript.md --output clean.md      # Redact to specific output file
+/pii redact transcript.md --dry-run              # Preview redactions without writing
+/pii redact transcript.md --entities PHONE_NUMBER,EMAIL_ADDRESS  # Redact specific types only
+/pii redact transcript.md --mask                 # Use *** instead of <ENTITY_TYPE> placeholders
+```
+
+## Procedure
+
+### Step 0: Ensure Presidio venv is ready
+
+Before any scan or redact operation, verify the venv exists:
+
+```bash
+droid exec pii presidio-init
+```
+
+On first run this takes ~2–3 min (downloads Presidio packages + spaCy en_core_web_lg model). Subsequent runs return immediately (`already_existed: true`).
+
+If init fails, surface the error and stop — do not attempt to run analysis without the venv.
+
+### Step 1: Route on subcommand
+
+Parse the first argument:
+- `scan` → proceed to Step 2
+- `redact` → proceed to Step 3
+- anything else → show usage and stop
+
+### Step 2: Scan (delegate to pii-scanner agent)
+
+The `pii-scanner` agent runs analysis in an isolated context so raw PII values never appear in the parent conversation.
+
+**For a single file:**
+Delegate to the `pii-scanner` agent with `file_path` set to the absolute path.
+
+**For a directory:**
+Use `Glob` to find text files matching: `**/*.{md,txt,ts,js,json,yaml,yml,csv,html,xml}`
+Delegate each file to `pii-scanner` individually and aggregate results.
+
+**Display results:**
+Show entity types, counts, and affected line numbers only — never print raw PII values.
+
+Example output:
+```
+transcript.md: 3 PII entities found
+  EMAIL_ADDRESS × 2  (lines 4, 12)
+  PHONE_NUMBER × 1   (line 8)
+```
+
+### Step 3: Redact (run presidio-redact.ts directly)
+
+```bash
+droid exec pii presidio-redact \
+  --file <path> \
+  [--output <path>] \
+  [--dry-run] \
+  [--entities <TYPES>] \
+  [--mask]
+```
+
+Parse the JSON result and display:
+- Number of entities found and redacted
+- Output file path (if written)
+- In `--dry-run` mode: show a brief diff preview (first 10 redacted lines), but do NOT echo the full `redacted_text` field by default
+
+**Never echo `redacted_text` in full to the terminal** unless the user explicitly requests it.
+
+### Step 4: Format and present results
+
+- Always show: entity type, count, affected lines
+- On success for redact: confirm output path and entity counts
+- On failure: surface the error from the script's `error` field with actionable next steps
+
+## Behaviour Rules
+
+- **Never print raw PII values** to the terminal — always show types + line numbers only
+- For `--dry-run` redact, show a preview diff (10 lines max) not the full document
+- If `python3` is not found, show a clear install message from the prerequisite check
+- Binary files and unknown extensions are skipped during directory scans
+- The `pii-scanner` agent handles the isolation boundary for `scan`; `redact` operates directly since the redacted output is the goal
+- Supported entity types are listed in `references/supported-entities.md`