claude-code-arcane 1.0.0 → 1.0.1

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+## [1.0.1](https://github.com/SebastianLuser/claude-code-arcane/compare/v1.0.0...v1.0.1) (2026-06-05)
+
+
+### Bug Fixes
+
+* add/remove commands now handle full profile assets (rules, agents, statusline, permissions) ([2425ea9](https://github.com/SebastianLuser/claude-code-arcane/commit/2425ea93e3b41cc28d4b7622e6cf1a58dfaa814e))
+
 # 1.0.0 (2026-06-03)
 
 

package/dist/cli.js

@@ -1298,8 +1298,13 @@ async function addCommand(items) {
     );
     process.exit(1);
   }
+  const claudeDir = path10.join(target, ".claude");
   const added = [];
   const skipped = [];
+  const notFound = [];
+  const addedRules = [];
+  const addedAgents = [];
+  let statuslineAdded = false;
   for (const item of items) {
     if (item.startsWith("+")) {
       const profileName = item.slice(1);
@@ -1312,19 +1317,69 @@ async function addCommand(items) {
       for (const skill of profile.skills) {
         const result = addSkill(root, target, skill, manifest.installed_skills);
         if (result === "added") added.push(skill);
+        else if (result === "not-found") notFound.push(skill);
         else skipped.push(skill);
       }
+      for (const rule of profile.rules.universal) {
+        if (!manifest.installed_rules.includes(rule)) {
+          const src = path10.join(root, "rules", `${rule}.md`);
+          if (fs8.existsSync(src)) {
+            ensureDir(path10.join(claudeDir, "rules"));
+            fs8.copyFileSync(src, path10.join(claudeDir, "rules", `${rule}.md`));
+            manifest.installed_rules.push(rule);
+            addedRules.push(rule);
+          }
+        }
+      }
+      for (const rule of profile.rules.gamedev) {
+        if (!manifest.installed_rules.includes(rule)) {
+          const src = path10.join(root, "rules", "gamedev", `${rule}.md`);
+          if (fs8.existsSync(src)) {
+            ensureDir(path10.join(claudeDir, "rules"));
+            fs8.copyFileSync(src, path10.join(claudeDir, "rules", `${rule}.md`));
+            manifest.installed_rules.push(rule);
+            addedRules.push(rule);
+          }
+        }
+      }
+      for (const agentDir of profile.agents) {
+        if (!manifest.installed_agents.includes(agentDir)) {
+          const src = path10.join(root, "agents", agentDir);
+          if (fs8.existsSync(src)) {
+            const dst = path10.join(claudeDir, "agents", agentDir);
+            copyDirSync(src, dst);
+            manifest.installed_agents.push(agentDir);
+            addedAgents.push(agentDir);
+          }
+        }
+      }
+      if (profileName === "statusline") {
+        const statuslineSrc = path10.join(root, "hooks", "statusline.sh");
+        if (fs8.existsSync(statuslineSrc)) {
+          fs8.copyFileSync(statuslineSrc, path10.join(claudeDir, "statusline.sh"));
+          statuslineAdded = true;
+        }
+      }
+      if (profile.permissions.allow.length > 0 || profile.permissions.deny.length > 0) {
+        mergePermissions(claudeDir, profile.permissions);
+      }
       if (!manifest.profiles.includes(profileName)) {
         manifest.profiles.push(profileName);
+        manifest.profile_command = manifest.profiles.filter((p) => p !== "core").join("+");
+      }
+      if (statuslineAdded) {
+        addStatuslineToSettings(claudeDir);
       }
     } else {
       const result = addSkill(root, target, item, manifest.installed_skills);
       if (result === "added") added.push(item);
+      else if (result === "not-found") notFound.push(item);
       else skipped.push(item);
     }
   }
   manifest.installed_skills.push(...added);
   manifest.total_skills = manifest.installed_skills.length;
+  manifest.total_rules = manifest.installed_rules.length;
   const merged = {
     loaded: manifest.profiles,
     skills: manifest.installed_skills,
@@ -1334,23 +1389,51 @@ async function addCommand(items) {
     permissions: { allow: [], deny: [] }
   };
   writeManifest(target, merged, manifest.profile_command, root);
+  const totalAdded = added.length + addedRules.length + addedAgents.length + (statuslineAdded ? 1 : 0);
   console.log(chalk2.bold(`
-Added ${added.length} skills:`));
-  for (const s of added) console.log(chalk2.green(`  [ok] ${s}`));
+Added ${totalAdded} items:`));
+  for (const s of added) console.log(chalk2.green(`  [ok] skill: ${s}`));
+  for (const r of addedRules) console.log(chalk2.green(`  [ok] rule: ${r}`));
+  for (const a of addedAgents) console.log(chalk2.green(`  [ok] agents: ${a}/`));
+  if (statuslineAdded) console.log(chalk2.green("  [ok] statusline.sh"));
   for (const s of skipped)
     console.log(chalk2.dim(`  [skip] ${s} (already installed)`));
+  for (const s of notFound)
+    console.log(chalk2.red(`  [miss] ${s} (not found in source)`));
 }
 function addSkill(root, target, skill, installed) {
   if (installed.includes(skill)) return "skipped";
   const src = path10.join(root, "skills", skill);
-  if (!fs8.existsSync(src)) {
-    console.error(chalk2.red(`  Skill '${skill}' not found in skills/`));
-    return "skipped";
-  }
+  if (!fs8.existsSync(src)) return "not-found";
   const dst = path10.join(target, ".claude", "skills", skill);
   copyDirSync(src, dst);
   return "added";
 }
+function mergePermissions(claudeDir, newPerms) {
+  const settingsPath = path10.join(claudeDir, "settings.json");
+  if (!fs8.existsSync(settingsPath)) return;
+  const settings = readJsonSync(settingsPath);
+  const perms = settings.permissions ?? { allow: [], deny: [] };
+  const allowSet = new Set(perms.allow);
+  for (const a of newPerms.allow) allowSet.add(a);
+  perms.allow = [...allowSet];
+  const denySet = new Set(perms.deny);
+  for (const d of newPerms.deny) denySet.add(d);
+  perms.deny = [...denySet];
+  settings.permissions = perms;
+  writeJsonSync(settingsPath, settings);
+}
+function addStatuslineToSettings(claudeDir) {
+  const settingsPath = path10.join(claudeDir, "settings.json");
+  if (!fs8.existsSync(settingsPath)) return;
+  const settings = readJsonSync(settingsPath);
+  if (settings.statusLine) return;
+  settings.statusLine = {
+    type: "command",
+    command: "bash .claude/statusline.sh"
+  };
+  writeJsonSync(settingsPath, settings);
+}
 
 // src/commands/remove.ts
 import fs9 from "fs";
@@ -1520,10 +1603,26 @@ function removeProfile(root, target, profileName, manifest) {
       (r) => r !== rule
     );
   }
+  if (profileName === "statusline") {
+    const statuslineFile = path11.join(target, ".claude", "statusline.sh");
+    if (fs9.existsSync(statuslineFile)) {
+      fs9.rmSync(statuslineFile);
+    }
+    removeStatuslineFromSettings(path11.join(target, ".claude"));
+  }
   manifest.profiles = remainingProfiles;
   manifest.profile_command = remainingProfiles.filter((p) => p !== "core").join("+");
   return { removed: true, skills: removedSkills, agents: removedAgents };
 }
+function removeStatuslineFromSettings(claudeDir) {
+  const settingsPath = path11.join(claudeDir, "settings.json");
+  if (!fs9.existsSync(settingsPath)) return;
+  const settings = JSON.parse(fs9.readFileSync(settingsPath, "utf-8"));
+  if (settings.statusLine) {
+    delete settings.statusLine;
+    fs9.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + "\n", "utf-8");
+  }
+}
 
 // src/commands/list.ts
 import fs10 from "fs";

package/docs/trusted-publishing-setup.md

@@ -0,0 +1,163 @@
+# Migración a Trusted Publishing (OIDC) — guía futura
+
+> **Estado actual (jun 2026):** el paquete se publica con un **token `NPM_TOKEN`** (Classic Automation, saltea 2FA) cargado como secret en GitHub Actions. Funciona y es estable. Este documento describe cómo migrar a **Trusted Publishing (OIDC)** cuando convenga.
+
+---
+
+## 1. Qué es y por qué migrar
+
+**Trusted Publishing** usa **OpenID Connect (OIDC)**: GitHub Actions se autentica contra npm con una **identidad efímera por run** (un id-token de corta vida), en vez de un token de larga duración guardado como secret.
+
+| | Token (actual) | Trusted Publishing (OIDC) |
+|---|---|---|
+| Secret de larga vida | Sí (`NPM_TOKEN`) | **No** |
+| Expira / hay que rotar | Sí (vence **2026-09-01**) | **No** |
+| Riesgo si se filtra | Alto (válido hasta expirar) | Bajo (token efímero por run) |
+| Provenance / attestations | Manual | **Automático** |
+| Mantenimiento | Rotar token periódicamente | Cero |
+
+**Motivo principal para migrar:** eliminar la rotación del token y el riesgo de que un release falle sin aviso cuando el token expire.
+
+---
+
+## 2. ⚠️ Por qué HOY (jun 2026) no se hizo
+
+El setup actual está varias piezas por debajo de lo que OIDC requiere. **Verificar y resolver estos puntos ANTES de migrar:**
+
+| Requisito OIDC | Estado al jun-2026 | Acción |
+|---|---|---|
+| `@semantic-release/npm` **≥ 13.1.0** (soporte OIDC, oct-2025) | **12.0.2** (bundleado por `semantic-release@24.2.9`) — **no soporta OIDC** | Forzar upgrade del plugin |
+| **npm ≥ 11.5.1** en el CI | Node 22 trae **npm 10.x** | Agregar step que actualice npm |
+| `permissions: id-token: write` en el job | No está | Editar `release.yml` |
+| Trusted publisher configurado en npm | No está | Configurar en la web de npm |
+| Paquete ya existe en npm | ✅ (`claude-code-arcane@1.0.0`) | OK — OIDC **no** permite el *primer* publish, pero ya está hecho |
+
+**Bugs conocidos a revisar antes de migrar** (pueden estar resueltos en versiones nuevas):
+- [semantic-release/npm#1069](https://github.com/semantic-release/npm/issues/1069) — `ENONPMTOKEN` aún pide token en `verifyConditions` (reportado ene-2026).
+- [semantic-release/npm#1023](https://github.com/semantic-release/npm/issues/1023) — falla el primer publish desde maintenance branch.
+
+> Antes de empezar, chequear que estos issues estén cerrados o tengan workaround claro.
+
+---
+
+## 3. Setup paso a paso
+
+### Paso 1 — Actualizar dependencias
+
+Asegurar `@semantic-release/npm` ≥ 13.1.0. Como `semantic-release@24.x` puede seguir bundleando una versión vieja, declararlo como dependencia directa:
+
+```bash
+npm install -D @semantic-release/npm@latest semantic-release@latest
+```
+
+Verificar que quedó ≥ 13.1.0:
+
+```bash
+npm ls @semantic-release/npm
+```
+
+### Paso 2 — Editar `.github/workflows/release.yml`
+
+Dos cambios: **(a)** agregar el permiso `id-token: write`, **(b)** actualizar npm a ≥ 11.5.1 antes del release.
+
+```yaml
+name: Release
+
+on:
+  push:
+    branches: [main]
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+  id-token: write          # ← NUEVO: habilita OIDC
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: 'npm'
+      - run: npm install -g npm@latest   # ← NUEVO: npm >= 11.5.1 para OIDC
+      - run: npm ci
+      - run: npm run build
+      - run: npm test
+      - name: Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # NPM_TOKEN ya NO es necesario una vez que OIDC funcione.
+          # Dejarlo como fallback durante la transición; quitarlo al confirmar.
+        run: npx semantic-release
+```
+
+> **Importante:** durante la transición, **no borrar** el secret `NPM_TOKEN` todavía. Token y OIDC pueden coexistir; el token queda como red de seguridad.
+
+### Paso 3 — Configurar el Trusted Publisher en npm
+
+1. Ir a [npmjs.com](https://www.npmjs.com) → paquete **claude-code-arcane** → **Settings**.
+2. Sección **Trusted Publishers** (o *Publishing access*).
+3. **Add trusted publisher** → GitHub Actions:
+   - **Organization / user:** `SebastianLuser`
+   - **Repository:** `claude-code-arcane`
+   - **Workflow filename:** `release.yml`
+   - **Environment:** (dejar vacío salvo que el job use un `environment:`)
+4. Guardar.
+
+### Paso 4 — Release de prueba (additive, sin riesgo)
+
+Con el token todavía presente como fallback:
+
+```bash
+git commit --allow-empty -m "fix: test trusted publishing via OIDC"
+git push origin main
+```
+
+Revisar el log del step **Release** en Actions:
+- ✅ Si publica vía OIDC (suele loguear `provenance` / autenticación OIDC) → migración OK.
+- ❌ Si falla pidiendo token (`ENONPMTOKEN`) → el soporte aún tiene asperezas; **revertir** y seguir con token.
+
+### Paso 5 — Quitar el token (solo si el Paso 4 fue verde)
+
+1. En GitHub → Settings → Secrets → borrar `NPM_TOKEN`.
+2. En npm → Access Tokens → borrar el token de automatización.
+3. Commit confirmando que ya no se usa el token.
+
+---
+
+## 4. Rollback
+
+Si algo falla después de migrar:
+
+1. Recargar el secret `NPM_TOKEN` (regenerar token Classic Automation en npm).
+2. Revertir los cambios del `release.yml` (`git revert` del commit de migración).
+3. El release vuelve a funcionar con token como antes.
+
+---
+
+## 5. Checklist rápido
+
+- [ ] `@semantic-release/npm` ≥ 13.1.0 instalado y verificado
+- [ ] Issues #1069 / #1023 cerrados o con workaround
+- [ ] `id-token: write` agregado al workflow
+- [ ] Step `npm install -g npm@latest` agregado
+- [ ] Trusted publisher configurado en npm (repo + `release.yml`)
+- [ ] Release de prueba publicó vía OIDC (con token aún presente)
+- [ ] Token `NPM_TOKEN` eliminado de GitHub y npm
+- [ ] Documentado el cambio en CHANGELOG / README
+
+---
+
+## Referencias
+
+- [npm trusted publishing GA — GitHub Changelog](https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/)
+- [Trusted publishing for npm packages — npm Docs](https://docs.npmjs.com/trusted-publishers/)
+- [@semantic-release/npm releases (v13.1.0 = soporte OIDC)](https://github.com/semantic-release/npm/releases)
+- [Issue #1069 — ENONPMTOKEN con OIDC](https://github.com/semantic-release/npm/issues/1069)
+- [Issue #1023 — primer publish desde maintenance branch](https://github.com/semantic-release/npm/issues/1023)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-code-arcane",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "Skills, agents, hooks and rules for Claude Code — installable via npx arcane",
   "type": "module",
   "bin": {