chief-clancy 0.2.0-beta.2 → 0.2.0

package/README.md

@@ -2,7 +2,7 @@
 
 **Autonomous, board-driven development for Claude Code.**
 
-[![npm](https://img.shields.io/npm/v/chief-clancy?color=cb3837)](https://www.npmjs.com/package/chief-clancy) [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](./LICENSE) [![Tests](https://img.shields.io/badge/tests-55%20passing-brightgreen)](./test/) [![GitHub Stars](https://img.shields.io/github/stars/Pushedskydiver/clancy?style=flat)](https://github.com/Pushedskydiver/clancy/stargazers)
+[![npm](https://img.shields.io/npm/v/chief-clancy?style=for-the-badge&color=cb3837)](https://www.npmjs.com/package/chief-clancy) [![License: MIT](https://img.shields.io/badge/License-MIT-blue?style=for-the-badge)](./LICENSE) [![Tests](https://img.shields.io/badge/tests-94%20passing-brightgreen?style=for-the-badge)](./test/) [![GitHub Stars](https://img.shields.io/github/stars/Pushedskydiver/clancy?style=for-the-badge)](https://github.com/Pushedskydiver/clancy/stargazers)
 
 ```bash
 npx chief-clancy
@@ -192,7 +192,7 @@ Clancy also merges a section into your `CLAUDE.md` (or creates one) that tells C
 
 ## Optional enhancements
 
-Set during `/clancy:init` advanced setup, or by editing `.clancy/.env` directly.
+Set during `/clancy:init` advanced setup, or by editing `.clancy/.env` directly. Use `/clancy:settings` → "Save as defaults" to save non-credential settings to `~/.clancy/defaults.json` — new projects created with `/clancy:init` will inherit them automatically.
 
 ### Figma MCP
 
@@ -336,6 +336,12 @@ Your board tokens and API keys live in `.clancy/.env`. Although Claude doesn't n
 
 This prevents Claude from reading these files regardless of what commands run. Clancy automatically adds `.clancy/.env` to `.gitignore` during init, but the deny list is an additional layer.
 
+### Credential guard
+
+Clancy installs a `PreToolUse` hook (`clancy-credential-guard.js`) that scans every Write, Edit, and MultiEdit operation for credential patterns — API keys, tokens, passwords, private keys, and connection strings. If a match is found, the operation is blocked with a message telling Claude to move the credential to `.clancy/.env` instead. Files that are expected to contain credentials (`.clancy/.env`, `.env.example`, etc.) are exempt.
+
+This is best-effort — it won't catch every possible credential format, but it prevents the most common accidental leaks.
+
 ### Token scopes
 
 Use the minimum permissions each integration requires:
@@ -418,6 +424,8 @@ lsof -ti:5173 | xargs kill -9   # replace 5173 with your PLAYWRIGHT_DEV_PORT
 
 Or directly: `npx chief-clancy@latest`
 
+The update workflow shows what's changed (changelog diff) and asks for confirmation before overwriting. If you've customised any command or workflow files, they're automatically backed up to `.claude/clancy/local-patches/` before the update — check there to reapply your changes afterwards.
+
 ---
 
 **Uninstalling?**
@@ -426,7 +434,7 @@ Or directly: `npx chief-clancy@latest`
 /clancy:uninstall
 ```
 
-Removes slash commands from your chosen location. Optionally removes `.clancy/` (credentials and docs). Never touches `CLAUDE.md`.
+Removes slash commands from your chosen location. Cleans up the `<!-- clancy:start -->` / `<!-- clancy:end -->` block from `CLAUDE.md` (or deletes it entirely if Clancy created it) and removes the `.clancy/.env` entry from `.gitignore`. Optionally removes `.clancy/` (credentials and docs).
 
 ---
 

package/bin/install.js

@@ -49,6 +49,13 @@ async function choose(question, options, defaultChoice = 1) {
   return raw.trim() || String(defaultChoice);
 }
 
+const crypto = require('crypto');
+
+function fileHash(filePath) {
+  const content = fs.readFileSync(filePath);
+  return crypto.createHash('sha256').digest('hex', content);
+}
+
 function copyDir(src, dest) {
   // Use lstatSync (not statSync) to detect symlinks — statSync follows them and misreports
   if (fs.existsSync(dest)) {
@@ -65,6 +72,73 @@ function copyDir(src, dest) {
   }
 }
 
+/**
+ * Build a manifest of installed files with SHA-256 hashes.
+ * Format: { "relative/path.md": "<sha256>", ... }
+ */
+function buildManifest(baseDir) {
+  const manifest = {};
+  function walk(dir, prefix) {
+    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+      const full = path.join(dir, entry.name);
+      const rel = prefix ? `${prefix}/${entry.name}` : entry.name;
+      if (entry.isDirectory()) {
+        walk(full, rel);
+      } else {
+        const content = fs.readFileSync(full);
+        manifest[rel] = crypto.createHash('sha256').update(content).digest('hex');
+      }
+    }
+  }
+  walk(baseDir, '');
+  return manifest;
+}
+
+/**
+ * Detect files modified by the user since last install by comparing
+ * current file hashes against the stored manifest. Returns array of
+ * { rel, absPath } for modified files.
+ */
+function detectModifiedFiles(baseDir, manifestPath) {
+  if (!fs.existsSync(manifestPath)) return [];
+  let manifest;
+  try {
+    manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
+  } catch { return []; }
+
+  const modified = [];
+  for (const [rel, hash] of Object.entries(manifest)) {
+    const absPath = path.join(baseDir, rel);
+    if (!fs.existsSync(absPath)) continue;
+    const content = fs.readFileSync(absPath);
+    const currentHash = crypto.createHash('sha256').update(content).digest('hex');
+    if (currentHash !== hash) {
+      modified.push({ rel, absPath });
+    }
+  }
+  return modified;
+}
+
+/**
+ * Back up modified files to a patches directory alongside the install.
+ * Returns the backup directory path if any files were backed up.
+ */
+function backupModifiedFiles(modified, patchesDir) {
+  if (modified.length === 0) return null;
+  fs.mkdirSync(patchesDir, { recursive: true });
+  for (const { rel, absPath } of modified) {
+    const backupPath = path.join(patchesDir, rel);
+    fs.mkdirSync(path.dirname(backupPath), { recursive: true });
+    fs.copyFileSync(absPath, backupPath);
+  }
+  // Write metadata so /clancy:update workflow knows what was backed up
+  fs.writeFileSync(
+    path.join(patchesDir, 'backup-meta.json'),
+    JSON.stringify({ backed_up: modified.map(m => m.rel), date: new Date().toISOString() }, null, 2)
+  );
+  return patchesDir;
+}
+
 async function main() {
   console.log('');
   console.log(blue('  ██████╗██╗      █████╗ ███╗   ██╗ ██████╗██╗   ██╗'));
@@ -116,14 +190,42 @@ async function main() {
   console.log(dim(`  Installing to: ${dest}`));
 
   try {
+    // Determine manifest and patches paths (sibling to commands dir)
+    const claudeDir = path.dirname(path.dirname(dest)); // .claude/ (parent of commands/)
+    const manifestPath = path.join(claudeDir, 'clancy', 'manifest.json');
+    const patchesDir = path.join(claudeDir, 'clancy', 'local-patches');
+
     if (fs.existsSync(dest) || fs.existsSync(workflowsDest)) {
       console.log('');
+
+      // Detect user-modified files before overwriting
+      const modified = detectModifiedFiles(dest, manifestPath);
+      const modifiedWorkflows = detectModifiedFiles(workflowsDest, manifestPath.replace('manifest.json', 'workflows-manifest.json'));
+      const allModified = [...modified, ...modifiedWorkflows];
+
+      if (allModified.length > 0) {
+        console.log(blue('  Modified files detected:'));
+        for (const { rel } of allModified) {
+          console.log(`    ${dim('•')} ${rel}`);
+        }
+        console.log('');
+        console.log(dim('  These will be backed up to .claude/clancy/local-patches/'));
+        console.log(dim('  before overwriting. You can reapply them after the update.'));
+        console.log('');
+      }
+
       const overwrite = await ask(blue(`  Commands already exist at ${dest}. Overwrite? [y/N] `));
       if (!overwrite.trim().toLowerCase().startsWith('y')) {
         console.log('\n  Aborted. No files changed.');
         rl.close();
         process.exit(0);
       }
+
+      // Back up modified files before overwriting
+      if (allModified.length > 0) {
+        backupModifiedFiles(allModified, patchesDir);
+        console.log(green(`\n  ✓ ${allModified.length} modified file(s) backed up to local-patches/`));
+      }
     }
 
     copyDir(COMMANDS_SRC, dest);
@@ -150,6 +252,14 @@ async function main() {
     // Write VERSION file so /clancy:doctor and /clancy:update can read the installed version
     fs.writeFileSync(path.join(dest, 'VERSION'), PKG.version);
 
+    // Write manifests so future updates can detect user-modified files
+    fs.mkdirSync(path.dirname(manifestPath), { recursive: true });
+    fs.writeFileSync(manifestPath, JSON.stringify(buildManifest(dest), null, 2));
+    fs.writeFileSync(
+      manifestPath.replace('manifest.json', 'workflows-manifest.json'),
+      JSON.stringify(buildManifest(workflowsDest), null, 2)
+    );
+
     // Install hooks and register them in Claude settings.json
     const claudeConfigDir = dest === GLOBAL_DEST
       ? path.join(homeDir, '.claude')
@@ -161,6 +271,7 @@ async function main() {
       'clancy-check-update.js',
       'clancy-statusline.js',
       'clancy-context-monitor.js',
+      'clancy-credential-guard.js',
     ];
 
     try {
@@ -196,9 +307,11 @@ async function main() {
       const updateScript    = path.join(hooksInstallDir, 'clancy-check-update.js');
       const statuslineScript = path.join(hooksInstallDir, 'clancy-statusline.js');
       const monitorScript   = path.join(hooksInstallDir, 'clancy-context-monitor.js');
+      const guardScript     = path.join(hooksInstallDir, 'clancy-credential-guard.js');
 
       registerHook('SessionStart', `node ${updateScript}`);
       registerHook('PostToolUse',  `node ${monitorScript}`);
+      registerHook('PreToolUse',   `node ${guardScript}`);
 
       // Statusline: registered as top-level key, not inside hooks
       if (!settings.statusLine) {

package/hooks/clancy-credential-guard.js

@@ -0,0 +1,113 @@
+#!/usr/bin/env node
+// Clancy Credential Guard — PreToolUse hook.
+// Scans file content being written or edited for credential patterns
+// (API keys, tokens, passwords, private keys) and blocks the operation
+// if a match is found. Best-effort — never fails the tool call on error.
+
+'use strict';
+
+const CREDENTIAL_PATTERNS = [
+  // Generic API keys and tokens
+  { name: 'Generic API key', pattern: /(?:api[_-]?key|apikey)\s*[:=]\s*["']?[A-Za-z0-9\-_.]{20,}["']?/i },
+  { name: 'Generic secret', pattern: /(?:secret|private[_-]?key)\s*[:=]\s*["']?[A-Za-z0-9\-_.]{20,}["']?/i },
+  { name: 'Generic token', pattern: /(?:auth[_-]?token|access[_-]?token|bearer)\s*[:=]\s*["']?[A-Za-z0-9\-_.]{20,}["']?/i },
+  { name: 'Generic password', pattern: /(?:password|passwd|pwd)\s*[:=]\s*["']?[^\s"']{8,}["']?/i },
+
+  // AWS
+  { name: 'AWS Access Key', pattern: /AKIA[0-9A-Z]{16}/ },
+  { name: 'AWS Secret Key', pattern: /(?:aws_secret_access_key|aws_secret)\s*[:=]\s*["']?[A-Za-z0-9/+=]{40}["']?/i },
+
+  // GitHub
+  { name: 'GitHub PAT (classic)', pattern: /ghp_[A-Za-z0-9]{36}/ },
+  { name: 'GitHub PAT (fine-grained)', pattern: /github_pat_[A-Za-z0-9_]{82}/ },
+  { name: 'GitHub OAuth token', pattern: /gho_[A-Za-z0-9]{36}/ },
+
+  // Slack
+  { name: 'Slack token', pattern: /xox[bpors]-[0-9]{10,}-[A-Za-z0-9-]+/ },
+
+  // Stripe
+  { name: 'Stripe key', pattern: /(?:sk|pk)_(?:live|test)_[A-Za-z0-9]{24,}/ },
+
+  // Private keys
+  { name: 'Private key', pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/ },
+
+  // Jira/Atlassian API tokens (base64-like, 24+ chars after the prefix)
+  { name: 'Atlassian API token', pattern: /(?:jira_api_token|atlassian[_-]?token)\s*[:=]\s*["']?[A-Za-z0-9+/=]{24,}["']?/i },
+
+  // Linear API key
+  { name: 'Linear API key', pattern: /lin_api_[A-Za-z0-9]{40,}/ },
+
+  // Generic connection strings
+  { name: 'Database connection string', pattern: /(?:mongodb|postgres|mysql|redis):\/\/[^\s"']+:[^\s"']+@/i },
+];
+
+// Files that are expected to contain credentials — skip them
+const ALLOWED_PATHS = [
+  '.clancy/.env',
+  '.env.local',
+  '.env.example',
+  '.env.development',
+  '.env.test',
+];
+
+function isAllowedPath(filePath) {
+  if (!filePath) return false;
+  return ALLOWED_PATHS.some(allowed => filePath.endsWith(allowed));
+}
+
+function scanForCredentials(content) {
+  if (!content || typeof content !== 'string') return [];
+  const matches = [];
+  for (const { name, pattern } of CREDENTIAL_PATTERNS) {
+    if (pattern.test(content)) {
+      matches.push(name);
+    }
+  }
+  return matches;
+}
+
+try {
+  const input = JSON.parse(process.argv[2] || '{}');
+  const toolName = input.tool_name || '';
+  const toolInput = input.tool_input || {};
+
+  // Only check file-writing tools
+  if (!['Write', 'Edit', 'MultiEdit'].includes(toolName)) {
+    // Pass through — not a file write
+    console.log(JSON.stringify({ decision: 'approve' }));
+    process.exit(0);
+  }
+
+  const filePath = toolInput.file_path || '';
+
+  // Skip files that are expected to contain credentials
+  if (isAllowedPath(filePath)) {
+    console.log(JSON.stringify({ decision: 'approve' }));
+    process.exit(0);
+  }
+
+  // Collect content to scan based on tool type
+  let contentToScan = '';
+  if (toolName === 'Write') {
+    contentToScan = toolInput.content || '';
+  } else if (toolName === 'Edit') {
+    contentToScan = toolInput.new_string || '';
+  } else if (toolName === 'MultiEdit') {
+    const edits = toolInput.edits || [];
+    contentToScan = edits.map(e => e.new_string || '').join('\n');
+  }
+
+  const found = scanForCredentials(contentToScan);
+
+  if (found.length > 0) {
+    console.log(JSON.stringify({
+      decision: 'block',
+      reason: `Credential guard: blocked writing to ${filePath}. Detected: ${found.join(', ')}. Move credentials to .clancy/.env instead.`,
+    }));
+  } else {
+    console.log(JSON.stringify({ decision: 'approve' }));
+  }
+} catch {
+  // Best-effort — never block on error
+  console.log(JSON.stringify({ decision: 'approve' }));
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "chief-clancy",
-  "version": "0.2.0-beta.2",
+  "version": "0.2.0",
   "description": "Autonomous, board-driven development for Claude Code — scaffolds docs, integrates Kanban boards, runs tickets in a loop.",
   "keywords": [
     "claude",
@@ -34,7 +34,7 @@
     "registry/"
   ],
   "scripts": {
-    "test": "bash test/unit/jira.test.sh && bash test/unit/github.test.sh && bash test/unit/linear.test.sh && bash test/unit/scaffold.test.sh",
+    "test": "bash test/unit/jira.test.sh && bash test/unit/github.test.sh && bash test/unit/linear.test.sh && bash test/unit/scaffold.test.sh && bash test/unit/credential-guard.test.sh",
     "smoke": "bash test/smoke/smoke.sh"
   },
   "engines": {

package/src/workflows/settings.md

@@ -408,9 +408,50 @@ When updating a value:
 
 ---
 
+### Save as global defaults
+
+At the bottom of the settings menu (before Exit), show:
+
+```
+[{N}] Save as defaults   save current settings for all future projects
+```
+
+When selected:
+
+1. Read the current `.clancy/.env` and extract only the non-credential, non-board-specific settings:
+   - `MAX_ITERATIONS`
+   - `CLANCY_MODEL`
+   - `CLANCY_BASE_BRANCH`
+   - `PLAYWRIGHT_ENABLED`
+   - `PLAYWRIGHT_STARTUP_WAIT`
+
+2. Write these to `~/.clancy/defaults.json`:
+   ```json
+   {
+     "MAX_ITERATIONS": "5",
+     "CLANCY_MODEL": "claude-sonnet-4-6",
+     "CLANCY_BASE_BRANCH": "main"
+   }
+   ```
+
+3. Print: `✓ Defaults saved to ~/.clancy/defaults.json — new projects will inherit these settings.`
+
+4. Loop back to the settings menu.
+
+**Never save credentials, board-specific settings (status filter, sprint, label), or webhook URLs to global defaults.**
+
+---
+
+## Step 6 — Load global defaults during init
+
+When `/clancy:init` creates `.clancy/.env`, check if `~/.clancy/defaults.json` exists. If so, pre-populate the `.env` with those values instead of the built-in defaults. The user's answers during init still take priority — defaults are only used for settings that init doesn't ask about (max iterations, model, etc.).
+
+---
+
 ## Notes
 
 - All changes are written to `.clancy/.env` immediately after confirmation
 - Switching boards verifies credentials before making any changes — nothing is written if verification fails
 - `/clancy:init` remains available for a full re-setup (re-scaffolds scripts and docs)
 - This command never restarts any servers or triggers any ticket processing
+- Global defaults (`~/.clancy/defaults.json`) are optional — if the file doesn't exist, built-in defaults are used

package/src/workflows/uninstall.md

@@ -50,14 +50,15 @@ Print: `✓ Clancy commands removed from [location].`
 ### Step 2b — Remove hooks
 
 For each location being removed, delete these hook files if they exist:
-- Project-local: `.claude/hooks/clancy-check-update.js`, `.claude/hooks/clancy-statusline.js`, `.claude/hooks/clancy-context-monitor.js`
-- Global: `~/.claude/hooks/clancy-check-update.js`, `~/.claude/hooks/clancy-statusline.js`, `~/.claude/hooks/clancy-context-monitor.js`
+- Project-local: `.claude/hooks/clancy-check-update.js`, `.claude/hooks/clancy-statusline.js`, `.claude/hooks/clancy-context-monitor.js`, `.claude/hooks/clancy-credential-guard.js`
+- Global: `~/.claude/hooks/clancy-check-update.js`, `~/.claude/hooks/clancy-statusline.js`, `~/.claude/hooks/clancy-context-monitor.js`, `~/.claude/hooks/clancy-credential-guard.js`
 
 Then remove the Clancy hook registrations from the corresponding `settings.json` (`.claude/settings.json` for local, `~/.claude/settings.json` for global):
 - Remove any entry in `hooks.SessionStart` whose `command` contains `clancy-check-update`
 - Remove any entry in `hooks.PostToolUse` whose `command` contains `clancy-context-monitor`
+- Remove any entry in `hooks.PreToolUse` whose `command` contains `clancy-credential-guard`
 - Remove the `statusLine` key if its `command` value contains `clancy-statusline`
-- If removing an entry leaves a `hooks.SessionStart` or `hooks.PostToolUse` array empty, remove the key entirely
+- If removing an entry leaves a `hooks.SessionStart`, `hooks.PostToolUse`, or `hooks.PreToolUse` array empty, remove the key entirely
 
 Also remove the update check cache if it exists: `~/.claude/cache/clancy-update-check.json`
 

package/src/workflows/update.md

@@ -108,6 +108,9 @@ Extract only the entries between the installed version and the latest version. D
 - `.claude/commands/clancy/` will be replaced
 - `.claude/clancy/workflows/` will be replaced
 
+If you've modified any Clancy files directly, they'll be automatically backed up
+to `.claude/clancy/local-patches/` before overwriting.
+
 Your project files are preserved:
 - `.clancy/` project folder (scripts, docs, .env, progress log) ✓
 - `CLAUDE.md` ✓
@@ -167,6 +170,31 @@ View full changelog: github.com/Pushedskydiver/clancy/blob/main/CHANGELOG.md
 
 ---
 
+## Step 6 — Check for local patches
+
+After the update completes, check if the installer backed up any locally modified files:
+
+Check for `.claude/clancy/local-patches/backup-meta.json` (local install) or `~/.claude/clancy/local-patches/backup-meta.json` (global install).
+
+**If patches were found:**
+
+```
+Local patches were backed up before the update.
+Your modified files are in .claude/clancy/local-patches/
+
+To review what changed:
+  Compare each file in local-patches/ against its counterpart in
+  .claude/commands/clancy/ or .claude/clancy/workflows/ and manually
+  reapply any customisations you want to keep.
+
+Backed up files:
+{list from backup-meta.json}
+```
+
+**If no patches:** Continue normally (no message needed).
+
+---
+
 ## Notes
 
 - If the user installed globally, the update applies globally