azclaude-copilot 0.4.8 → 0.4.10

package/README.md

@@ -477,11 +477,11 @@ See [SECURITY.md](SECURITY.md) for full details.
 
 ## Verified
 
-1197 tests. Every template, command, capability, agent, hook, and CLI feature verified.
+1196 tests. Every template, command, capability, agent, hook, and CLI feature verified.
 
 ```bash
 bash tests/test-features.sh
-# Results: 1197 passed, 0 failed, 1197 total
+# Results: 1196 passed, 0 failed, 1196 total
 ```
 
 ---

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "azclaude-copilot",
-  "version": "0.4.8",
+  "version": "0.4.10",
   "description": "AI coding environment — 26 commands, 8 skills, 10 agents, memory, reflexes, evolution. Install: npm install -g azclaude-copilot@latest, then in Claude Code: azclaude-copilot setup --full",
   "bin": {
     "azclaude": "bin/cli.js",

package/templates/commands/copilot.md

@@ -16,6 +16,26 @@ If `.claude/agents/orchestrator.md` does not exist (fallback — run built-in lo
 
 ---
 
+## Step 0: Intent Check
+
+Check if `.claude/copilot-intent.md` exists:
+```bash
+ls .claude/copilot-intent.md 2>/dev/null && echo "intent=found" || echo "intent=missing"
+```
+
+If `intent=missing`:
+```
+⚠ No copilot-intent.md found.
+
+Run /dream first to define your product? (recommended — provides test strategy, done criteria, deployment target)
+Or continue inferring intent from CLAUDE.md? (faster, less precise for complex projects)
+
+Proceeding without copilot-intent.md — inferring from CLAUDE.md and plan.md.
+```
+Continue to Step 1 either way — do NOT block. Log the absence in goals.md as a note.
+
+---
+
 ## Step 1: Read State
 
 Read these files (skip any that don't exist):

package/templates/commands/evolve.md

@@ -35,7 +35,7 @@ ls .claude/agents/loop-controller.md 2>/dev/null
 **If loop-controller.md exists**: delegate evolution work to it via Agent tool:
 ```
 Run a full evolution cycle: re-derivation check, then Cycle 1 (detect/generate/evaluate),
-Cycle 2 (knowledge consolidation if 3+ sessions), Cycle 3 (topology if friction detected).
+Cycle 2 (knowledge consolidation if 2+ sessions), Cycle 3 (topology if friction detected).
 Show the full cycle report when done.
 ```
 **After loop-controller finishes**: continue to Step 7 (Generate Project-Specific Skills and Agents).

package/templates/commands/sentinel.md

@@ -30,13 +30,8 @@ ls .claude/agents/security-auditor.md 2>/dev/null && echo "agent=found" || echo
 ```
 
 If `agent=found`:
-```
-Spawn security-auditor agent with:
-  Task: Full security scan — all 5 categories, 102 rules
-  Scope: $ARGUMENTS (default: --all)
-  Return: Security Report in standard format
-```
-Display the returned Security Report and **ExitPlanMode**. Done — do not run layers below.
+Read `.claude/agents/security-auditor.md` and execute the full scan inline using the agent's instructions and rule set. This gives the full 102-rule scan without requiring a subprocess.
+Display the Security Report and **ExitPlanMode**. Done — do not run layers below.
 
 If `agent=missing`: continue with manual layers below.
 
@@ -63,7 +58,12 @@ Check if hooks were modified outside of AZCLAUDE.
 
 ```bash
 INTEGRITY="$HOME/.claude/.azclaude-integrity"
-SETTINGS="$HOME/.claude/settings.json"
+# Windows stores settings at %APPDATA%\Claude\settings.json, Unix/Mac at ~/.claude/settings.json
+if [ -n "$APPDATA" ]; then
+  SETTINGS="$APPDATA/Claude/settings.json"
+else
+  SETTINGS="$HOME/.claude/settings.json"
+fi
 [ -f "$INTEGRITY" ] && echo "integrity_file=found" || echo "integrity_file=missing"
 [ -f "$SETTINGS"  ] && echo "settings_file=found"  || echo "settings_file=missing"
 ```
@@ -77,6 +77,8 @@ Compute SHA-256 of the `hooks` key in settings.json and compare.
 - Mismatch → +0 pts — **BLOCK** "Hook integrity mismatch — hooks modified outside AZCLAUDE"
 - Missing integrity file → +15 pts — "No integrity baseline (run `npx azclaude install` to establish one)"
 
+Note: AZCLAUDE registers hooks in `.claude/settings.local.json` (project-level), not `~/.claude/settings.json` (global). The integrity baseline must be computed against `settings.local.json` — comparing against global settings will always produce a hash mismatch (MEDIUM finding).
+
 Check each hook script for dangerous patterns:
 ```bash
 ls .claude/hooks/ 2>/dev/null || ls "$HOME/.claude/hooks/" 2>/dev/null
@@ -95,7 +97,10 @@ For each `.js` / `.sh` hook found, flag:
 Check Claude Code settings for over-permissioned configurations.
 
 ```bash
-cat "$HOME/.claude/settings.json" 2>/dev/null | head -80
+# Windows: %APPDATA%\Claude\settings.json — Unix/Mac: ~/.claude/settings.json
+SETTINGS="${APPDATA:+$APPDATA/Claude/settings.json}"
+SETTINGS="${SETTINGS:-$HOME/.claude/settings.json}"
+cat "$SETTINGS" 2>/dev/null | head -80
 cat .claude/settings.local.json 2>/dev/null
 ```
 
@@ -116,7 +121,10 @@ Score: start at 20, subtract per finding: HIGH −8, MEDIUM −3, LOW −1 (floo
 
 ```bash
 cat .mcp.json 2>/dev/null
-cat "$HOME/.claude/mcp.json" 2>/dev/null
+# Windows: %APPDATA%\Claude\mcp.json — Unix/Mac: ~/.claude/mcp.json
+MCP_GLOBAL="${APPDATA:+$APPDATA/Claude/mcp.json}"
+MCP_GLOBAL="${MCP_GLOBAL:-$HOME/.claude/mcp.json}"
+cat "$MCP_GLOBAL" 2>/dev/null
 ```
 
 For each MCP server entry, check:
@@ -178,6 +186,10 @@ Also scan for:
 - `sk_live_` (Stripe secret), `SG\.` (SendGrid)
 - `-----BEGIN.*PRIVATE KEY` (private keys)
 
+**IMPORTANT — Secret redaction in output:** Never print full secret values in the report.
+Always truncate: show first 8 chars + `...` + last 3 chars. Example: `AIzaSyCM...VNM`.
+The report may be logged, shared, or appear in conversation transcripts.
+
 If `.env` exists: check it is in `.gitignore`:
 ```bash
 grep -q "\.env" .gitignore 2>/dev/null && echo ".env gitignored: yes" || echo ".env gitignored: NO"

package/templates/commands/ship.md

@@ -41,7 +41,7 @@ If problem-architect not installed OR git diff is only docs/config: skip and pro
 ```bash
 ls .claude/agents/security-auditor.md 2>/dev/null && echo "agent=found" || echo "agent=missing"
 ```
-If `agent=found`: spawn `security-auditor` agent. If verdict is `BLOCKED` → STOP.
+If `agent=found`: read `.claude/agents/security-auditor.md` and execute the secrets scan inline using its rules. If verdict is `BLOCKED` → STOP.
 ```
 ✗ Pre-ship blocked: security-auditor found BLOCKED findings. Run /sentinel for details.
 ```

package/templates/hooks/post-tool-use.js

@@ -221,3 +221,26 @@ try { fs.writeFileSync(counterPath, String(editCount)); } catch (_) {}
 if (editCount > 0 && editCount % 15 === 0) {
   process.stdout.write(`\n⚠ ${editCount} edits this session — run /snapshot before context compaction loses your reasoning\n`);
 }
+
+// ── Rapid-edit detection — same file edited 5+ times in <5 min ───────────────
+// Signal: unclear spec before coding. Warn once, suggest /blueprint.
+if (isFileTool && rel) {
+  const rapidPath = path.join(os.tmpdir(), `.azclaude-rapid-${process.ppid || process.pid}`);
+  let rapidLog = {};
+  try { rapidLog = JSON.parse(fs.readFileSync(rapidPath, 'utf8')); } catch (_) {}
+  const fileLog = rapidLog[rel] || { count: 0, firstTs: Date.now(), warned: false };
+  const elapsed = Date.now() - fileLog.firstTs;
+  if (elapsed > 5 * 60 * 1000) {
+    // Reset window
+    rapidLog[rel] = { count: 1, firstTs: Date.now(), warned: false };
+  } else {
+    fileLog.count += 1;
+    if (fileLog.count >= 5 && !fileLog.warned) {
+      fileLog.warned = true;
+      const shortName = path.basename(rel);
+      process.stdout.write(`\n⚠ ${fileLog.count} edits to ${shortName} in ${Math.round(elapsed/60000)}min — unclear spec? Consider /blueprint before continuing\n`);
+    }
+    rapidLog[rel] = fileLog;
+  }
+  try { fs.writeFileSync(rapidPath, JSON.stringify(rapidLog)); } catch (_) {}
+}