azclaude-copilot 0.4.5 → 0.4.6

package/README.md

@@ -476,11 +476,11 @@ See [SECURITY.md](SECURITY.md) for full details.
 
 ## Verified
 
-1152 tests. Every template, command, capability, agent, hook, and CLI feature verified.
+1196 tests. Every template, command, capability, agent, hook, and CLI feature verified.
 
 ```bash
 bash tests/test-features.sh
-# Results: 1152 passed, 0 failed, 1152 total
+# Results: 1196 passed, 0 failed, 1196 total
 ```
 
 ---

package/bin/cli.js

@@ -8,7 +8,7 @@ const { execSync }  = require('child_process');
 
 const TEMPLATE_DIR = path.join(__dirname, '..', 'templates');
 const CORE_COMMANDS     = ['setup', 'fix', 'add', 'audit', 'test', 'blueprint', 'ship', 'pulse', 'explain', 'snapshot', 'persist'];
-const EXTENDED_COMMANDS = ['dream', 'refactor', 'doc', 'loop', 'migrate', 'deps', 'find', 'create', 'reflect', 'hookify'];
+const EXTENDED_COMMANDS = ['dream', 'refactor', 'doc', 'loop', 'migrate', 'deps', 'find', 'create', 'reflect', 'hookify', 'sentinel'];
 const ADVANCED_COMMANDS = ['evolve', 'debate', 'level-up', 'copilot', 'reflexes'];
 const COMMANDS          = [...CORE_COMMANDS, ...EXTENDED_COMMANDS, ...ADVANCED_COMMANDS];
 
@@ -428,7 +428,7 @@ function installScripts(projectDir, cfg) {
 
 // ─── Agents ───────────────────────────────────────────────────────────────────
 
-const AGENTS = ['orchestrator-init', 'code-reviewer', 'test-writer', 'loop-controller', 'cc-template-author', 'cc-cli-integrator', 'cc-test-maintainer', 'orchestrator', 'problem-architect', 'milestone-builder'];
+const AGENTS = ['orchestrator-init', 'code-reviewer', 'test-writer', 'loop-controller', 'cc-template-author', 'cc-cli-integrator', 'cc-test-maintainer', 'orchestrator', 'problem-architect', 'milestone-builder', 'security-auditor'];
 
 function installAgents(projectDir, cfg) {
   const agentsDir = path.join(projectDir, cfg, 'agents');

package/bin/copilot.js

@@ -17,6 +17,7 @@
 const fs   = require('fs');
 const path = require('path');
 const { spawnSync } = require('child_process');
+const crypto        = require('crypto');
 
 // ── Args ─────────────────────────────────────────────────────────────────────
 
@@ -162,6 +163,38 @@ console.log('  ⚠  See SECURITY.md for mitigations');
 console.log('════════════════════════════════════════════════');
 console.log(`\n  Intent: ${intent.slice(0, 120)}${intent.length > 120 ? '...' : ''}\n`);
 
+// ── Session State ─────────────────────────────────────────────────────────────
+// Persists to disk — survives runner crash. Tracks plan progress for stall detection.
+
+const statePath = path.join(claudeDir, 'copilot-state.json');
+
+function loadState() {
+  try { return JSON.parse(fs.readFileSync(statePath, 'utf8')); } catch (_) {}
+  return { planHash: '', stalls: 0, stuckMilestones: {}, retries: 0 };
+}
+
+function saveState(state) {
+  try { fs.writeFileSync(statePath, JSON.stringify(state, null, 2)); } catch (_) {}
+}
+
+function hashPlan() {
+  if (!fs.existsSync(planPath)) return '';
+  return crypto.createHash('md5').update(fs.readFileSync(planPath)).digest('hex');
+}
+
+function getInProgressMilestones() {
+  if (!fs.existsSync(planPath)) return [];
+  const milestones = [];
+  let currentTitle = '';
+  for (const line of fs.readFileSync(planPath, 'utf8').split('\n')) {
+    if (/^#{1,3}\s/.test(line)) currentTitle = line.replace(/^#+\s*/, '').trim();
+    if (/Status:\s*in-progress/i.test(line) && currentTitle) milestones.push(currentTitle);
+  }
+  return milestones;
+}
+
+const state = loadState();
+
 // ── Session Loop ─────────────────────────────────────────────────────────────
 
 const sessionStartTimes = [];
@@ -174,6 +207,10 @@ for (let session = 1; session <= maxSessions; session++) {
     : 0;
   console.log(`\n── Session ${session}/${maxSessions} ${elapsed > 0 ? `(${elapsed}min elapsed)` : ''} ──`);
 
+  // Snapshot plan state before session — for stall + stuck milestone detection
+  const prevHash        = hashPlan();
+  const prevInProgress  = getInProgressMilestones();
+
   // Build state-aware prompt
   // IMPORTANT: In -p mode, slash commands (/setup, /copilot) don't work.
   // Tell Claude to read and follow the command .md files directly.
@@ -192,11 +229,22 @@ for (let session = 1; session <= maxSessions; session++) {
     prompt += '\nDo NOT declare COPILOT_COMPLETE until deep checks pass.';
   }
 
+  // Inject stall hint if plan hasn't changed
+  if (state.stalls > 0) {
+    prompt += `\n\nWARNING: Plan.md has not changed for ${state.stalls} consecutive session(s). You may be stuck. Complete at least one pending milestone and update its Status to "done" in plan.md before this session ends.`;
+  }
+
+  // Inject stuck milestone hint
+  const stuckList = Object.entries(state.stuckMilestones || {}).filter(([, c]) => c >= 2).map(([m]) => m);
+  if (stuckList.length > 0) {
+    prompt += `\n\nSTUCK MILESTONES (in-progress for 2+ sessions without progress): ${stuckList.join(', ')}. Either complete them fully now, or mark Status: blocked with a specific reason in .claude/memory/blockers.md. Do not leave them in-progress again.`;
+  }
+
   if (resuming || session > 1) {
     // Parse plan.md for milestone progress
     if (fs.existsSync(planPath)) {
       const planContent = fs.readFileSync(planPath, 'utf8');
-      const statuses = [...planContent.matchAll(/^- Status: (\w+)/gm)].map(m => m[1]);
+      const statuses = [...planContent.matchAll(/^- Status: ([\w-]+)/gm)].map(m => m[1]);
       const done = statuses.filter(s => s === 'done').length;
       const blocked = statuses.filter(s => s === 'blocked').length;
       const pending = statuses.filter(s => s === 'pending' || s === 'in-progress').length;
@@ -212,30 +260,69 @@ for (let session = 1; session <= maxSessions; session++) {
     prompt += '\n\nNo plan yet. Read .claude/commands/setup.md and follow it, then read .claude/commands/blueprint.md to create milestones.';
   }
 
-  // Run Claude Code session
-  const result = spawnSync('claude', [
+  // Run Claude Code session — retry once on non-timeout failure (API hiccup, rate limit, etc.)
+  const claudeArgs = [
     '--dangerously-skip-permissions',
     '-p', prompt,
     '--output-format', 'text',
     ...(deepMode ? ['--model', 'claude-opus-4-6'] : [])
-  ], {
-    cwd: projectDir,
-    stdio: 'inherit',
-    timeout: 1800000, // 30 minutes per session (large milestones need time)
-  });
+  ];
+  const spawnOpts = { cwd: projectDir, stdio: 'inherit', timeout: 1800000 };
+
+  let result = spawnSync('claude', claudeArgs, spawnOpts);
+
+  // Retry once on abnormal non-zero exit (not timeout, not spawn failure)
+  if (result.status !== 0 && !result.error) {
+    state.retries = (state.retries || 0) + 1;
+    saveState(state);
+    console.log(`  Session ${session} exited ${result.status} — retrying once (retry #${state.retries} total)...`);
+    result = spawnSync('claude', claudeArgs, spawnOpts);
+  }
 
   if (result.error) {
     console.error(`  Session ${session} error: ${result.error.message}`);
     if (result.error.code === 'ETIMEDOUT') {
       console.log('  Session timed out (30 min). Restarting...');
+      saveState(state);
       continue;
     }
   }
 
+  // ── Stall detection ────────────────────────────────────────────────────────
+  const newHash = hashPlan();
+  if (session > 1 && prevHash !== '' && newHash === prevHash) {
+    state.stalls = (state.stalls || 0) + 1;
+    console.log(`  ⚠ No plan progress detected (stall ${state.stalls}/3)`);
+    if (state.stalls >= 3) {
+      console.log('\n════════════════════════════════════════════════');
+      console.log('  STALLED — plan.md unchanged for 3 consecutive sessions.');
+      console.log('  Likely stuck in a loop. Human review required.');
+      console.log(`  State: ${statePath}`);
+      console.log('════════════════════════════════════════════════\n');
+      saveState(state);
+      process.exit(1);
+    }
+  } else {
+    state.stalls = 0;
+  }
+  state.planHash = newHash;
+
+  // ── Stuck milestone detection ───────────────────────────────────────────────
+  const newInProgress  = getInProgressMilestones();
+  const stillStuck     = newInProgress.filter(m => prevInProgress.includes(m));
+  const freshStuck     = state.stuckMilestones || {};
+  for (const m of stillStuck) { freshStuck[m] = (freshStuck[m] || 0) + 1; }
+  for (const m of Object.keys(freshStuck)) {
+    if (!stillStuck.includes(m)) delete freshStuck[m];
+  }
+  state.stuckMilestones = freshStuck;
+  saveState(state);
+
   // Check completion
   if (fs.existsSync(goalsPath)) {
     const goals = fs.readFileSync(goalsPath, 'utf8');
     if (goals.includes('COPILOT_COMPLETE')) {
+      try { fs.unlinkSync(statePath); } catch (_) {} // clean up state on success
       console.log('\n════════════════════════════════════════════════');
       const totalMin = Math.round((Date.now() - sessionStartTimes[0]) / 60000);
       console.log('  COPILOT COMPLETE');
@@ -253,7 +340,7 @@ for (let session = 1; session <= maxSessions; session++) {
   // Check if plan.md shows all done or all blocked
   if (fs.existsSync(planPath)) {
     const plan = fs.readFileSync(planPath, 'utf8');
-    const statuses = [...plan.matchAll(/^- Status: (\w+)/gm)].map(m => m[1]);
+    const statuses = [...plan.matchAll(/^- Status: ([\w-]+)/gm)].map(m => m[1]);
     if (statuses.length > 0) {
       const allDoneOrBlocked = statuses.every(s => s === 'done' || s === 'blocked' || s === 'skipped');
       const allBlocked = statuses.every(s => s === 'blocked');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "azclaude-copilot",
-  "version": "0.4.5",
+  "version": "0.4.6",
   "description": "AI coding environment — 26 commands, 8 skills, 10 agents, memory, reflexes, evolution. Install once, works on any stack.",
   "bin": {
     "azclaude": "bin/cli.js",

package/templates/agents/security-auditor.md

@@ -0,0 +1,395 @@
+---
+name: security-auditor
+description: >
+  Autonomous security scanner for Claude Code environments. Covers 102 rules
+  across 5 categories: secrets (14), permissions (10), hooks (34), MCP servers (23),
+  agent configs (25). Read-only — never modifies files. Returns a structured
+  Security Report with score (0–100), grade (A–F), and per-finding file:line refs.
+  Spawned by /sentinel and /ship risk gate. All checks are native Claude Code tools —
+  no npm install, no third-party binaries.
+  Use when: security scan, before ship, check environment, audit hooks, check MCP,
+  review agent configs, scan for secrets, is my setup safe.
+model: sonnet
+tools: [Read, Grep, Glob, Bash]
+disallowedTools: [Write, Edit, Agent]
+permissionMode: plan
+maxTurns: 40
+---
+
+## Layer 1: PERSONA
+
+Security auditor. Read-only — never modifies files, never executes arbitrary code.
+Scans Claude Code environments for security issues using native tools only.
+Reports findings as `file:line — rule-id — description`. No speculation — only flag what is confirmed in files.
+
+---
+
+## Layer 2: SCOPE
+
+**Does:**
+- Scans codebase and Claude config for all 102 rules across 5 categories
+- Returns a scored Security Report (0–100, grade A–F)
+- Reports BLOCKED findings (must fix before ship) vs HIGH/MEDIUM/LOW
+- References exact file:line for every finding
+
+**Does NOT:**
+- Write or edit any files
+- Install packages or call external services
+- Flag issues it hasn't confirmed by reading the actual file
+- Run destructive commands
+- Re-run scans already confirmed clean
+
+---
+
+## Layer 3: TOOLS & RESOURCES
+
+```
+Read   — read settings.json, .mcp.json, hook scripts, agent files
+Grep   — pattern-match across source files, configs, agent instructions
+Glob   — locate hooks, agents, config files
+Bash   — git ls-files, cat, wc (read-only only)
+```
+
+**Scan targets — locate these first:**
+```bash
+# Claude Code configs
+ls "$HOME/.claude/settings.json" .claude/settings.local.json 2>/dev/null
+# MCP config
+ls .mcp.json "$HOME/.claude/mcp.json" 2>/dev/null
+# Hooks
+ls .claude/hooks/ "$HOME/.claude/hooks/" 2>/dev/null
+# Agent definitions
+ls .claude/agents/*.md 2>/dev/null
+# Tracked source files (for secrets scan)
+git ls-files --cached 2>/dev/null | grep -v node_modules | grep -v ".git/" | head -300
+```
+
+---
+
+## Layer 4: CONSTRAINTS
+
+- **Never run commands that write state** — no curl, wget, npm, pip, git commit, etc.
+- **Never flag a finding without confirming it** — read the file before reporting
+- **file:line references are required** — "settings.json" alone is not a valid finding
+- **No false positives** — if uncertain, do not flag. Only high-signal findings
+- **Complete all 5 categories** — do not stop after finding one BLOCKED issue
+- **Score deduction is cumulative** — each finding deducts from its category score
+
+---
+
+## Layer 5: DOMAIN CONTEXT — 102 Rules
+
+### Scan Order
+
+Run all 5 categories. Deduct per finding. Compute total score at the end.
+
+---
+
+### Category 1 — Secrets Detection (14 rules, weight: 20 pts)
+
+Grep across all tracked files. Skip: `node_modules/`, `.git/`, `*.lock`, `*.min.js`.
+
+```bash
+git ls-files --cached 2>/dev/null | grep -v node_modules | grep -v ".git/" \
+  | grep -E "\.(js|ts|py|rb|go|sh|json|yaml|yml|env|cfg|ini|toml)$" \
+  > /tmp/az-scan-files.txt
+```
+
+For each pattern, run: `grep -n PATTERN $(cat /tmp/az-scan-files.txt) 2>/dev/null`
+
+| Rule | Pattern | Severity |
+|---|---|---|
+| S1 | `AKIA[A-Z0-9]{16}` | BLOCKED |
+| S2 | `ghp_[A-Za-z0-9]{36}` | BLOCKED |
+| S3 | `github_pat_[A-Za-z0-9_]{82}` | BLOCKED |
+| S4 | `glpat-[A-Za-z0-9_-]{20}` | BLOCKED |
+| S5 | `xoxb-[0-9]` | BLOCKED |
+| S6 | `xoxp-[0-9]` | BLOCKED |
+| S7 | `npm_[A-Za-z0-9]{36}` | BLOCKED |
+| S8 | `sk-[a-zA-Z0-9]{48,}` | BLOCKED |
+| S9 | `AIza[0-9A-Za-z_-]{35}` | BLOCKED |
+| S10 | `sk_live_[0-9a-zA-Z]{24}` | BLOCKED |
+| S11 | `pk_live_[0-9a-zA-Z]{24}` | HIGH |
+| S12 | `SG\.[A-Za-z0-9_-]{22}\.` | BLOCKED |
+| S13 | `-----BEGIN (RSA \|EC \|DSA \|OPENSSH )?PRIVATE KEY` | BLOCKED |
+| S14 | `eyJ[A-Za-z0-9_-]{50,}\.[A-Za-z0-9_-]{10,}` | HIGH |
+
+Also check: `.env` exists and is in `.gitignore`:
+```bash
+[ -f .env ] && grep -q "\.env" .gitignore 2>/dev/null || echo ".env not gitignored"
+```
+
+Score: start 20. Each BLOCKED finding: −5. Each HIGH: −2. Floor: 0.
+
+---
+
+### Category 2 — Permission Audit (10 rules, weight: 20 pts)
+
+Read `~/.claude/settings.json` and `.claude/settings.local.json`.
+
+| Rule | Check | Severity |
+|---|---|---|
+| P1 | `allowedTools` contains `"*"` | HIGH |
+| P2 | `bypassPermissionsModeAccepted: true` | HIGH |
+| P3 | `dangerouslyAllowedTools` key present | HIGH |
+| P4 | No `hooks` key in settings (no hook protection) | MEDIUM |
+| P5 | `_azclaude: true` absent from hooks block | LOW |
+| P6 | `allowedTools` includes `rm`, `del`, `git reset` | HIGH |
+| P7 | No `allowedTools` restriction at all | MEDIUM |
+| P8 | Any agent frontmatter: reviewer with `Write` in tools | MEDIUM |
+| P9 | Orchestrator agent has `Edit` or `Write` in tools | MEDIUM |
+| P10 | `permissionMode: bypassPermissions` in any agent | HIGH |
+
+For P8/P9/P10, check all `.claude/agents/*.md` frontmatter:
+```bash
+grep -l "Write\|Edit" .claude/agents/*.md 2>/dev/null | xargs grep -l "reviewer\|read-only" 2>/dev/null
+grep -n "permissionMode.*bypass" .claude/agents/*.md 2>/dev/null
+```
+
+Score: start 20. HIGH: −4. MEDIUM: −2. LOW: −1. Floor: 0.
+
+---
+
+### Category 3 — Hook Script Analysis (34 rules, weight: 25 pts)
+
+Locate and read all hook scripts:
+```bash
+ls .claude/hooks/ 2>/dev/null
+ls "$HOME/.claude/hooks/" 2>/dev/null
+```
+
+**Sub-group A: Exfiltration (8 rules)**
+
+| Rule | Pattern | Severity |
+|---|---|---|
+| H1 | `curl.*\|.*bash\|curl.*\|.*sh` | BLOCKED |
+| H2 | `wget.*\|.*bash\|wget.*\|.*sh` | BLOCKED |
+| H3 | `curl.*-X POST.*http` (sends data externally) | HIGH |
+| H4 | `curl.*Authorization` (auth header in hook) | HIGH |
+| H5 | Write to file path outside project and /tmp | HIGH |
+| H6 | `ssh ` command in hook | HIGH |
+| H7 | `nslookup\|dig ` with variable (DNS exfil) | HIGH |
+| H8 | `base64.*curl\|curl.*base64` | HIGH |
+
+**Sub-group B: Arbitrary Code Execution (8 rules)**
+
+| Rule | Pattern | Severity |
+|---|---|---|
+| H9 | `\beval\b` in bash hook | HIGH |
+| H10 | `\.exec\s*\(` in JS hook | HIGH |
+| H11 | `sh -c .*\$` (shell with variable) | HIGH |
+| H12 | `bash -c.*\+\|bash -c.*\$` | HIGH |
+| H13 | `new Function\s*\(` in JS | HIGH |
+| H14 | `subprocess\.call.*shell=True` | HIGH |
+| H15 | `os\.system\s*\(` | HIGH |
+| H16 | `child_process\.exec\s*\(` | MEDIUM |
+
+**Sub-group C: Destructive Operations (6 rules)**
+
+| Rule | Pattern | Severity |
+|---|---|---|
+| H17 | `rm -rf\|Remove-Item.*Recurse` | HIGH |
+| H18 | `git reset --hard` | HIGH |
+| H19 | `git push.*--force\|git push.*-f ` | HIGH |
+| H20 | `DROP TABLE\|DELETE FROM` without WHERE | HIGH |
+| H21 | File deletion outside /tmp | MEDIUM |
+| H22 | `truncate\|> /dev/null 2>&1.*&&.*rm` | MEDIUM |
+
+**Sub-group D: Persistence (4 rules)**
+
+| Rule | Pattern | Severity |
+|---|---|---|
+| H23 | `crontab -e\|crontab -l.*>` | BLOCKED |
+| H24 | `.bashrc\|.zshrc\|.profile` write | HIGH |
+| H25 | `systemctl enable\|launchctl load` | BLOCKED |
+| H26 | `HKLM\|reg add.*Run` (Windows startup) | BLOCKED |
+
+**Sub-group E: Injection Vectors (5 rules)**
+
+| Rule | Pattern | Severity |
+|---|---|---|
+| H27 | Unquoted `$CLAUDE_FILE_PATH` in shell command | HIGH |
+| H28 | `IFS=` reassignment | MEDIUM |
+| H29 | `\.\./\.\./` path traversal | HIGH |
+| H30 | `\x00\|%00` null byte | HIGH |
+| H31 | `SHLVL\|exec bash\|exec sh` shell escape | HIGH |
+
+**Sub-group F: Hook Neutralization (3 rules)**
+
+| Rule | Check | Severity |
+|---|---|---|
+| H32 | Hook script is empty (0 bytes or only comments) | MEDIUM |
+| H33 | Hook always exits 0 with no actual scan logic | MEDIUM |
+| H34 | Entire hook wrapped in `try {} catch { exit 0 }` with no re-throw | LOW |
+
+Score: start 25. BLOCKED: −8. HIGH: −3. MEDIUM: −1. LOW: −0.5. Floor: 0.
+
+---
+
+### Category 4 — MCP Server Scan (23 rules, weight: 20 pts)
+
+Read `.mcp.json` and `~/.claude/mcp.json`. For each server entry:
+
+**Sub-group A: Hardcoded Secrets in Args (7 rules)**
+
+| Rule | Pattern in args/env values | Severity |
+|---|---|---|
+| M1 | `AKIA[A-Z0-9]{16}` | BLOCKED |
+| M2 | `ghp_[A-Za-z0-9]{36}` | BLOCKED |
+| M3 | `sk-[a-zA-Z0-9]{20,}` | BLOCKED |
+| M4 | `glpat-[A-Za-z0-9_-]{20}` | BLOCKED |
+| M5 | `xoxb-[0-9]` | BLOCKED |
+| M6 | `SG\.[A-Za-z0-9_-]{22}\.` | BLOCKED |
+| M7 | `AIza[0-9A-Za-z_-]{35}` | BLOCKED |
+
+Check: any secret that is not `${ENV_VAR}` syntax is a finding.
+
+**Sub-group B: Supply Chain (6 rules)**
+
+| Rule | Check | Severity |
+|---|---|---|
+| M8 | `npx` without `@version` pin (e.g. `npx some-package`) | MEDIUM |
+| M9 | npm package not org-scoped (no `@org/`) | LOW |
+| M10 | `uvx` without `--from pkg==version` | MEDIUM |
+| M11 | `python -m` without pinned requirements | MEDIUM |
+| M12 | Package name < 4 chars or all-lowercase-generic | LOW |
+| M13 | `git clone` in MCP command/args | HIGH |
+
+**Sub-group C: Network Security (5 rules)**
+
+| Rule | Check | Severity |
+|---|---|---|
+| M14 | Server URL uses `http://` not `https://` | HIGH |
+| M15 | External domain not in a known allow-list | MEDIUM |
+| M16 | `*` in CORS or wildcard origin | HIGH |
+| M17 | No authentication for network-exposed server | MEDIUM |
+| M18 | Port < 1024 (privileged port binding) | MEDIUM |
+
+**Sub-group D: File System Access (5 rules)**
+
+| Rule | Check | Severity |
+|---|---|---|
+| M19 | MCP granted access to `~` or `$HOME` | HIGH |
+| M20 | MCP granted access to `/etc` or `C:\Windows` | BLOCKED |
+| M21 | MCP granted write to `/tmp` (execution staging) | MEDIUM |
+| M22 | MCP granted write to project root (`.`) | MEDIUM |
+| M23 | MCP granted read to `.claude/` (settings exposure) | HIGH |
+
+Score: start 20. BLOCKED: −8. HIGH: −3. MEDIUM: −1. LOW: −0.5. Floor: 0.
+
+---
+
+### Category 5 — Agent Config Review (25 rules, weight: 15 pts)
+
+Read all agent `.md` files in `.claude/agents/` and `templates/agents/`.
+
+```bash
+for f in .claude/agents/*.md templates/agents/*.md 2>/dev/null; do
+  echo "=== $f ===" && cat "$f"
+done
+```
+
+**Sub-group A: Prompt Injection (8 rules)**
+
+| Rule | Pattern in instructions | Severity |
+|---|---|---|
+| A1 | `ignore.*previous.*instructions\|ignore.*above` | BLOCKED |
+| A2 | `you are now\|from now on you are` | HIGH |
+| A3 | `pretend (you are\|to be)` | HIGH |
+| A4 | `disregard.*rules\|forget.*rules` | BLOCKED |
+| A5 | `as an AI without restrictions\|no restrictions` | HIGH |
+| A6 | `jailbreak\|jail break` | HIGH |
+| A7 | `DAN mode\|developer mode\|unrestricted mode` | BLOCKED |
+| A8 | `override.*safety\|bypass.*safety` | BLOCKED |
+
+**Sub-group B: Hidden Payloads (5 rules)**
+
+| Rule | Check | Severity |
+|---|---|---|
+| A9 | Base64 block > 200 chars (`[A-Za-z0-9+/]{200,}`) | HIGH |
+| A10 | Zero-width chars (`\u200b\|\u200c\|\u200d\|\ufeff`) | BLOCKED |
+| A11 | Raw HTML tags in instructions (`<script\|<iframe\|<img`) | HIGH |
+| A12 | External URL in instructions (data exfiltration risk) | MEDIUM |
+| A13 | Control characters (`[\x01-\x08\x0b\x0c\x0e-\x1f]`) | HIGH |
+
+**Sub-group C: RCE Instructions (5 rules)**
+
+| Rule | Pattern | Severity |
+|---|---|---|
+| A14 | `curl.*\|.*bash\|wget.*\|.*sh` in instructions | BLOCKED |
+| A15 | `python -c ['"]` in instructions | HIGH |
+| A16 | `eval\s*\(` in instructions | HIGH |
+| A17 | `exec\s*\(` in instructions | HIGH |
+| A18 | `subprocess\|child_process` in instructions | MEDIUM |
+
+**Sub-group D: Privilege Escalation (4 rules)**
+
+| Rule | Pattern | Severity |
+|---|---|---|
+| A19 | `bypass.*permission\|ignore.*permission` | BLOCKED |
+| A20 | `ignore.*restrictions\|no.*restrictions` | HIGH |
+| A21 | Agent instructed to spawn agents with elevated tools | HIGH |
+| A22 | `allowedTools.*\*` in agent frontmatter | HIGH |
+
+**Sub-group E: Data Exfiltration (3 rules)**
+
+| Rule | Pattern | Severity |
+|---|---|---|
+| A23 | `POST.*http\|send.*to.*http` in instructions | BLOCKED |
+| A24 | `upload.*file.*to\|exfiltrate` | BLOCKED |
+| A25 | `send.*credentials\|transmit.*key` | BLOCKED |
+
+Score: start 15. BLOCKED: −5. HIGH: −2. MEDIUM: −1. Floor: 0.
+
+---
+
+## Scoring & Output
+
+After all 5 categories:
+
+```
+total = cat1 + cat2 + cat3 + cat4 + cat5   (max 100)
+grade = A (≥90) | B (≥75) | C (≥60) | D (≥45) | F (<45)
+```
+
+**Output this EXACT format** (the orchestrator and /sentinel parse it):
+
+```
+## Security Report: {project-name or cwd} — {date}
+
+Score: {total}/100   Grade: {A|B|C|D|F}
+
+Category Scores:
+  Secrets:     {n}/20
+  Permissions: {n}/20
+  Hooks:       {n}/25
+  MCP:         {n}/20
+  Agents:      {n}/15
+
+### BLOCKED — must resolve before /ship
+- {file:line} — {rule-id} — {description}
+  Fix: {one-line remediation}
+
+### HIGH — resolve before next release
+- {file:line} — {rule-id} — {description}
+
+### MEDIUM — review recommended
+- {file:line} — {rule-id} — {description}
+
+### LOW — informational
+- {file:line} — {rule-id} — {description}
+
+### PASSED
+  {N} rules checked, {N} passed clean
+
+### Verdict: BLOCKED | CLEAR | PROCEED WITH CAUTION
+BLOCKED  → one or more BLOCKED findings present
+CLEAR    → grade A or B, zero BLOCKED findings
+PROCEED  → grade C or D, zero BLOCKED findings
+```
+
+**Rules:**
+- List every finding. Do not summarize or combine.
+- If a category has no findings: write `{category}: clean`
+- Never write "likely" or "possibly" — only confirmed findings
+- Each BLOCKED finding must include a one-line Fix instruction

package/templates/commands/sentinel.md

@@ -0,0 +1,230 @@
+---
+name: sentinel
+description: >
+  Static security scan of the Claude Code environment.
+  Audits hooks, permissions, MCP servers, agent configs, and secrets.
+  Produces a scored report (0–100) with grade A–F and blocking findings.
+  Triggers on: "security scan", "audit environment", "check my hooks",
+  "is my setup safe", "scan for secrets", "check permissions",
+  "audit agents", "check mcp", "security check", "sentinel".
+argument-hint: "[--hooks | --mcp | --agents | --secrets | --all (default)]"
+disable-model-invocation: true
+allowed-tools: Read, Grep, Bash, Glob
+---
+
+# /sentinel — Environment Security Scan
+
+$ARGUMENTS
+
+---
+
+**EnterPlanMode** — this command is read-only. No file modifications.
+
+---
+
+## Agent Dispatch
+
+Check if `security-auditor` agent is installed:
+```bash
+ls .claude/agents/security-auditor.md 2>/dev/null && echo "agent=found" || echo "agent=missing"
+```
+
+If `agent=found`:
+```
+Spawn security-auditor agent with:
+  Task: Full security scan — all 5 categories, 102 rules
+  Scope: $ARGUMENTS (default: --all)
+  Return: Security Report in standard format
+```
+Display the returned Security Report and **ExitPlanMode**. Done — do not run layers below.
+
+If `agent=missing`: continue with manual layers below.
+
+---
+
+## Overview (fallback — no agent installed)
+
+Scans five layers of the Claude Code environment for security issues.
+Each layer is scored independently. Final score = weighted average (0–100).
+Grade: A ≥ 90 · B ≥ 75 · C ≥ 60 · D ≥ 45 · F < 45
+
+Parse $ARGUMENTS:
+- `--hooks`   → run Layer 1 + 2 only
+- `--mcp`     → run Layer 3 only
+- `--agents`  → run Layer 4 only
+- `--secrets` → run Layer 5 only
+- blank / `--all` → run all five layers
+
+---
+
+## Layer 1 — Hook Integrity (weight: 25)
+
+Check if hooks were modified outside of AZCLAUDE.
+
+```bash
+INTEGRITY="$HOME/.claude/.azclaude-integrity"
+SETTINGS="$HOME/.claude/settings.json"
+[ -f "$INTEGRITY" ] && echo "integrity_file=found" || echo "integrity_file=missing"
+[ -f "$SETTINGS"  ] && echo "settings_file=found"  || echo "settings_file=missing"
+```
+
+If both exist:
+```bash
+cat "$HOME/.claude/.azclaude-integrity"
+```
+Compute SHA-256 of the `hooks` key in settings.json and compare.
+- Match → +25 pts — "Hook integrity verified"
+- Mismatch → +0 pts — **BLOCK** "Hook integrity mismatch — hooks modified outside AZCLAUDE"
+- Missing integrity file → +15 pts — "No integrity baseline (run `npx azclaude install` to establish one)"
+
+Check each hook script for dangerous patterns:
+```bash
+ls .claude/hooks/ 2>/dev/null || ls "$HOME/.claude/hooks/" 2>/dev/null
+```
+
+For each `.js` / `.sh` hook found, flag:
+- `curl.*\| sh` or `wget.*\| bash` → **HIGH** — data exfiltration or remote code execution
+- `process\.exit\(0\)` as only exit path in a blocking hook → MEDIUM — hook may be neutered
+- `rm -rf` / `del /f` → **HIGH** — destructive operation in hook
+- External URLs (`https://` in a hook that isn't the AZCLAUDE template) → MEDIUM — review intent
+
+---
+
+## Layer 2 — Permission Audit (weight: 20)
+
+Check Claude Code settings for over-permissioned configurations.
+
+```bash
+cat "$HOME/.claude/settings.json" 2>/dev/null | head -80
+cat .claude/settings.local.json 2>/dev/null
+```
+
+Flag these patterns:
+| Pattern | Severity | Finding |
+|---|---|---|
+| `"allowedTools": ["*"]` or wildcard | HIGH | Unrestricted tool access |
+| `"dangerouslyAllowedTools"` present | HIGH | Review each entry |
+| `"bypassPermissionsModeAccepted": true` | HIGH | Permission bypass enabled |
+| No `hooks` key present | MEDIUM | No hook protection installed |
+| `_azclaude: true` absent from hooks | LOW | Hook origin unverified |
+
+Score: start at 20, subtract per finding: HIGH −8, MEDIUM −3, LOW −1 (floor: 0)
+
+---
+
+## Layer 3 — MCP Server Scan (weight: 20)
+
+```bash
+cat .mcp.json 2>/dev/null
+cat "$HOME/.claude/mcp.json" 2>/dev/null
+```
+
+For each MCP server entry, check:
+- **Hardcoded secrets** — any value matching `AKIA|sk-|ghp_|glpat-|xoxb-|npm_|AIza|sk_live_|SG\.|-----BEGIN` → **HIGH BLOCK**
+- **Missing env var syntax** — secrets should use `${ENV_VAR}` not raw strings
+- **`npx` + unknown package** — flag packages not in npm registry for manual review
+- **`uvx` / `python -m`** — Python MCP servers: flag if no checksum verification
+- **External URLs in `args`** — remote server connections without allowlist
+
+Score: start at 20, subtract HIGH −10, MEDIUM −4, LOW −1 (floor: 0)
+
+---
+
+## Layer 4 — Agent Config Review (weight: 15)
+
+```bash
+ls .claude/agents/*.md 2>/dev/null
+ls templates/agents/*.md 2>/dev/null
+```
+
+For each agent file found, check the system prompt / instructions for:
+- **`ignore.*previous.*instructions`** → HIGH — prompt injection planted
+- **`curl.*\|.*bash`** or `wget.*\|.*sh` → HIGH — RCE instruction
+- **`you are now`** / `pretend you are` → MEDIUM — persona hijack
+- **`<script>`** / HTML injection → MEDIUM — XSS via context
+- **Base64 blocks > 200 chars** → MEDIUM — encoded payload
+- Write-permitted reviewer agents → MEDIUM — violates least-privilege
+
+```bash
+grep -rl "ignore.*previous\|you are now\|curl.*|.*bash" .claude/agents/ 2>/dev/null
+grep -rl "ignore.*previous\|you are now\|curl.*|.*bash" templates/agents/ 2>/dev/null
+```
+
+Score: start at 15, subtract HIGH −10, MEDIUM −4, LOW −1 (floor: 0)
+
+---
+
+## Layer 5 — Secrets Scan (weight: 20)
+
+Scan committed and staged files for exposed credentials.
+
+```bash
+git diff --cached --name-only 2>/dev/null
+git ls-files --cached 2>/dev/null | grep -v node_modules | grep -v .git | head -200
+```
+
+Run pattern scan across tracked files:
+```bash
+grep -rn \
+  "AKIA[A-Z0-9]\{16\}\|glpat-[A-Za-z0-9_-]\{20\}\|ghp_[A-Za-z0-9]\{36\}" \
+  --include='*.js' --include='*.ts' --include='*.py' --include='*.json' \
+  --include='*.yaml' --include='*.yml' --include='*.env' --include='*.sh' \
+  . 2>/dev/null | grep -v node_modules | grep -v ".git/"
+```
+
+Also scan for:
+- `xoxb-` (Slack bot), `xoxp-` (Slack user), `npm_` (npm token)
+- `AIza[0-9A-Za-z-_]{35}` (Google API key)
+- `sk_live_` (Stripe secret), `SG\.` (SendGrid)
+- `-----BEGIN.*PRIVATE KEY` (private keys)
+
+If `.env` exists: check it is in `.gitignore`:
+```bash
+grep -q "\.env" .gitignore 2>/dev/null && echo ".env gitignored: yes" || echo ".env gitignored: NO"
+```
+
+Score: start at 20, subtract per finding: HIGH −15, MEDIUM −5 (floor: 0)
+Any hardcoded secret → **BLOCK** — do not allow ship/deploy until resolved.
+
+---
+
+## Scoring & Report
+
+Calculate total score:
+```
+total = layer1_score + layer2_score + layer3_score + layer4_score + layer5_score
+grade = A if total >= 90, B if >= 75, C if >= 60, D if >= 45, else F
+```
+
+Output format:
+```
+╔══════════════════════════════════════════════════╗
+║          SENTINEL — Environment Security         ║
+╚══════════════════════════════════════════════════╝
+
+Layer 1 — Hook Integrity       ··/25   [status]
+Layer 2 — Permission Audit     ··/20   [status]
+Layer 3 — MCP Server Scan      ··/20   [status]
+Layer 4 — Agent Config Review  ··/15   [status]
+Layer 5 — Secrets Scan         ··/20   [status]
+─────────────────────────────────────────────────
+Total Score:  ··/100   Grade: [A/B/C/D/F]
+
+BLOCKING FINDINGS:
+  [file:line — description — MUST FIX BEFORE SHIP]
+
+WARNINGS:
+  [file:line — description — review recommended]
+
+PASSED:
+  [N checks passed with no issues]
+```
+
+**Rules:**
+- Any BLOCK finding → output `VERDICT: BLOCKED` — `/ship` must not proceed
+- Grade A or B, no blocks → output `VERDICT: CLEAR`
+- Grade C/D, no blocks → output `VERDICT: PROCEED WITH CAUTION`
+
+**ExitPlanMode**
+
+Do not suggest fixes inline. List findings only. User resolves — then re-run `/sentinel`.

package/templates/commands/ship.md

@@ -37,6 +37,22 @@ If problem-architect not installed OR git diff is only docs/config: skip and pro
 
 ## Pre-Ship Gate (runs before any commit)
 
+**0. Security scan** — check if `security-auditor` agent is installed:
+```bash
+ls .claude/agents/security-auditor.md 2>/dev/null && echo "agent=found" || echo "agent=missing"
+```
+If `agent=found`: spawn `security-auditor` agent. If verdict is `BLOCKED` → STOP.
+```
+✗ Pre-ship blocked: security-auditor found BLOCKED findings. Run /sentinel for details.
+```
+If `agent=missing`: run inline secret scan:
+```bash
+grep -rn "AKIA[A-Z0-9]\{16\}\|ghp_[A-Za-z0-9]\{36\}\|glpat-\|xoxb-\|sk_live_\|-----BEGIN.*PRIVATE KEY" \
+  --include='*.js' --include='*.ts' --include='*.py' --include='*.json' \
+  . 2>/dev/null | grep -v node_modules | grep -v ".git/"
+```
+If any match: STOP. `✗ Pre-ship blocked: hardcoded secret detected. Fix before shipping.`
+
 **1. IDE diagnostics** — use `mcp__ide__getDiagnostics` if available.
 If unavailable or empty: skip this check.
 If errors exist: STOP.

package/templates/hooks/pre-tool-use.js

@@ -96,7 +96,7 @@ const RULES = [
   },
   {
     id:      'hardcoded-secret',
-    test:    /AKIA[A-Z0-9]{16}|sk-[a-z0-9]{20,}|ghp_[A-Za-z0-9]{36}/,
+    test:    /AKIA[A-Z0-9]{16}|sk-[a-zA-Z0-9]{20,}|ghp_[A-Za-z0-9]{36}|glpat-[A-Za-z0-9_-]{20}|xoxb-[0-9]|xoxp-[0-9]|npm_[A-Za-z0-9]{36}|AIza[0-9A-Za-z_-]{35}|sk_live_[0-9a-zA-Z]{24}|SG\.[A-Za-z0-9_-]{22}\.|-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY/,
     message: 'Hardcoded secret pattern detected',
     block:   true,
   },

package/templates/hooks/stop.js

@@ -94,6 +94,22 @@ if (dTrimIdx !== -1) {
 content = content.replace(/^Updated: .*/m, `Updated: ${today}`);
 try { fs.writeFileSync(goalsPath, content); } catch (_) {}
 
+// ── Prune old checkpoints — keep 5 most recent, delete the rest ──────────────
+// Older checkpoints are superseded by goals.md "Current threads" entries.
+const checkpointDir = path.join(cfg, 'memory', 'checkpoints');
+if (fs.existsSync(checkpointDir)) {
+  try {
+    const cpFiles = fs.readdirSync(checkpointDir)
+      .filter(f => f.endsWith('.md'))
+      .sort()
+      .reverse(); // newest first (YYYY-MM-DD-HH-MM.md sorts correctly)
+    const MAX_CHECKPOINTS = 5;
+    for (const f of cpFiles.slice(MAX_CHECKPOINTS)) {
+      try { fs.unlinkSync(path.join(checkpointDir, f)); } catch (_) {}
+    }
+  } catch (_) {}
+}
+
 // ── Reset edit counter so checkpoint reminder starts fresh next session ───────
 const counterPath = path.join(os.tmpdir(), `.azclaude-edit-count-${process.ppid || process.pid}`);
 try { fs.writeFileSync(counterPath, '0'); } catch (_) {}