@tspappsen/elamax 1.2.3

package/dist/update.js

@@ -0,0 +1,72 @@
+import { readFileSync } from "fs";
+import { join, dirname } from "path";
+import { fileURLToPath } from "url";
+import { exec as execCb, execSync } from "child_process";
+const __dirname = dirname(fileURLToPath(import.meta.url));
+function getLocalVersion() {
+    try {
+        const pkg = JSON.parse(readFileSync(join(__dirname, "..", "package.json"), "utf-8"));
+        return pkg.version || "0.0.0";
+    }
+    catch {
+        return "0.0.0";
+    }
+}
+/** Run a command asynchronously and return stdout. */
+function execAsync(cmd, timeoutMs) {
+    return new Promise((resolve, reject) => {
+        execCb(cmd, { encoding: "utf-8", timeout: timeoutMs }, (err, stdout) => {
+            if (err)
+                return reject(err);
+            resolve(stdout.trim());
+        });
+    });
+}
+/** Fetch the latest published version from npm. Returns null on failure. */
+export async function getLatestVersion() {
+    try {
+        const result = await execAsync("npm view elamax version", 10_000);
+        return result || null;
+    }
+    catch {
+        return null;
+    }
+}
+/** Compare two semver strings. Returns true if remote is newer. */
+function isNewer(local, remote) {
+    const parse = (v) => v.split(".").map(Number);
+    const [lMaj, lMin, lPat] = parse(local);
+    const [rMaj, rMin, rPat] = parse(remote);
+    if (rMaj !== lMaj)
+        return rMaj > lMaj;
+    if (rMin !== lMin)
+        return rMin > lMin;
+    return rPat > lPat;
+}
+/** Check whether a newer version is available on npm. */
+export async function checkForUpdate() {
+    const current = getLocalVersion();
+    const latest = await getLatestVersion();
+    return {
+        current,
+        latest,
+        updateAvailable: latest !== null && isNewer(current, latest),
+        checkSucceeded: latest !== null,
+    };
+}
+/** Run `npm install -g elamax@latest` and return success/failure. */
+export async function performUpdate() {
+    try {
+        const output = execSync("npm install -g elamax@latest", {
+            encoding: "utf-8",
+            timeout: 60_000,
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        return { ok: true, output: output.trim() };
+    }
+    catch (err) {
+        const msg = err.stderr?.trim() || err.message || "Unknown error";
+        return { ok: false, output: msg };
+    }
+}
+//# sourceMappingURL=update.js.map

package/dist/utils/parseJSON.js

@@ -0,0 +1,71 @@
+/**
+ * 3-tier JSON parsing utility for LLM output.
+ *
+ * Tier 1 — Direct parse: try JSON.parse(input) as-is.
+ * Tier 2 — Markdown fence extraction: strip ```json ... ``` (or plain ```) fences, then parse.
+ * Tier 3 — Balanced brace matching: scan for the first `{` or `[`, find its matching
+ *           closing bracket, extract that substring, and parse.
+ *
+ * Returns the parsed value or `null` if all tiers fail.
+ */
+export function parseJSON(input) {
+    const text = input.trim();
+    // Tier 1: direct parse
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        // fall through
+    }
+    // Tier 2: markdown fence extraction
+    const fenceMatch = text.match(/^```(?:json)?\s*\n?([\s\S]*?)\n?```$/i);
+    if (fenceMatch) {
+        try {
+            return JSON.parse(fenceMatch[1].trim());
+        }
+        catch {
+            // fall through
+        }
+    }
+    // Tier 3: balanced brace/bracket matching
+    const start = text.search(/[{[]/);
+    if (start !== -1) {
+        const open = text[start];
+        const close = open === "{" ? "}" : "]";
+        let depth = 0;
+        let inString = false;
+        let escape = false;
+        for (let i = start; i < text.length; i++) {
+            const ch = text[i];
+            if (escape) {
+                escape = false;
+                continue;
+            }
+            if (ch === "\\" && inString) {
+                escape = true;
+                continue;
+            }
+            if (ch === '"') {
+                inString = !inString;
+                continue;
+            }
+            if (inString)
+                continue;
+            if (ch === open)
+                depth++;
+            else if (ch === close) {
+                depth--;
+                if (depth === 0) {
+                    try {
+                        return JSON.parse(text.slice(start, i + 1));
+                    }
+                    catch {
+                        break;
+                    }
+                }
+            }
+        }
+    }
+    return null;
+}
+//# sourceMappingURL=parseJSON.js.map

package/package.json

@@ -0,0 +1,61 @@
+{
+  "name": "@tspappsen/elamax",
+  "version": "1.2.3",
+  "description": "Max — a personal AI assistant for developers, built on the GitHub Copilot SDK",
+  "bin": {
+    "max": "dist/cli.js"
+  },
+  "files": [
+    "dist/**/*.js",
+    "skills/",
+    "templates/",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "daemon": "tsx src/daemon.ts",
+    "tui": "tsx src/tui/index.ts",
+    "dev": "tsx --watch-path src src/daemon.ts",
+    "prepublishOnly": "npm run build"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "keywords": [
+    "copilot",
+    "telegram",
+    "orchestrator",
+    "ai",
+    "cli"
+  ],
+  "author": "Erik",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/lauraeus/max-assistant"
+  },
+  "homepage": "https://github.com/lauraeus/max-assistant",
+  "bugs": {
+    "url": "https://github.com/lauraeus/max-assistant/max/issues"
+  },
+  "type": "module",
+  "dependencies": {
+    "@github/copilot-sdk": "0.1.30",
+    "better-sqlite3": "^12.6.2",
+    "discord.js": "^14.16.3",
+    "dotenv": "^17.3.1",
+    "express": "^5.2.1",
+    "grammy": "^1.40.0",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "@types/better-sqlite3": "^7.6.13",
+    "@types/express": "^5.0.6",
+    "@types/node": "^25.3.0",
+    "tsx": "^4.21.0",
+    "typescript": "^5.9.3"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}

package/skills/find-skills/SKILL.md

@@ -0,0 +1,161 @@
+---
+name: find-skills
+description: Helps users discover agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express interest in extending capabilities. Always ask the user for permission before installing any skill, and flag security risks.
+---
+
+# Find Skills
+
+Discover and install skills from the open agent skills ecosystem at https://skills.sh/.
+
+## When to Use
+
+Use this skill when the user:
+
+- Asks "how do I do X" where X might be a common task with an existing skill
+- Says "find a skill for X" or "is there a skill for X"
+- Asks "can you do X" where X is a specialized capability
+- Expresses interest in extending agent capabilities
+- Wants to search for tools, templates, or workflows
+
+## Search & Present
+
+Do these two steps in a worker session — they can run in parallel:
+
+### 1. Search the API
+
+```bash
+curl -s "https://skills.sh/api/search?q=QUERY"
+```
+
+Replace `QUERY` with a URL-encoded search term (e.g., `react`, `email`, `pr+review`). The response is JSON with skills sorted by installs (most popular first):
+
+```json
+{
+  "skills": [
+    {
+      "id": "vercel-labs/agent-skills/vercel-react-best-practices",
+      "skillId": "vercel-react-best-practices",
+      "name": "vercel-react-best-practices",
+      "installs": 174847,
+      "source": "vercel-labs/agent-skills"
+    }
+  ]
+}
+```
+
+### 2. Fetch Security Audits
+
+**Required — do not skip.** Use the `web_fetch` tool to get the audits page:
+
+```
+web_fetch url="https://skills.sh/audits"
+```
+
+If `web_fetch` fails or returns unexpected content, still present the search results but show "⚠️ Audit unavailable" for all security columns and include a link to https://skills.sh/audits so the user can check manually.
+
+This returns markdown where each skill has a heading (`### skill-name`) followed by its source, then three security scores:
+
+- **Gen Agent Trust Hub**: Safe / Med Risk / Critical
+- **Socket**: Number of alerts (0 is best)
+- **Snyk**: Low Risk / Med Risk / High Risk / Critical
+
+Scan the returned markdown to find scores for each skill from your search results. Match by both **skill name** and **full source** (`owner/repo`) to avoid misattribution — different repos can have skills with the same name.
+
+### 3. Present Combined Results
+
+Cross-reference the search results with the audit data and format as a numbered table. Show the top 6-8 results sorted by installs:
+
+```
+#  Skill                         Publisher      Installs   Gen    Socket  Snyk
+─  ─────────────────────────────  ─────────────  ────────   ─────  ──────  ────────
+1  vercel-react-best-practices   vercel-labs     175.3K    ✅Safe  ✅ 0    ✅Low
+2  web-design-guidelines         vercel-labs     135.8K    ✅Safe  ✅ 0    ⚠️Med
+3  frontend-design               anthropics      122.6K    ✅Safe  ✅ 0    ✅Low
+4  remotion-best-practices       remotion-dev    125.2K    ✅Safe  ✅ 0    ⚠️Med
+5  browser-use                   browser-use      45.0K    ⚠️Med  🔴 1    🔴High
+```
+
+**Formatting:**
+- Sort by installs descending
+- Format counts: 1000+ → "1.0K", 1000000+ → "1.0M"
+- ✅ for Safe / Low Risk / 0 alerts, ⚠️ for Med Risk, 🔴 for High Risk / Critical / 1+ alerts
+- If a skill has no audit data, show "⚠️ N/A" — never leave security blank
+- Publisher = first part of `source` field (before `/`)
+
+After the table:
+
+```
+🔗 Browse all: https://skills.sh/
+
+Pick a number to install (or "none")
+```
+
+## Install
+
+**NEVER install without the user picking a number first.**
+
+When the user picks a skill:
+
+### Security Gate
+
+If ANY of its three audit scores is not green (Safe / 0 alerts / Low Risk), warn before proceeding:
+
+```
+⚠️ "{skill-name}" has security concerns:
+  • Gen Agent Trust Hub: {score}
+  • Socket: {count} alerts
+  • Snyk: {score}
+
+Want to proceed anyway, or pick a different skill?
+```
+
+Wait for explicit confirmation. Do not install if the user says no.
+
+### Fetch & Install
+
+1. **Fetch the SKILL.md** from GitHub. The `source` field is `owner/repo` and `skillId` is the directory:
+
+```bash
+curl -fsSL "https://raw.githubusercontent.com/{source}/main/{skillId}/SKILL.md" || \
+curl -fsSL "https://raw.githubusercontent.com/{source}/master/{skillId}/SKILL.md"
+```
+
+If both fail, tell the user and link to `https://github.com/{source}`.
+
+2. **Validate** the fetched content: it must not be empty and should contain meaningful instructions (more than just a title). If the content is empty, an HTML error page, or clearly not a SKILL.md, do NOT install — tell the user it couldn't be fetched properly.
+
+3. **Install** using the `learn_skill` tool:
+   - `slug`: the `skillId` from the API
+   - `name`: from the SKILL.md frontmatter `name:` field (between `---` markers). If no frontmatter, use `skillId`.
+   - `description`: from the SKILL.md frontmatter `description:` field. If none, use the first sentence.
+   - `instructions`: if frontmatter exists, use the content after the closing `---`. If no frontmatter, use the full fetched content as instructions.
+
+**Always install to ~/.max/skills/ via learn_skill. Never install globally.**
+
+## Behavioral Security Review
+
+In addition to audit scores, review the fetched SKILL.md content before installing. Flag concerns if the skill:
+
+- **Runs arbitrary shell commands** or executes code on the user's machine
+- **Accesses sensitive data** — credentials, API keys, SSH keys, personal files
+- **Makes network requests** to external services (data exfiltration risk)
+- **Comes from an unknown or unverified source** with no audit data
+
+If any of these apply, warn the user with specifics even if audit scores are green:
+
+```
+⚠️ Note: "{skill-name}" requests shell access and reads files from your home directory.
+This is common for CLI-integration skills, but worth knowing. Proceed?
+```
+
+## When No Skills Are Found
+
+If the API returns no results:
+
+1. Tell the user no existing skill was found
+2. Offer to help directly with your general capabilities
+3. Suggest building a custom skill if the task is worth automating
+
+## Uninstalling
+
+Use the `uninstall_skill` tool with the skill's slug to remove it from `~/.max/skills/`.

package/skills/find-skills/_meta.json

@@ -0,0 +1,4 @@
+{
+  "slug": "find-skills",
+  "version": "1.0.0"
+}

package/templates/instructions/AGENTS.md

@@ -0,0 +1,18 @@
+# Agents
+
+You are Max, Eriks Chief of Staff. This folder is home. Treat it that way.
+
+## GitHub Repository Analysis
+
+If the user provides a GitHub repository URL: 
+
+1. **Analyze** — Use the github-repository-analysis skill/workflow to clone and analyze the github repository. Don't just summarize the README.
+2. **Post to Discord** — Send your review to the discord channel (see `TOOLS.md` for channel ID). This is required for every analysis.
+
+## X/Twitter Thread Analysis
+
+If the user provides an X/Twitter URL, prefer the twitter skill/workflow to fetch the full thread and analyze it.
+
+## Customization
+
+Edit this file to customize how Max behaves. Changes are picked up automatically — no restart needed.

package/templates/instructions/TOOLS.md

@@ -0,0 +1,12 @@
+# Tools
+
+## Discord
+
+| Name | Channel ID |
+|---|---|
+| #mac-max | `1486806366508023818` |
+
+**Send to Discord:**
+```
+message action=send channel=discord target="1486806366508023818" message="YOUR_MESSAGE_HERE"
+```