azclaude-copilot 0.4.31 → 0.4.32

package/.claude-plugin/marketplace.json

@@ -9,7 +9,7 @@
     {
       "name": "azclaude",
       "description": "AZCLAUDE is a complete AI coding environment for Claude Code. It installs 34 commands, 9 auto-invoked skills, 15 specialized agents, 4 hooks, and a persistent memory system — in one command.\n\nKey features:\n• Memory across sessions — goals.md + checkpoints injected automatically before every session\n• Self-improving loop — /reflect fixes stale CLAUDE.md rules, /reflexes learns from tool-use patterns, /evolve creates agents from git evidence\n• Autonomous copilot mode — /copilot runs a three-tier team (orchestrator → problem-architect → milestone-builder) across sessions until the product ships\n• Spec-driven workflow — /constitute writes project rules, /spec writes structured ACs, /analyze detects plan drift and ghost milestones, /blueprint traces every milestone to a spec\n• Security layer — 111-rule environment scan (/sentinel), pre-write secret blocking, pre-ship credential audit\n• Progressive levels 0–10 — start with CLAUDE.md, grow into multi-agent pipelines and self-evolving environments\n• Zero dependencies — no npm packages, no external APIs, no vector databases. Plain markdown files and Claude Code's native architecture.\n• Smart install — npx azclaude-copilot@latest auto-detects first install vs upgrade vs verify. Context-aware onboarding shows the right next command for your project state.\n\nExample use cases:\n• /setup — scan an existing project, detect stack + domain + scale, fill CLAUDE.md, generate project-specific skills and agents automatically\n• /copilot \"Build a compliance SaaS with trilingual support\" — walk away, come back to working code across multiple sessions\n• /sentinel — run a scored security audit (0–100, grade A–F) across hooks, permissions, MCP servers, agent configs, and secrets\n• /evolve — detect gaps in the environment, generate new skills and agents from git co-change evidence, report score delta (e.g. 42/100 → 68/100)\n• /constitute — write your project's constitution (non-negotiables, architectural commitments, definition of done) — gates all future AI actions\n• /analyze — cross-artifact consistency check: ghost milestones, spec vs. code drift, unplanned commits\n• /reflect — find stale, missing, or contradicting rules in CLAUDE.md and propose exact fixes\n• /debate \"REST vs GraphQL for this project\" — adversarial evidence-based decision with order-independent scoring, logged to decisions.md",
-      "version": "0.4.31",
+      "version": "0.4.32",
       "source": {
         "source": "github",
         "repo": "haytamAroui/AZ-CLAUDE-COPILOT",

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "azclaude",
-  "version": "0.4.31",
+  "version": "0.4.32",
   "description": "AZCLAUDE is a complete AI coding environment for Claude Code. It installs 34 commands, 9 auto-invoked skills, 15 specialized agents, 4 hooks, and a persistent memory system — in one command.\n\nKey features:\n• Memory across sessions — goals.md + checkpoints injected automatically before every session\n• Self-improving loop — /reflect fixes stale CLAUDE.md rules, /reflexes learns from tool-use patterns, /evolve creates agents from git evidence\n• Autonomous copilot mode — /copilot runs a three-tier team (orchestrator → problem-architect → milestone-builder) across sessions until the product ships\n• Spec-driven workflow — /constitute writes project rules, /spec writes structured ACs, /analyze detects plan drift and ghost milestones, /blueprint traces every milestone to a spec\n• Security layer — 111-rule environment scan (/sentinel), pre-write secret blocking, pre-ship credential audit\n• Progressive levels 0–10 — start with CLAUDE.md, grow into multi-agent pipelines and self-evolving environments\n• Zero dependencies — no npm packages, no external APIs, no vector databases. Plain markdown files and Claude Code's native architecture.\n• Smart install — npx azclaude-copilot@latest auto-detects first install vs upgrade vs verify. Context-aware onboarding shows the right next command for your project state.\n\nExample use cases:\n• /setup — scan an existing project, detect stack + domain + scale, fill CLAUDE.md, generate project-specific skills and agents automatically\n• /copilot \"Build a compliance SaaS with trilingual support\" — walk away, come back to working code across multiple sessions\n• /sentinel — run a scored security audit (0–100, grade A–F) across hooks, permissions, MCP servers, agent configs, and secrets\n• /evolve — detect gaps in the environment, generate new skills and agents from git co-change evidence, report score delta (e.g. 42/100 → 68/100)\n• /constitute — write your project's constitution (non-negotiables, architectural commitments, definition of done) — gates all future AI actions\n• /analyze — cross-artifact consistency check: ghost milestones, spec vs. code drift, unplanned commits\n• /reflect — find stale, missing, or contradicting rules in CLAUDE.md and propose exact fixes\n• /debate \"REST vs GraphQL for this project\" — adversarial evidence-based decision with order-independent scoring, logged to decisions.md",
   "author": {
     "name": "haytamAroui",

package/bin/cli.js

@@ -1194,32 +1194,44 @@ if (hasPlan && hasPendingMilestones) {
 console.log('\n════════════════════════════════════════════════');
 console.log(`  AZCLAUDE v${currentVer} — ${isFirstInstall ? 'installed' : needsUpgrade ? 'upgraded' : 'up to date'}`);
 console.log('');
+
+// First-time users get a one-liner orientation
+if (isFirstInstall) {
+  console.log('  AI coding commands for Claude Code: /setup, /add, /fix,');
+  console.log('  /copilot, /ship and 29 more. Run them inside Claude Code.');
+  console.log('');
+}
+
 console.log('  Open Claude Code in this directory, then:');
 console.log('');
 
 if (onboardingPath === 'RESUME') {
-  console.log('  You have a plan with pending work:');
+  console.log('  A plan with pending work was found:');
   console.log('');
-  console.log('    /copilot          resume autonomous build');
   console.log('    /pulse            see current state first');
+  console.log('    /copilot          resume autonomous build');
   console.log('    /analyze plan     verify plan vs reality');
+  console.log('');
+  console.log('  Starting fresh instead?');
+  console.log('');
+  console.log('    /setup            (re)configure this project');
 } else if (onboardingPath === 'EXISTING') {
   console.log('  Existing project detected:');
   console.log('');
-  console.log('    /setup            scan + configure this project');
-  console.log('    /dream            define what to build next');
-  console.log('    /blueprint        plan the next feature');
-  console.log('    /copilot .        build autonomously');
+  console.log('    /setup            scan + configure this project  ← start here');
+  console.log('    /add [feature]    start building immediately');
+  console.log('    /dream            plan a full product first');
+  console.log('    /copilot          build autonomously');
 } else {
   console.log('  New project:');
   console.log('');
-  console.log('    /setup            configure this project');
+  console.log('    /setup            configure this project  ← start here');
   console.log('    /add [feature]    start building immediately');
   console.log('    /dream            plan a full product first');
 }
 
 console.log('');
 console.log('  ─────────────────────────────────────────────');
-console.log('  docs:    github.com/haytamAroui/AZ-CLAUDE-COPILOT');
-console.log('  upgrade: npx azclaude-copilot@latest');
+console.log('  all commands: /help  ·  docs: github.com/haytamAroui/AZ-CLAUDE-COPILOT');
+console.log('  upgrade:      npx azclaude-copilot@latest');
 console.log('════════════════════════════════════════════════\n');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "azclaude-copilot",
-  "version": "0.4.31",
+  "version": "0.4.32",
   "description": "AI coding environment — 34 commands, 9 skills, 15 agents, memory, reflexes, evolution. Install: npx azclaude-copilot@latest, then open Claude Code.",
   "bin": {
     "azclaude": "bin/cli.js",

package/templates/skills/security/references/security-details.md

@@ -15,7 +15,7 @@ Claude plans & calls tools
 [pre-tool-use.js] — intercepts 3 tool types before execution:
   Bash  → blocks curl|bash RCE, destructive rm; warns npm install, env var echo
   Read  → warns on credential file access (.env, secrets.json, id_rsa, .pem)
-  Write → 14 code vulnerability pattern rules (see table below)
+  Write → 19 code vulnerability pattern rules (see table below)
        ↓                          ↓
 [post-tool-use.js]         /tmp/.azclaude-seclog-{PID}
   behavioral sequence             ↑ shared session event log
@@ -106,6 +106,10 @@ Scans all Edit/Write/MultiEdit operations. Warnings → stderr. Secrets → exit
 - `yaml-unsafe-load` → use `yaml.safe_load()` — always
 - `path-traversal` → use `path.resolve()` + validate result starts with allowed base dir
 - `prompt-injection-write` → review content before writing to files that will be read by AI agents; never embed instruction-like text in project files
+- `c-gets` → use `fgets(buf, sizeof(buf), stdin)` or `getline()` — always specify buffer bounds
+- `php-shell-exec` → use `escapeshellarg()` / `escapeshellcmd()`, or avoid shell calls entirely
+- `java-runtime-exec` → use `new ProcessBuilder(List.of("cmd", "arg1")).start()` with a String array
+- `jinja2-ssti` → use `render_template("file.html", ...)` with a file-based template, never render raw strings
 - `hardcoded-secret` → use environment variables (`process.env.MY_SECRET` / `os.environ['MY_SECRET']`)
 
 ---