@skilly-hand/skilly-hand 0.18.0 → 0.19.0

package/CHANGELOG.md

@@ -16,6 +16,25 @@ All notable changes to this project are documented in this file.
 ### Removed
 - _None._
 
+## [0.19.0] - 2026-04-11
+[View on npm](https://www.npmjs.com/package/@skilly-hand/skilly-hand/v/0.19.0)
+
+### Added
+- Added `scripts/dependency-security-check.mjs` plus new npm script `security:deps` for strict dependency audit and outdated-package reporting.
+- Added a full-screen Ink terminal UI for interactive CLI flows, including the new `--classic` fallback flag for plain text mode.
+- Added dependency security report automation to the project-security GitHub Actions template (scheduled artifact workflow).
+
+### Changed
+- Updated `security:check` to run strict dependency checks in addition to secret/config scanning.
+- Updated project-security hook/CI assets to use shared `run_security_gates` flow.
+- Updated CLI command routing and terminal rendering to support Ink-backed interactive sessions.
+
+### Fixed
+- Expanded and refreshed interactive/terminal/script test coverage for the new UI and security flows.
+
+### Removed
+- _None._
+
 ## [0.18.0] - 2026-04-08
 [View on npm](https://www.npmjs.com/package/@skilly-hand/skilly-hand/v/0.18.0)
 

package/README.md

@@ -5,8 +5,8 @@
 ██╔════╝██║ ██╔╝██║██║     ██║     ╚██╗ ██╔╝    ██║  ██║██╔══██╗████╗  ██║██╔══██╗
 ╚█████╗ █████╔╝ ██║██║     ██║      ╚████╔╝     ███████║███████║██╔██╗ ██║██║  ██║
  ╚══██╗ ██╔═██╗ ██║██║     ██║       ╚██╔╝      ██╔══██║██╔══██║██║╚██╗██║██║  ██║
-██████╔╝██║  ██╗██║███████╗███████╗   ██║        ██║  ██║██║  ██║██║ ╚████║██████╔╝
-╚═════╝ ╚═╝  ╚═╝╚═╝╚══════╝╚══════╝   ╚═╝        ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝╚═════╝
+██████╔╝██║  ██╗██║███████╗███████╗   ██║       ██║  ██║██║  ██║██║ ╚████║██████╔╝
+╚═════╝ ╚═╝  ╚═╝╚═╝╚══════╝╚══════╝   ╚═╝       ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝╚═════╝
 ```
 
 **Portable AI agent skills. One CLI. Every coding assistant.**
@@ -36,7 +36,7 @@
 npx skilly-hand
 ```
 
-`npx skilly-hand` opens an interactive command launcher when running in a TTY.
+`npx skilly-hand` opens a full-screen skilly-hand terminal UI when running in a TTY.
 
 ---
 
@@ -55,6 +55,7 @@ npx skilly-hand
 | Flag | Description |
 | ---- | ----------- |
 | `--json` | Emit machine-readable output and disable interactive prompts |
+| `--classic` | Force plain text command mode and skip full-screen TUI |
 | `--yes`, `-y` | Skip confirmation prompts for mutating commands (`install`, `uninstall`) |
 | `--dry-run` | Preview install plan without writing files |
 | `--agent`, `-a <name>` | Target a specific assistant (repeatable; e.g. `--agent claude --agent cursor`) |
@@ -100,6 +101,11 @@ See [catalog/README.md](./catalog/README.md) for generated skill metadata.
 8. Smoke test after publish: `npx @skilly-hand/skilly-hand@<version> --help`.
 9. Verify npm metadata (README render, changelog, license, executable bin).
 
+### Security Automation
+
+- `npm run security:check` runs repository secret/config checks plus strict dependency security checks.
+- `npm run security:deps` runs strict dependency audit + outdated reporting only.
+
 ---
 
 ## Stack Detection

package/catalog/skills/project-security/assets/generic-ci-security-gate.sh

@@ -5,32 +5,5 @@ script_dir=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
 # shellcheck source=/dev/null
 . "$script_dir/run-security-check.shared.sh"
 
-run_supply_chain_check() {
-  if [ -f "pnpm-lock.yaml" ] && command -v pnpm >/dev/null 2>&1; then
-    if ! pnpm audit --prod; then
-      echo "[project-security] pnpm audit reported issues." >&2
-      return 1
-    fi
-    return
-  fi
-
-  if [ -f "yarn.lock" ] && command -v yarn >/dev/null 2>&1; then
-    if ! yarn npm audit; then
-      echo "[project-security] yarn audit reported issues." >&2
-      return 1
-    fi
-    return
-  fi
-
-  if [ -f "package-lock.json" ] && command -v npm >/dev/null 2>&1; then
-    if ! npm audit --audit-level=high; then
-      echo "[project-security] npm audit reported issues." >&2
-      return 1
-    fi
-    return
-  fi
-}
-
 echo "[project-security] running CI security gate..."
-run_security_check
-run_supply_chain_check
+run_security_gates

package/catalog/skills/project-security/assets/github-actions-security-gate.yml

@@ -5,6 +5,8 @@ on:
   push:
     branches:
       - "**"
+  schedule:
+    - cron: "23 5 * * 1"
   release:
     types: [published]
 
@@ -36,3 +38,39 @@ jobs:
 
       - name: Run security gate
         run: sh catalog/skills/project-security/assets/generic-ci-security-gate.sh
+
+  dependency-report:
+    if: github.event_name == 'schedule'
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+
+      - name: Setup Node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        with:
+          node-version: "20"
+
+      - name: Install dependencies (auto-detect package manager)
+        run: |
+          corepack enable
+          if [ -f pnpm-lock.yaml ]; then
+            pnpm install --frozen-lockfile
+          elif [ -f yarn.lock ]; then
+            yarn install --immutable
+          elif [ -f package-lock.json ]; then
+            npm ci
+          elif [ -f package.json ]; then
+            echo "[project-security] missing lockfile; refusing non-deterministic install" >&2
+            exit 1
+          fi
+
+      - name: Generate dependency report
+        run: |
+          node scripts/dependency-security-check.mjs --json > dependency-security-report.json
+
+      - name: Upload dependency report artifact
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275f52d1598f
+        with:
+          name: dependency-security-report
+          path: dependency-security-report.json

package/catalog/skills/project-security/assets/pre-commit.sample.sh

@@ -6,4 +6,4 @@ script_dir=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
 . "$script_dir/run-security-check.shared.sh"
 
 echo "[project-security] running commit gate..."
-run_security_check
+run_security_gates

package/catalog/skills/project-security/assets/pre-push.sample.sh

@@ -5,34 +5,5 @@ script_dir=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
 # shellcheck source=/dev/null
 . "$script_dir/run-security-check.shared.sh"
 
-run_optional_supply_chain_check() {
-  if [ -f "pnpm-lock.yaml" ] && command -v pnpm >/dev/null 2>&1; then
-    if ! pnpm audit --prod; then
-      echo "[project-security] pnpm audit reported issues." >&2
-      return 1
-    fi
-    return 0
-  fi
-
-  if [ -f "yarn.lock" ] && command -v yarn >/dev/null 2>&1; then
-    if ! yarn npm audit; then
-      echo "[project-security] yarn audit reported issues." >&2
-      return 1
-    fi
-    return 0
-  fi
-
-  if [ -f "package-lock.json" ] && command -v npm >/dev/null 2>&1; then
-    if ! npm audit --audit-level=high; then
-      echo "[project-security] npm audit reported issues." >&2
-      return 1
-    fi
-    return 0
-  fi
-
-  return 0
-}
-
 echo "[project-security] running push gate..."
-run_security_check
-run_optional_supply_chain_check
+run_security_gates

package/catalog/skills/project-security/assets/run-security-check.shared.sh

@@ -25,3 +25,36 @@ run_security_check() {
   echo "[project-security] no security check command available." >&2
   return 1
 }
+
+run_dependency_security_check() {
+  if [ -f "pnpm-lock.yaml" ] && command -v pnpm >/dev/null 2>&1; then
+    if pnpm run -s security:deps >/dev/null 2>&1; then
+      pnpm run -s security:deps
+      return
+    fi
+  fi
+
+  if [ -f "yarn.lock" ] && command -v yarn >/dev/null 2>&1; then
+    if yarn -s security:deps >/dev/null 2>&1; then
+      yarn -s security:deps
+      return
+    fi
+  fi
+
+  if [ -f "package.json" ] && command -v npm >/dev/null 2>&1; then
+    if npm run --silent security:deps >/dev/null 2>&1; then
+      npm run --silent security:deps
+      return
+    fi
+  fi
+
+  if [ -f "scripts/dependency-security-check.mjs" ] && command -v node >/dev/null 2>&1; then
+    node scripts/dependency-security-check.mjs --strict
+    return
+  fi
+}
+
+run_security_gates() {
+  run_security_check
+  run_dependency_security_check
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@skilly-hand/skilly-hand",
-  "version": "0.18.0",
+  "version": "0.19.0",
   "license": "CC-BY-NC-4.0",
   "type": "module",
   "publishConfig": {
@@ -29,7 +29,8 @@
     "catalog:sync": "node ./scripts/sync-catalog.mjs",
     "agentic:self:sync": "node ./scripts/sync-self-agentic.mjs",
     "test": "node --test tests/*.test.js && node ./scripts/test-in-sandbox.mjs",
-    "security:check": "node ./scripts/security-check.mjs",
+    "security:deps": "node ./scripts/dependency-security-check.mjs --strict",
+    "security:check": "node ./scripts/security-check.mjs --strict-deps",
     "verify:packlist": "node ./scripts/verify-packlist.mjs",
     "verify:versions": "node ./scripts/verify-versions.mjs",
     "verify:publish": "npm run verify:versions && npm run security:check && npm run catalog:check && npm test && npm run verify:packlist",
@@ -46,6 +47,7 @@
     "doctor": "node ./packages/cli/src/bin.js doctor"
   },
   "dependencies": {
-    "@inquirer/prompts": "^7.10.1"
+    "ink": "^5.2.1",
+    "react": "^18.3.1"
   }
 }

package/packages/catalog/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@skilly-hand/catalog",
-  "version": "0.18.0",
+  "version": "0.19.0",
   "private": true,
   "type": "module"
 }

package/packages/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@skilly-hand/cli",
-  "version": "0.18.0",
+  "version": "0.19.0",
   "private": true,
   "type": "module",
   "bin": {