ccsetup 1.2.0 → 1.2.1

package/lib/templates/README.md

@@ -1,6 +1,6 @@
 # Template Catalog System
 
-The template catalog system provides a powerful foundation for browsing, filtering, and selecting from ccsetup's collection of 50+ agent templates. This system implements Phase 1 of the template selection feature as outlined in PLAN-009.
+The template catalog system provides a powerful foundation for browsing, filtering, and selecting from ccsetup's collection of 8 core agent templates. This system implements Phase 1 of the template selection feature as outlined in PLAN-009.
 
 ## Overview
 
@@ -25,7 +25,7 @@ The template catalog system consists of:
 - Caching for performance
 
 ### Generated Metadata (`metadata/agents.json`)
-- Contains metadata for all 52 agents
+- Contains metadata for all 8 agents
 - Organized by categories: Development, Backend, Planning, AI/ML, etc.
 - Includes tags, tools, examples, and workflows for each agent
 

package/lib/templates/metadata/agents.json

@@ -408,6 +408,6 @@
   "stats": {
     "totalAgents": 8,
     "categories": 2,
-    "lastUpdated": "2026-03-26T17:07:49.795Z"
+    "lastUpdated": "2026-03-26T16:28:36.979Z"
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ccsetup",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "description": "Interactive setup for Claude Code projects with smart context scanning, merge strategies, 8 core agents, and orchestration workflows",
   "bin": {
     "ccsetup": "bin/create-project.js"
@@ -45,7 +45,8 @@
     "jest": "^30.0.5"
   },
   "scripts": {
-    "test": "jest",
+    "test": "jest --testPathIgnorePatterns integration",
+    "test:integration": "jest --testPathPatterns integration",
     "test:watch": "jest --watch",
     "test:coverage": "jest --coverage",
     "metadata:generate": "node scripts/generate-metadata.js",

package/template/.claude/settings.json

@@ -1,4 +1,10 @@
 {
+  "permissions": {
+    "allow": [
+      "Bash(osv-scanner scan:*)",
+      "Bash(osv-scanner:*)"
+    ]
+  },
   "hooks": {
     "UserPromptSubmit": [
       {
@@ -10,6 +16,17 @@
           }
         ]
       }
+    ],
+    "Stop": [
+      {
+        "matcher": ".*",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node $CLAUDE_PROJECT_DIR/.claude/hooks/codex-review/index.js"
+          }
+        ]
+      }
     ]
   }
-}
+}

package/template/.claude/skills/codex-review/SKILL.md

@@ -0,0 +1,139 @@
+---
+name: codex-review
+description: "Get a second-opinion review from Codex CLI. Auto-detects: plan review, implementation review (plan + code changes), or code review (just changes). Runs up to 3 feedback iterations. Triggers on: codex review, second opinion, review this plan, review my code, review implementation, validate changes, codex feedback, code review."
+---
+
+# Codex Review — Plan, Implementation, and Code Review
+
+Get a review from OpenAI's Codex CLI. The script auto-detects what to review based on context:
+
+- **Plan review** — when a plan file is provided and no git changes exist
+- **Implementation review** — when a plan file is provided and git changes exist (validates code against the plan)
+- **Code review** — when no plan file is provided but git changes exist
+
+Iterates up to 3 times, refining based on feedback.
+
+---
+
+## The Job
+
+1. Determine what to review based on user intent and context
+2. Find a plan file if needed (or skip for pure code review)
+3. Call the review script
+4. Present feedback, iterate up to 3 times
+
+**Important:** This skill requires the `codex` CLI to be installed (`npm install -g @openai/codex`) and an OpenAI API key configured.
+
+---
+
+## Step 1: Determine Review Type
+
+Based on user intent:
+- User says "review this plan", "second opinion" → find the plan file, pass it to the script
+- User says "review my implementation", "validate changes", "does this match the plan" → **find the plan file and pass it to the script** (the script auto-includes git diff when changes exist, producing an implementation review)
+- User says "review my code", "code review" → no plan file needed, run the script with no arguments
+
+**Important:** For implementation reviews, you MUST pass the plan file path as an argument. The script uses it to compare the plan against the git diff. Without the plan file, you get a standalone code review instead.
+
+If ambiguous, check:
+1. Is there a recent plan file in `plans/` or `*plan*.md`?
+2. Are there git changes (`git diff HEAD`)?
+3. If a plan file exists and git changes exist, pass the plan file — the script auto-detects implementation review mode
+4. If unsure, ask the user
+
+---
+
+## Step 2: Find the Plan (if needed)
+
+Skip this step for pure code reviews (no plan context).
+
+If the user provides a path argument, use that file.
+
+Otherwise, find the most recently modified plan file:
+1. Use Glob to search for `plans/**/*.md` and `*plan*.md`
+2. Sort by modification time (most recent first)
+3. Use the most recent file
+
+If no plan file is found and one is needed, ask the user which file to review.
+
+---
+
+## Step 3: Review Loop (max 3 iterations)
+
+For each iteration:
+
+### 3a. Get Review
+
+Run the review script using the Bash tool:
+
+```bash
+# With a plan file (plan review or implementation review — auto-detected)
+bash scripts/codex-review/codex-review.sh <plan-file-path>
+
+# Without a plan file (code review of git changes)
+bash scripts/codex-review/codex-review.sh
+
+# Override model
+bash scripts/codex-review/codex-review.sh [plan-file] --model o3-mini
+```
+
+### 3b. Present Feedback
+
+Show the user the review output with an iteration counter:
+
+```
+## Codex Review (Iteration 1/3)
+
+[review output]
+
+---
+Would you like me to update the [plan/code] based on this feedback and run another review?
+```
+
+### 3c. Apply Changes
+
+If the user wants to continue:
+
+**For plan reviews:** Edit the plan file based on feedback, then re-review.
+
+**For implementation/code reviews:** Fix the code based on feedback, then re-review (the git diff changes between iterations as code is updated).
+
+If the user is satisfied, stop iterating.
+
+---
+
+## Step 4: Final Summary
+
+After all iterations (or when the user stops):
+
+```
+## Review Complete (N/3 iterations)
+
+### Changes Made
+- [bullet list of improvements applied]
+
+### Remaining Suggestions (not applied)
+- [any suggestions the user chose to skip]
+```
+
+---
+
+## Error Handling
+
+Handle script exit codes:
+- **Exit 1** — codex CLI not installed: "Install Codex CLI with `npm install -g @openai/codex`"
+- **Exit 1** — nothing to review: "No plan file or git changes found. Provide a plan file or make some code changes first."
+- **Exit 2** — Auth error: "Check your OpenAI API key configuration"
+- **Exit 3** — Timeout: "Review timed out. Try a shorter plan or run again"
+
+---
+
+## Checklist
+
+Before running:
+- [ ] If reviewing a plan: plan file exists and has content
+- [ ] If reviewing code: there are git changes to review
+- [ ] `codex` CLI is available (the script checks this)
+- [ ] Present iteration count clearly (1/3, 2/3, 3/3)
+- [ ] After each iteration, ask user before continuing
+- [ ] Stop after 3 iterations or user satisfaction

package/template/.claude/skills/secops/SKILL.md

@@ -0,0 +1,259 @@
+
+---
+name: secops
+description: >-
+  Scan dependencies for vulnerabilities using OSV Scanner before installing any packages.
+  Use when installing, updating, or auditing dependencies with pip, npm, cargo, go get,
+  gem, composer, nuget, or maven.
+---
+
+## 🔒 CRITICAL SECURITY - OSV-Scanner Requirement
+
+**MANDATORY SECOPS POLICY**: All dependency installations MUST be scanned with `osv-scanner` BEFORE installation. This is a non-negotiable security requirement.
+
+### Security Workflow - ALWAYS Follow This Order
+
+**BEFORE installing ANY dependencies:**
+
+1. **Query the OSV API to check the package before installing:**
+
+   ```bash
+   curl -s -X POST "https://api.osv.dev/v1/query" \
+     -H "Content-Type: application/json" \
+     -d '{"package": {"name": "PACKAGE_NAME", "ecosystem": "ECOSYSTEM"}, "version": "VERSION"}'
+   ```
+
+   | Package Manager | Ecosystem |
+   |---|---|
+   | pip | `PyPI` |
+   | npm/yarn/pnpm | `npm` |
+   | cargo | `crates.io` |
+   | go get | `Go` |
+   | gem | `RubyGems` |
+   | composer | `Packagist` |
+   | nuget | `NuGet` |
+   | maven | `Maven` |
+
+   - Empty `{}` = no known vulnerabilities → proceed
+   - Response contains `vulns` = **STOP**. Report to user, suggest safe version.
+
+2. **Prepare the lockfile for scanning:**
+
+   ```bash
+   # If only pyproject.toml exists, generate requirements.txt first
+   # (osv-scanner works best with concrete dependency lists)
+
+   # Check if requirements.txt exists
+   ls requirements.txt 2>/dev/null || echo "No requirements.txt found"
+
+   # If no requirements.txt, generate from pyproject.toml
+   uv pip compile pyproject.toml -o requirements.txt
+
+   # OR use uv to generate lock file
+   uv lock
+   ```
+
+3. **Scan the lockfile:**
+
+   ```bash
+   osv-scanner scan -r .
+
+   # Or specific lockfile:
+   osv-scanner scan -L requirements.txt
+   osv-scanner scan -L package-lock.json
+   osv-scanner scan -L Cargo.lock
+   osv-scanner scan -L go.sum
+   ```
+
+   | Language | Lockfiles |
+   |---|---|
+   | Python | `requirements.txt`, `Pipfile.lock`, `poetry.lock`, `uv.lock` |
+   | JavaScript | `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml` |
+   | Rust | `Cargo.lock` |
+   | Go | `go.mod`, `go.sum` |
+   | Ruby | `Gemfile.lock` |
+   | PHP | `composer.lock` |
+   | .NET | `packages.lock.json` |
+
+4. **Review the scan results:**
+
+   - ❌ **If vulnerabilities are found:** STOP - Do NOT install. Report findings to the user and discuss mitigation options.
+   - ✅ **If scan is clean:** Proceed with installation.
+
+5. **Only after clean scan, install dependencies:**
+
+   ```bash
+   # Python with uv (this project's standard)
+   uv sync
+   uv pip install <package>
+
+   # Node.js
+   npm install
+   ```
+
+6. **After installation, scan the entire project:**
+
+   ```bash
+   # Scan all dependencies recursively
+   osv-scanner scan -r .
+
+   # Scan with specific config
+   osv-scanner scan --config osv-scanner.toml .
+   ```
+
+### Generating Requirements Files
+
+If a project only has `pyproject.toml` and you need to scan dependencies:
+
+```bash
+# Generate requirements.txt from pyproject.toml
+uv pip compile pyproject.toml -o requirements.txt
+
+# OR generate detailed lock file
+uv lock
+
+# Then scan the generated file
+osv-scanner scan -L requirements.txt
+# OR
+osv-scanner scan -L uv.lock
+```
+
+**Why generate requirements.txt?**
+
+- OSV-Scanner provides better results with concrete dependency lists
+- requirements.txt includes resolved transitive dependencies
+- Lock files (uv.lock) capture exact versions for reproducible scans
+
+### Examples
+
+#### ❌ WRONG - Installing without scanning:
+
+```bash
+# This is FORBIDDEN - no security scan!
+uv pip install requests
+```
+
+#### ✅ CORRECT - Full security workflow:
+
+```bash
+# Step 1: Query OSV API
+curl -s -X POST "https://api.osv.dev/v1/query" \
+  -H "Content-Type: application/json" \
+  -d '{"package": {"name": "requests", "ecosystem": "PyPI"}, "version": "2.28.0"}'
+
+# Step 2: Ensure requirements.txt exists
+if [ ! -f requirements.txt ]; then
+  uv pip compile pyproject.toml -o requirements.txt
+fi
+
+# Step 3: Scan before installation
+osv-scanner scan -L requirements.txt
+
+# Step 4: If clean, proceed with installation
+uv sync
+
+# Step 5: Scan again after installation
+osv-scanner scan -r .
+```
+
+#### ✅ CORRECT - Adding a new package:
+
+```bash
+# Step 1: Add to pyproject.toml manually or:
+# uv add <package> (this also installs - use with caution)
+
+# Step 2: Generate/update requirements.txt
+uv pip compile pyproject.toml -o requirements.txt
+
+# Step 3: Scan the updated dependencies
+osv-scanner scan -L requirements.txt
+
+# Step 4: If vulnerabilities found, STOP and report
+# Step 5: If clean, proceed with sync
+uv sync
+
+# Step 6: Final scan
+osv-scanner scan -r .
+```
+
+### When to Scan
+
+Run `osv-scanner` in these situations:
+
+- ✅ Before installing ANY new package
+- ✅ Before updating existing packages
+- ✅ Before accepting dependency changes from others
+- ✅ Periodically on the entire project (weekly recommended)
+- ✅ Before deploying to production
+- ✅ When investigating security concerns
+
+### Critical Rules
+
+1. **NEVER bypass osv-scanner** - This is a security requirement, not a suggestion
+2. **NEVER install packages without scanning first** - No exceptions
+3. **NEVER ignore osv-scanner warnings** - Always report vulnerabilities to the user
+4. **ALWAYS rescan after installation** - Verify the installed state is secure
+5. **ALWAYS generate requirements.txt if missing** - Needed for accurate vulnerability scanning
+
+### Reporting Format
+
+When vulnerabilities are found, present them clearly and block installation:
+
+```
+⚠️ Found 2 vulnerabilities — installation blocked pending review:
+
+CRITICAL: lodash@4.17.20
+  - GHSA-35jh-r3h4-6jhm: Prototype Pollution
+  - Fix: upgrade to 4.17.21
+
+HIGH: axios@0.21.1
+  - CVE-2021-3749: SSRF
+  - Fix: upgrade to 0.21.2
+
+Upgrade affected packages?
+```
+
+### Ignoring Vulnerabilities
+
+Only with explicit user approval. Add to `osv-scanner.toml`:
+
+```toml
+[[PackageOverrides]]
+name = "package-name"
+ecosystem = "PyPI"
+ignore = true
+reason = "Not exploitable — build tooling only"
+```
+
+### OSV-Scanner Options
+
+```bash
+# Basic scan
+osv-scanner scan -L <lockfile>
+
+# Recursive scan (entire project)
+osv-scanner scan -r .
+
+# JSON output for automation
+osv-scanner scan -r . --format json
+
+# Scan with config
+osv-scanner scan --config osv-scanner.toml .
+```
+
+### Pre-configured Permissions
+
+This project has osv-scanner permissions pre-configured in `.claude/settings.json`:
+
+```json
+{
+  "permissions": {
+    "allow": [
+      "Bash(osv-scanner scan:*)",
+      "Bash(osv-scanner:*)"
+    ]
+  }
+}
+```
+
+**You have permission to run osv-scanner commands without asking. Use this permission proactively.**

package/template/.codex/skills/codex-review/SKILL.md

@@ -0,0 +1,139 @@
+---
+name: codex-review
+description: "Get a second-opinion review from Codex CLI. Auto-detects: plan review, implementation review (plan + code changes), or code review (just changes). Runs up to 3 feedback iterations. Triggers on: codex review, second opinion, review this plan, review my code, review implementation, validate changes, codex feedback, code review."
+---
+
+# Codex Review — Plan, Implementation, and Code Review
+
+Get a review from OpenAI's Codex CLI. The script auto-detects what to review based on context:
+
+- **Plan review** — when a plan file is provided and no git changes exist
+- **Implementation review** — when a plan file is provided and git changes exist (validates code against the plan)
+- **Code review** — when no plan file is provided but git changes exist
+
+Iterates up to 3 times, refining based on feedback.
+
+---
+
+## The Job
+
+1. Determine what to review based on user intent and context
+2. Find a plan file if needed (or skip for pure code review)
+3. Call the review script
+4. Present feedback, iterate up to 3 times
+
+**Important:** This skill requires the `codex` CLI to be installed (`npm install -g @openai/codex`) and an OpenAI API key configured.
+
+---
+
+## Step 1: Determine Review Type
+
+Based on user intent:
+- User says "review this plan", "second opinion" → find the plan file, pass it to the script
+- User says "review my implementation", "validate changes", "does this match the plan" → **find the plan file and pass it to the script** (the script auto-includes git diff when changes exist, producing an implementation review)
+- User says "review my code", "code review" → no plan file needed, run the script with no arguments
+
+**Important:** For implementation reviews, you MUST pass the plan file path as an argument. The script uses it to compare the plan against the git diff. Without the plan file, you get a standalone code review instead.
+
+If ambiguous, check:
+1. Is there a recent plan file in `plans/` or `*plan*.md`?
+2. Are there git changes (`git diff HEAD`)?
+3. If a plan file exists and git changes exist, pass the plan file — the script auto-detects implementation review mode
+4. If unsure, ask the user
+
+---
+
+## Step 2: Find the Plan (if needed)
+
+Skip this step for pure code reviews (no plan context).
+
+If the user provides a path argument, use that file.
+
+Otherwise, find the most recently modified plan file:
+1. Use Glob to search for `plans/**/*.md` and `*plan*.md`
+2. Sort by modification time (most recent first)
+3. Use the most recent file
+
+If no plan file is found and one is needed, ask the user which file to review.
+
+---
+
+## Step 3: Review Loop (max 3 iterations)
+
+For each iteration:
+
+### 3a. Get Review
+
+Run the review script using the Bash tool:
+
+```bash
+# With a plan file (plan review or implementation review — auto-detected)
+bash scripts/codex-review/codex-review.sh <plan-file-path>
+
+# Without a plan file (code review of git changes)
+bash scripts/codex-review/codex-review.sh
+
+# Override model
+bash scripts/codex-review/codex-review.sh [plan-file] --model o3-mini
+```
+
+### 3b. Present Feedback
+
+Show the user the review output with an iteration counter:
+
+```
+## Codex Review (Iteration 1/3)
+
+[review output]
+
+---
+Would you like me to update the [plan/code] based on this feedback and run another review?
+```
+
+### 3c. Apply Changes
+
+If the user wants to continue:
+
+**For plan reviews:** Edit the plan file based on feedback, then re-review.
+
+**For implementation/code reviews:** Fix the code based on feedback, then re-review (the git diff changes between iterations as code is updated).
+
+If the user is satisfied, stop iterating.
+
+---
+
+## Step 4: Final Summary
+
+After all iterations (or when the user stops):
+
+```
+## Review Complete (N/3 iterations)
+
+### Changes Made
+- [bullet list of improvements applied]
+
+### Remaining Suggestions (not applied)
+- [any suggestions the user chose to skip]
+```
+
+---
+
+## Error Handling
+
+Handle script exit codes:
+- **Exit 1** — codex CLI not installed: "Install Codex CLI with `npm install -g @openai/codex`"
+- **Exit 1** — nothing to review: "No plan file or git changes found. Provide a plan file or make some code changes first."
+- **Exit 2** — Auth error: "Check your OpenAI API key configuration"
+- **Exit 3** — Timeout: "Review timed out. Try a shorter plan or run again"
+
+---
+
+## Checklist
+
+Before running:
+- [ ] If reviewing a plan: plan file exists and has content
+- [ ] If reviewing code: there are git changes to review
+- [ ] `codex` CLI is available (the script checks this)
+- [ ] Present iteration count clearly (1/3, 2/3, 3/3)
+- [ ] After each iteration, ask user before continuing
+- [ ] Stop after 3 iterations or user satisfaction