@phren/cli 0.0.10 → 0.0.11

package/mcp/dist/shared-retrieval.js

@@ -4,7 +4,7 @@ import { queryDocRows, queryRows, cosineFallback, extractSnippet, getDocSourceKe
 import { filterTrustedFindingsDetailed, } from "./shared-content.js";
 import { parseCitationComment } from "./content-citation.js";
 import { getHighImpactFindings } from "./finding-impact.js";
-import { buildFtsQueryVariants, buildRelaxedFtsQuery, isFeatureEnabled, STOP_WORDS } from "./utils.js";
+import { buildFtsQueryVariants, buildRelaxedFtsQuery, isFeatureEnabled, STOP_WORDS, errorMessage } from "./utils.js";
 import * as fs from "fs";
 import * as path from "path";
 import { getProjectGlobBoost } from "./cli-hooks-globs.js";
@@ -34,17 +34,23 @@ const TASK_RESCUE_SCORE_MARGIN = 0.6;
 /** Fraction of bullets that must be low-value before applying the low-value penalty. */
 const LOW_VALUE_BULLET_FRACTION = 0.5;
 // ── Intent and scoring helpers ───────────────────────────────────────────────
+const INTENT_SKILL_CMD_RE = /(?:^|\s)\/(?!(?:home|usr|var|tmp|etc|opt|api|mnt)\b)[a-z][\w-]*\b/;
+const INTENT_SKILL_KW_RE = /\bskill\b/;
+const INTENT_DEBUG_RE = /(bug|error|fix|broken|regression|fail|stack trace)/;
+const INTENT_REVIEW_RE = /(review|audit|pr|pull request|nit|refactor)/;
+const INTENT_BUILD_RE = /(build|deploy|release|ci|workflow|pipeline|test)/;
+const INTENT_DOCS_RE = /\b(doc|docs|readme|explain|guide|instructions?)\b/;
 export function detectTaskIntent(prompt) {
     const p = prompt.toLowerCase();
-    if (/(?:^|\s)\/(?!(?:home|usr|var|tmp|etc|opt|api|mnt)\b)[a-z][\w-]*\b/.test(p) || /\bskill\b/.test(p))
+    if (INTENT_SKILL_CMD_RE.test(p) || INTENT_SKILL_KW_RE.test(p))
         return "skill";
-    if (/(bug|error|fix|broken|regression|fail|stack trace)/.test(p))
+    if (INTENT_DEBUG_RE.test(p))
         return "debug";
-    if (/(review|audit|pr|pull request|nit|refactor)/.test(p))
+    if (INTENT_REVIEW_RE.test(p))
         return "review";
-    if (/(build|deploy|release|ci|workflow|pipeline|test)/.test(p))
+    if (INTENT_BUILD_RE.test(p))
         return "build";
-    if (/\b(doc|docs|readme|explain|guide|instructions?)\b/.test(p))
+    if (INTENT_DOCS_RE.test(p))
         return "docs";
     return "general";
 }
@@ -385,8 +391,8 @@ export async function searchDocumentsAsync(db, safeQuery, prompt, keywords, dete
     }
     catch (err) {
         // Vector search failure is non-fatal — return sync result
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-            process.stderr.write(`[phren] hybridSearch vectorFallback: ${err instanceof Error ? err.message : String(err)}\n`);
+        if ((process.env.PHREN_DEBUG))
+            process.stderr.write(`[phren] hybridSearch vectorFallback: ${errorMessage(err)}\n`);
         return syncResult;
     }
 }
@@ -445,7 +451,7 @@ export async function searchKnowledgeRows(db, options) {
             }
         }
         catch (err) {
-            debugLog(`rowid dedup query failed: ${err instanceof Error ? err.message : String(err)}`);
+            debugLog(`rowid dedup query failed: ${errorMessage(err)}`);
         }
         const cosineResults = cosineFallback(db, query, ftsRowids, maxResults - rows.length)
             .filter((doc) => (!filterProject || doc.project === filterProject) && (!filterType || doc.type === filterType));
@@ -485,8 +491,8 @@ export async function searchKnowledgeRows(db, options) {
             }
         }
         catch (err) {
-            if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG)) {
-                process.stderr.write(`[phren] vectorFallback: ${err instanceof Error ? err.message : String(err)}\n`);
+            if ((process.env.PHREN_DEBUG)) {
+                process.stderr.write(`[phren] vectorFallback: ${errorMessage(err)}\n`);
             }
         }
     }
@@ -732,8 +738,8 @@ export function markStaleCitations(snippet) {
                             }
                         }
                         catch (err) {
-                            if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-                                process.stderr.write(`[phren] applyCitationAnnotations fileRead: ${err instanceof Error ? err.message : String(err)}\n`);
+                            if ((process.env.PHREN_DEBUG))
+                                process.stderr.write(`[phren] applyCitationAnnotations fileRead: ${errorMessage(err)}\n`);
                             stale = true;
                         }
                     }

package/mcp/dist/shared-search-fallback.js

@@ -1,6 +1,6 @@
 import { createHash } from "crypto";
 import { debugLog } from "./shared.js";
-import { STOP_WORDS } from "./utils.js";
+import { STOP_WORDS, errorMessage } from "./utils.js";
 import { porterStem } from "./shared-stemmer.js";
 import { classifyFile, normalizeIndexedContent, rowToDocWithRowid } from "./shared-index.js";
 import { embedText, cosineSimilarity, getEmbeddingModel, getOllamaUrl, getCloudEmbeddingUrl } from "./shared-ollama.js";
@@ -191,8 +191,8 @@ export function cosineFallback(db, query, excludeRowids, limit) {
         }
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-            process.stderr.write(`[phren] cosineFallback count: ${err instanceof Error ? err.message : String(err)}\n`);
+        if ((process.env.PHREN_DEBUG))
+            process.stderr.write(`[phren] cosineFallback count: ${errorMessage(err)}\n`);
         return [];
     }
     if (totalDocs > COSINE_MAX_CORPUS) {
@@ -220,8 +220,8 @@ export function cosineFallback(db, query, excludeRowids, limit) {
                         ftsRows.push(...ftsRes[0].values);
                 }
                 catch (err) {
-                    if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-                        process.stderr.write(`[phren] cosineFallback FTS pre-filter: ${err instanceof Error ? err.message : String(err)}\n`);
+                    if ((process.env.PHREN_DEBUG))
+                        process.stderr.write(`[phren] cosineFallback FTS pre-filter: ${errorMessage(err)}\n`);
                 }
             }
             // If FTS gave fewer than cap, supplement with deterministic rowid windows.
@@ -258,8 +258,8 @@ export function cosineFallback(db, query, excludeRowids, limit) {
                     }
                 }
                 catch (err) {
-                    if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-                        process.stderr.write(`[phren] cosineFallback deterministicSample: ${err instanceof Error ? err.message : String(err)}\n`);
+                    if ((process.env.PHREN_DEBUG))
+                        process.stderr.write(`[phren] cosineFallback deterministicSample: ${errorMessage(err)}\n`);
                 }
             }
             if (ftsRows.length === 0)
@@ -269,8 +269,8 @@ export function cosineFallback(db, query, excludeRowids, limit) {
         }
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-            process.stderr.write(`[phren] cosineFallback loadDocs: ${err instanceof Error ? err.message : String(err)}\n`);
+        if ((process.env.PHREN_DEBUG))
+            process.stderr.write(`[phren] cosineFallback loadDocs: ${errorMessage(err)}\n`);
         return [];
     }
     // Separate rowids, DocRows, and content strings for scoring
@@ -315,8 +315,8 @@ export async function vectorFallback(phrenPath, query, excludePaths, limit, proj
             await cache.load();
         }
         catch (err) {
-            if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-                process.stderr.write(`[phren] vectorFallback cacheLoad: ${err instanceof Error ? err.message : String(err)}\n`);
+            if ((process.env.PHREN_DEBUG))
+                process.stderr.write(`[phren] vectorFallback cacheLoad: ${errorMessage(err)}\n`);
         }
     }
     if (cache.size() === 0)
@@ -367,8 +367,8 @@ export async function vectorFallback(phrenPath, query, excludePaths, limit, proj
             }
         }
         catch (err) {
-            if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-                process.stderr.write(`[phren] vectorFallback fileRead: ${err instanceof Error ? err.message : String(err)}\n`);
+            if ((process.env.PHREN_DEBUG))
+                process.stderr.write(`[phren] vectorFallback fileRead: ${errorMessage(err)}\n`);
         }
         return { project: entryProject, filename, type, content, path: e.path };
     });

package/mcp/dist/shared-sqljs.js

@@ -2,6 +2,7 @@ import * as fs from "fs";
 import * as path from "path";
 import { fileURLToPath } from "url";
 import { createRequire } from "module";
+import { errorMessage } from "./utils.js";
 const require = createRequire(import.meta.url);
 /**
  * Locate the sql.js-fts5 WASM binary by require.resolve with path-probe fallback.
@@ -14,8 +15,8 @@ function findWasmBinary() {
             return fs.readFileSync(resolved);
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-            process.stderr.write(`[phren] findWasmBinary requireResolve: ${err instanceof Error ? err.message : String(err)}\n`);
+        if ((process.env.PHREN_DEBUG))
+            process.stderr.write(`[phren] findWasmBinary requireResolve: ${errorMessage(err)}\n`);
         // fall through to path probing
     }
     const __filename = fileURLToPath(import.meta.url);

package/mcp/dist/shared.js

@@ -50,7 +50,7 @@ export function appendAuditLog(phrenPath, event, details) {
                 break;
             }
             catch (err) {
-                if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
+                if ((process.env.PHREN_DEBUG))
                     process.stderr.write(`[phren] appendAuditLog lockWrite: ${errorMessage(err)}\n`);
                 try {
                     const stat = fs.statSync(lockPath);
@@ -68,7 +68,7 @@ export function appendAuditLog(phrenPath, event, details) {
                     }
                 }
                 catch (statErr) {
-                    if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
+                    if ((process.env.PHREN_DEBUG))
                         process.stderr.write(`[phren] appendAuditLog staleStat: ${errorMessage(statErr)}\n`);
                 }
                 Atomics.wait(waiter, 0, 0, pollMs);
@@ -97,7 +97,7 @@ export function appendAuditLog(phrenPath, event, details) {
                 fs.unlinkSync(lockPath);
             }
             catch (err) {
-                if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
+                if ((process.env.PHREN_DEBUG))
                     process.stderr.write(`[phren] appendAuditLog unlock: ${errorMessage(err)}\n`);
             }
         }

package/mcp/dist/shell-input.js

@@ -379,7 +379,7 @@ export async function executePalette(host, input) {
                 }
             }
             catch (err) {
-                if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
+                if ((process.env.PHREN_DEBUG))
                     process.stderr.write(`[phren] shell status gitStatus: ${errorMessage(err)}\n`);
             }
             const auditPathNew = runtimeFile(host.phrenPath, "audit.log");

package/mcp/dist/shell-state-store.js

@@ -45,7 +45,7 @@ export function loadShellState(phrenPath) {
         };
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
+        if ((process.env.PHREN_DEBUG))
             process.stderr.write(`[phren] loadShellState parse: ${errorMessage(err)}\n`);
         return fallback;
     }

package/mcp/dist/shell-view.js

@@ -13,6 +13,7 @@ import { listMachines, listProfiles, } from "./data-access.js";
 import { readInstallPreferences } from "./init-preferences.js";
 import { isProjectHookEnabled, readProjectConfig } from "./project-config.js";
 import { getScopedSkills } from "./skill-registry.js";
+import { errorMessage } from "./utils.js";
 // ── Tab bar ────────────────────────────────────────────────────────────────
 function renderTabBar(state) {
     const cols = renderWidth();
@@ -248,8 +249,8 @@ function parseSubsections(taskPath, project, cache) {
         }
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-            process.stderr.write(`[phren] buildSubsectionMap: ${err instanceof Error ? err.message : String(err)}\n`);
+        if ((process.env.PHREN_DEBUG))
+            process.stderr.write(`[phren] buildSubsectionMap: ${errorMessage(err)}\n`);
     }
     const newCache = { project, map };
     return { map, cache: newCache };

package/mcp/dist/shell.js

@@ -72,7 +72,7 @@ export class PhrenShell {
             }
         }
         catch (err) {
-            if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
+            if ((process.env.PHREN_DEBUG))
                 process.stderr.write(`[phren] shell pushUndo: ${errorMessage(err)}\n`);
         }
     }

package/mcp/dist/skill-files.js

@@ -5,6 +5,7 @@ import { findProjectDir } from "./project-locator.js";
 import { buildSkillManifest } from "./skill-registry.js";
 import { setSkillEnabled } from "./skill-state.js";
 import { errorMessage } from "./utils.js";
+import { isManagedSymlink } from "./link-skills.js";
 function normalizeSkillRemovalTarget(skillPath) {
     if (!skillPath)
         return skillPath;
@@ -19,10 +20,9 @@ function symlinkManagedSkill(src, dest, managedRoot) {
         if (stat.isSymbolicLink()) {
             const currentTarget = fs.readlinkSync(dest);
             const resolvedTarget = path.resolve(path.dirname(dest), currentTarget);
-            const managedPrefix = path.resolve(managedRoot) + path.sep;
             if (resolvedTarget === path.resolve(src))
                 return;
-            if (!resolvedTarget.startsWith(managedPrefix))
+            if (!isManagedSymlink(dest, managedRoot))
                 return;
             fs.unlinkSync(dest);
         }
@@ -39,18 +39,12 @@ function symlinkManagedSkill(src, dest, managedRoot) {
 }
 function removeManagedSkillLink(dest, managedRoot) {
     try {
-        const stat = fs.lstatSync(dest);
-        if (!stat.isSymbolicLink())
-            return;
-        const currentTarget = fs.readlinkSync(dest);
-        const resolvedTarget = path.resolve(path.dirname(dest), currentTarget);
-        const managedPrefix = path.resolve(managedRoot) + path.sep;
-        if (!resolvedTarget.startsWith(managedPrefix))
+        if (!isManagedSymlink(dest, managedRoot))
             return;
         fs.unlinkSync(dest);
     }
     catch (err) {
-        if (err.code !== "ENOENT" && (process.env.PHREN_DEBUG || process.env.PHREN_DEBUG)) {
+        if (err.code !== "ENOENT" && (process.env.PHREN_DEBUG)) {
             process.stderr.write(`[phren] removeManagedSkillLink: ${errorMessage(err)}\n`);
         }
     }

package/mcp/dist/skill-registry.js

@@ -64,6 +64,9 @@ function getProjectLocalSkills(phrenPath, project) {
     return collectSkills(phrenPath, path.join(projectDir, "skills"), project, "project", "canonical", seen);
 }
 function skillPriority(skill) {
+    // "user" scope (priority 500) reserved for skills the user marks as untouchable —
+    // not yet wired to a scopeType value, but the priority slot is established here
+    // so the ordering is stable when we add it.
     if (skill.scopeType === "project" && skill.sourceKind === "canonical")
         return 400;
     if (skill.scopeType === "global" && skill.sourceKind === "canonical")

package/mcp/dist/status.js

@@ -3,9 +3,10 @@ import * as path from "path";
 import { fileURLToPath } from "url";
 import { findPhrenPath, getProjectDirs, EXEC_TIMEOUT_QUICK_MS, debugLog, isRecord, hookConfigPath, homeDir, readRootManifest, } from "./shared.js";
 import { buildIndex, detectProject, findFtsCacheForPath, listIndexedDocumentPaths, queryRows } from "./shared-index.js";
+import { mergeConfig, getWorkflowPolicy } from "./shared-governance.js";
 import { getMcpEnabledPreference, getHooksEnabledPreference } from "./init.js";
 import { getTelemetrySummary } from "./telemetry.js";
-import { runGit as runGitShared } from "./utils.js";
+import { runGit as runGitShared, errorMessage } from "./utils.js";
 import { readRuntimeHealth, resolveTaskFilePath } from "./data-access.js";
 import { resolveRuntimeProfile } from "./runtime-profile.js";
 import { renderPhrenArt } from "./phren-art.js";
@@ -17,8 +18,8 @@ function readPackageVersion() {
         return typeof pkg.version === "string" ? pkg.version : "unknown";
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-            process.stderr.write(`[phren] readPackageVersion: ${err instanceof Error ? err.message : String(err)}\n`);
+        if ((process.env.PHREN_DEBUG))
+            process.stderr.write(`[phren] readPackageVersion: ${errorMessage(err)}\n`);
         return "unknown";
     }
 }
@@ -71,6 +72,33 @@ export async function runStatus() {
     // Active project
     if (activeProject) {
         console.log(`  ${DIM}project${RESET}  ${activeProject}`);
+        // Effective config for this project
+        try {
+            const resolved = mergeConfig(phrenPath, activeProject);
+            const globalWorkflow = getWorkflowPolicy(phrenPath);
+            const projectSensitivity = resolved.findingSensitivity !== globalWorkflow.findingSensitivity
+                ? `${resolved.findingSensitivity} ${DIM}(project override)${RESET}`
+                : resolved.findingSensitivity;
+            const projectTaskMode = resolved.taskMode !== globalWorkflow.taskMode
+                ? `${resolved.taskMode} ${DIM}(project override)${RESET}`
+                : resolved.taskMode;
+            console.log(`  ${DIM}sensitivity${RESET}  ${projectSensitivity}`);
+            console.log(`  ${DIM}task mode${RESET}    ${projectTaskMode}`);
+            if (resolved.proactivity.base || resolved.proactivity.findings || resolved.proactivity.tasks) {
+                const parts = [];
+                if (resolved.proactivity.base)
+                    parts.push(`base:${resolved.proactivity.base}`);
+                if (resolved.proactivity.findings)
+                    parts.push(`findings:${resolved.proactivity.findings}`);
+                if (resolved.proactivity.tasks)
+                    parts.push(`tasks:${resolved.proactivity.tasks}`);
+                console.log(`  ${DIM}proactivity${RESET}  ${parts.join(" ")} ${DIM}(project override)${RESET}`);
+            }
+        }
+        catch (err) {
+            if ((process.env.PHREN_DEBUG))
+                process.stderr.write(`[phren] statusConfig: ${errorMessage(err)}\n`);
+        }
     }
     // Phren path and config
     console.log(`  ${DIM}path${RESET}     ${phrenPath}`);
@@ -102,8 +130,8 @@ export async function runStatus() {
                 mcpConfigured = Boolean(servers?.phren || servers?.phren);
             }
             catch (err) {
-                if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-                    process.stderr.write(`[phren] statusWorkspaceMcp parse: ${err instanceof Error ? err.message : String(err)}\n`);
+                if ((process.env.PHREN_DEBUG))
+                    process.stderr.write(`[phren] statusWorkspaceMcp parse: ${errorMessage(err)}\n`);
             }
         }
     }
@@ -120,8 +148,8 @@ export async function runStatus() {
                 hooksInstalled = hookEvents.every((event) => hasCommandHook(hooks?.[event]));
             }
             catch (err) {
-                if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-                    process.stderr.write(`[phren] statusHooks settingsParse: ${err instanceof Error ? err.message : String(err)}\n`);
+                if ((process.env.PHREN_DEBUG))
+                    process.stderr.write(`[phren] statusHooks settingsParse: ${errorMessage(err)}\n`);
             }
         }
     }
@@ -151,8 +179,8 @@ export async function runStatus() {
         }
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-            process.stderr.write(`[phren] statusFtsIndex: ${err instanceof Error ? err.message : String(err)}\n`);
+        if ((process.env.PHREN_DEBUG))
+            process.stderr.write(`[phren] statusFtsIndex: ${errorMessage(err)}\n`);
     }
     const ftsLabel = ftsIndexOk
         ? `${GREEN}ok${RESET} ${DIM}(${ftsIndexSize > 0 ? `${(ftsIndexSize / 1024).toFixed(0)} KB` : `${ftsDocCount ?? 0} docs`})${RESET}`
@@ -186,8 +214,8 @@ export async function runStatus() {
         }
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-            process.stderr.write(`[phren] statusSemantic: ${err instanceof Error ? err.message : String(err)}\n`);
+        if ((process.env.PHREN_DEBUG))
+            process.stderr.write(`[phren] statusSemantic: ${errorMessage(err)}\n`);
     }
     // Agent integration status
     function hasPhrenEntry(filePath) {
@@ -198,8 +226,8 @@ export async function runStatus() {
             return raw.includes('"phren"') || raw.includes("'phren'") || raw.includes('"phren"') || raw.includes("'phren'");
         }
         catch (err) {
-            if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-                process.stderr.write(`[phren] hasPhrenEntry: ${err instanceof Error ? err.message : String(err)}\n`);
+            if ((process.env.PHREN_DEBUG))
+                process.stderr.write(`[phren] hasPhrenEntry: ${errorMessage(err)}\n`);
             return false;
         }
     }

package/mcp/dist/task-hygiene.js

@@ -141,7 +141,7 @@ function collectCorpus(root) {
                 texts.push(fs.readFileSync(fullPath, "utf8").slice(0, MAX_TEXT_BYTES).toLowerCase());
             }
             catch (err) {
-                if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
+                if ((process.env.PHREN_DEBUG))
                     process.stderr.write(`[phren] task hygiene read ${fullPath}: ${errorMessage(err)}\n`);
             }
             if (filesSeen >= MAX_FILES_PER_ROOT)

package/mcp/dist/telemetry.js

@@ -1,6 +1,7 @@
 import * as fs from "fs";
 import * as path from "path";
 import { runtimeDir } from "./shared.js";
+import { errorMessage } from "./utils.js";
 // In-memory buffers keyed by phrenPath to batch disk writes
 // Keeping per-path buffers avoids silently losing events when the active path changes.
 const buffers = new Map();
@@ -25,8 +26,8 @@ function loadFromDisk(phrenPath) {
         };
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-            process.stderr.write(`[phren] telemetry loadFromDisk: ${err instanceof Error ? err.message : String(err)}\n`);
+        if ((process.env.PHREN_DEBUG))
+            process.stderr.write(`[phren] telemetry loadFromDisk: ${errorMessage(err)}\n`);
         return defaults;
     }
 }
@@ -57,8 +58,8 @@ function flushTelemetryForPath(phrenPath) {
         fs.writeFileSync(file, JSON.stringify(data, null, 2) + "\n");
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
-            process.stderr.write(`[phren] telemetry flush: ${err instanceof Error ? err.message : String(err)}\n`);
+        if ((process.env.PHREN_DEBUG))
+            process.stderr.write(`[phren] telemetry flush: ${errorMessage(err)}\n`);
     }
     pendingCounts.set(phrenPath, 0);
 }

package/mcp/dist/update.js

@@ -63,7 +63,7 @@ export async function runPhrenUpdate(opts = {}) {
                 }
             }
             catch (err) {
-                if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
+                if ((process.env.PHREN_DEBUG))
                     process.stderr.write(`[phren] runPhrenUpdate gitStatus: ${errorMessage(err)}\n`);
             }
             const pull = run("git", ["pull", "--rebase", "--autostash"], root);

package/mcp/dist/utils.js

@@ -12,7 +12,7 @@ function loadSynonymsJson(fileName) {
         return JSON.parse(fs.readFileSync(filePath, "utf8"));
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
+        if ((process.env.PHREN_DEBUG))
             process.stderr.write(`[phren] ${fileName} load failed: ${err instanceof Error ? err.message : String(err)}\n`);
         return {};
     }
@@ -276,7 +276,7 @@ function parseSynonymsYaml(filePath) {
         return loaded;
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
+        if ((process.env.PHREN_DEBUG))
             process.stderr.write(`[phren] synonyms.yaml parse failed (${filePath}): ${err instanceof Error ? err.message : String(err)}\n`);
         return {};
     }
@@ -315,7 +315,7 @@ function parseLearnedSynonymsJson(filePath) {
         return loaded;
     }
     catch (err) {
-        if ((process.env.PHREN_DEBUG || process.env.PHREN_DEBUG))
+        if ((process.env.PHREN_DEBUG))
             process.stderr.write(`[phren] learned-synonyms parse failed (${filePath}): ${err instanceof Error ? err.message : String(err)}\n`);
         return {};
     }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@phren/cli",
-  "version": "0.0.10",
-  "description": "Knowledge layer for AI agents. Claude remembers you. Phren remembers your work.",
+  "version": "0.0.11",
+  "description": "Knowledge layer for AI agents. Phren learns and recalls.",
   "type": "module",
   "bin": {
     "phren": "mcp/dist/index.js"

package/starter/global/skills/audit.md

@@ -0,0 +1,106 @@
+---
+name: audit
+description: Full codebase audit — dead code, security, dependencies, performance, optimization. Not a diff review — scans everything.
+---
+# /audit - Full Codebase Audit
+
+Unlike `/simplify` (which reviews your last diff), this scans the entire codebase. Run it when you want to clean house.
+
+## What It Does
+
+Launch 5 parallel agents. Each one scans the full codebase for a different class of problem. When they're done, aggregate findings and fix what's fixable.
+
+## Phase 1: Discover the Codebase
+
+Before launching agents, understand the project:
+
+```
+1. Read package.json (or pyproject.toml, Cargo.toml, go.mod — whatever applies)
+2. Find the source directories (src/, lib/, app/, etc.)
+3. Count files by extension to understand the stack
+4. Check for existing lint/test configs
+```
+
+Pass this context to every agent so they know where to look.
+
+## Phase 2: Launch 5 Agents in Parallel
+
+Use the Agent tool to launch all five concurrently in a single message. Give each agent the project context from Phase 1.
+
+### Agent 1: Dead Code & Unused Exports
+
+Find code that exists but isn't used:
+
+1. **Unused exports.** For every `export` in the codebase, check if it's imported anywhere. Flag exports that are only used in their own file or not used at all. Exclude entry points and public API surfaces.
+2. **Unused dependencies.** Cross-reference `package.json` dependencies against actual imports in source files. Flag packages that are installed but never imported. Check devDependencies too — are test utilities actually used in tests?
+3. **Dead functions.** Functions defined but never called. Methods on classes that nothing invokes. Event handlers registered but for events that are never emitted.
+4. **Orphan files.** Files that nothing imports. Test files for source files that no longer exist. Config files for tools that aren't in the project.
+5. **Feature flags that resolved.** Environment variable checks where one branch is clearly dead. TODO/FIXME/HACK comments older than 6 months.
+6. **Stale type definitions.** Interfaces or types that nothing references. Generic type parameters that are always the same concrete type.
+
+### Agent 2: Security Scan
+
+Look for vulnerabilities in the actual code (not just `npm audit`):
+
+1. **Injection vectors.** Shell commands built from user input without sanitization. SQL queries with string concatenation. HTML built from unescaped variables. Regex built from user input (ReDoS).
+2. **Path traversal.** Any file operation where the path comes from user input or external data without validation. Check for `../` normalization and symlink following.
+3. **Secret exposure.** Hardcoded API keys, tokens, passwords. Environment variables logged or included in error messages. Secrets in URLs or query parameters.
+4. **Insecure defaults.** TLS verification disabled. CORS set to `*`. Cookies without secure/httponly/samesite flags. Debug modes that shouldn't ship.
+5. **Dependency vulnerabilities.** Run `npm audit` (or equivalent). Check for known CVEs. Flag dependencies that haven't been updated in 12+ months.
+6. **Auth and access control.** Endpoints or functions that should check permissions but don't. Token validation that's incomplete. Rate limiting gaps.
+7. **SSRF and network.** Outbound requests where the URL comes from user input. Webhook/callback URLs that aren't validated against internal networks.
+
+### Agent 3: Performance & Efficiency
+
+Find code that wastes time or resources:
+
+1. **Startup cost.** What runs at import/require time? Top-level await, synchronous file reads, heavy initialization that could be lazy.
+2. **N+1 patterns.** Loops that make a network/disk/DB call per iteration instead of batching.
+3. **Redundant computation.** The same value computed multiple times in a hot path. Missing memoization where inputs rarely change. Expensive operations inside loops that could be hoisted.
+4. **Blocking operations.** Synchronous file I/O on async paths. `JSON.parse` on large payloads without streaming. CPU-heavy work on the event loop.
+5. **Unbounded growth.** Caches without eviction. Arrays that grow without limits. Event listeners that are added but never removed. Intervals that are set but never cleared.
+6. **Over-fetching.** Loading entire files when you need one field. Importing a whole library for one function. Reading all records when filtering for a subset.
+7. **Missed parallelism.** Sequential `await` calls that are independent and could use `Promise.all`. File operations that could be batched.
+
+### Agent 4: Code Quality & Simplification
+
+Find code that's more complicated than it needs to be:
+
+1. **Abstraction debt.** Functions over 80 lines. Files over 500 lines. Classes that do too many things. Deeply nested conditionals (3+ levels).
+2. **Copy-paste code.** Near-duplicate blocks across files. Similar switch/case statements that should share logic. Functions that differ by one parameter.
+3. **Unnecessary indirection.** Wrapper functions that add nothing. Abstract classes with one implementation. Factory patterns for objects that are only created once.
+4. **Type complexity.** Union types with 5+ members. Generic types nested 3+ levels deep. Type assertions (`as`) that could be avoided with better typing.
+5. **Error handling.** Empty catch blocks. Catch-and-rethrow without adding context. Inconsistent error types across similar operations.
+6. **Naming.** Boolean variables that don't read as questions. Functions whose names don't describe what they return. Abbreviations that only the author understands.
+7. **Stale patterns.** Callbacks where promises/async would be cleaner. Manual iteration where array methods would work. Hand-rolled utilities where the language or a dependency provides it.
+
+### Agent 5: Dependency Health
+
+Audit the dependency tree:
+
+1. **Outdated packages.** Run `npm outdated` (or equivalent). Flag major version bumps that are available. Note any breaking changes.
+2. **Heavy dependencies.** Check bundle/install size. Flag packages over 1MB that could be replaced with lighter alternatives or native APIs.
+3. **Duplicate functionality.** Multiple packages that do the same thing (e.g., both `lodash` and `underscore`, or `axios` and `node-fetch`).
+4. **License issues.** Check for GPL or other copyleft licenses in a non-GPL project. Flag any "unknown" licenses.
+5. **Abandoned packages.** Dependencies with no commits in 2+ years, or archived repos.
+6. **Phantom dependencies.** Imports that resolve only because a parent dependency installs them (not in your own package.json).
+
+## Phase 3: Triage and Fix
+
+Wait for all agents. Then:
+
+1. **Deduplicate.** Multiple agents may flag the same issue from different angles. Merge them.
+2. **Prioritize.** Security issues first. Then dead code (easy wins). Then performance. Then quality.
+3. **Fix directly.** Don't just report — fix what you can. For things that need the user's input (like removing a dependency that might be used in a way you can't see), ask.
+4. **Summarize.** Report what was found, what was fixed, and what needs the user's decision.
+
+## Options
+
+The user can scope the audit:
+
+- `/audit` — full audit, all 5 agents
+- `/audit security` — just the security agent
+- `/audit dead-code` — just dead code detection
+- `/audit performance` — just performance
+- `/audit deps` — just dependency health
+- `/audit quality` — just code quality

package/mcp/dist/shared-paths.js

@@ -1 +0,0 @@
-export * from "./phren-paths.js";