claude-code-pilot 2.0.0 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (455) hide show
  1. package/bin/install.js +267 -250
  2. package/manifest.json +5 -18
  3. package/package.json +5 -7
  4. package/src/agents/build-error-resolver.md +114 -0
  5. package/src/agents/ccp-advisor-researcher.md +104 -0
  6. package/src/agents/ccp-assumptions-analyzer.md +105 -0
  7. package/{gsd/agents/gsd-codebase-mapper.md → src/agents/ccp-codebase-mapper.md} +7 -7
  8. package/{gsd/agents/gsd-debugger.md → src/agents/ccp-debugger.md} +125 -8
  9. package/{gsd/agents/gsd-executor.md → src/agents/ccp-executor.md} +31 -20
  10. package/{gsd/agents/gsd-integration-checker.md → src/agents/ccp-integration-checker.md} +2 -2
  11. package/{gsd/agents/gsd-nyquist-auditor.md → src/agents/ccp-nyquist-auditor.md} +3 -3
  12. package/{gsd/agents/gsd-phase-researcher.md → src/agents/ccp-phase-researcher.md} +127 -13
  13. package/{gsd/agents/gsd-plan-checker.md → src/agents/ccp-plan-checker.md} +57 -21
  14. package/{gsd/agents/gsd-planner.md → src/agents/ccp-planner.md} +61 -23
  15. package/{gsd/agents/gsd-project-researcher.md → src/agents/ccp-project-researcher.md} +33 -6
  16. package/{gsd/agents/gsd-research-synthesizer.md → src/agents/ccp-research-synthesizer.md} +11 -11
  17. package/{gsd/agents/gsd-roadmapper.md → src/agents/ccp-roadmapper.md} +39 -10
  18. package/src/agents/ccp-ui-auditor.md +439 -0
  19. package/src/agents/ccp-ui-checker.md +300 -0
  20. package/src/agents/ccp-ui-researcher.md +357 -0
  21. package/{gsd/agents/gsd-verifier.md → src/agents/ccp-verifier.md} +81 -15
  22. package/src/agents/cpp-build-resolver.md +90 -0
  23. package/src/agents/cpp-reviewer.md +72 -0
  24. package/src/agents/database-reviewer.md +91 -0
  25. package/src/agents/docs-lookup.md +68 -0
  26. package/src/agents/flutter-reviewer.md +243 -0
  27. package/src/agents/go-build-resolver.md +94 -0
  28. package/src/agents/go-reviewer.md +76 -0
  29. package/src/agents/java-build-resolver.md +153 -0
  30. package/src/agents/java-reviewer.md +92 -0
  31. package/src/agents/kotlin-build-resolver.md +118 -0
  32. package/src/agents/kotlin-reviewer.md +159 -0
  33. package/src/agents/planner.md +212 -0
  34. package/src/agents/python-reviewer.md +98 -0
  35. package/src/agents/pytorch-build-resolver.md +120 -0
  36. package/src/agents/refactor-cleaner.md +85 -0
  37. package/src/agents/rust-build-resolver.md +148 -0
  38. package/src/agents/rust-reviewer.md +94 -0
  39. package/src/agents/typescript-reviewer.md +112 -0
  40. package/src/available-rules/README.md +80 -0
  41. package/src/available-rules/cpp/coding-style.md +44 -0
  42. package/src/available-rules/cpp/hooks.md +39 -0
  43. package/src/available-rules/cpp/patterns.md +51 -0
  44. package/src/available-rules/cpp/security.md +51 -0
  45. package/src/available-rules/cpp/testing.md +44 -0
  46. package/src/available-rules/csharp/coding-style.md +72 -0
  47. package/src/available-rules/csharp/hooks.md +25 -0
  48. package/src/available-rules/csharp/patterns.md +50 -0
  49. package/src/available-rules/csharp/security.md +58 -0
  50. package/src/available-rules/csharp/testing.md +46 -0
  51. package/src/available-rules/java/coding-style.md +114 -0
  52. package/src/available-rules/java/hooks.md +18 -0
  53. package/src/available-rules/java/patterns.md +146 -0
  54. package/src/available-rules/java/security.md +100 -0
  55. package/src/available-rules/java/testing.md +131 -0
  56. package/src/available-rules/kotlin/hooks.md +17 -0
  57. package/src/available-rules/rust/coding-style.md +151 -0
  58. package/src/available-rules/rust/hooks.md +16 -0
  59. package/src/available-rules/rust/patterns.md +168 -0
  60. package/src/available-rules/rust/security.md +141 -0
  61. package/src/available-rules/rust/testing.md +154 -0
  62. package/src/commands/aside.md +164 -0
  63. package/src/commands/build-fix.md +62 -0
  64. package/src/commands/ccp/add-backlog.md +76 -0
  65. package/{gsd/commands-gsd → src/commands/ccp}/add-phase.md +3 -3
  66. package/{gsd/commands-gsd → src/commands/ccp}/add-tests.md +5 -5
  67. package/{gsd/commands-gsd → src/commands/ccp}/add-todo.md +4 -4
  68. package/{gsd/commands-gsd → src/commands/ccp}/audit-milestone.md +3 -3
  69. package/src/commands/ccp/audit-uat.md +24 -0
  70. package/src/commands/ccp/autonomous.md +41 -0
  71. package/{gsd/commands-gsd → src/commands/ccp}/check-todos.md +3 -3
  72. package/{gsd/commands-gsd → src/commands/ccp}/cleanup.md +3 -3
  73. package/{gsd/commands-gsd → src/commands/ccp}/complete-milestone.md +9 -9
  74. package/{gsd/commands-gsd → src/commands/ccp}/debug.md +14 -9
  75. package/src/commands/ccp/discuss-phase.md +64 -0
  76. package/src/commands/ccp/do.md +30 -0
  77. package/src/commands/ccp/execute-phase.md +59 -0
  78. package/src/commands/ccp/fast.md +30 -0
  79. package/src/commands/ccp/forensics.md +56 -0
  80. package/{gsd/commands-gsd → src/commands/ccp}/health.md +3 -3
  81. package/{gsd/commands-gsd → src/commands/ccp}/help.md +5 -5
  82. package/{gsd/commands-gsd → src/commands/ccp}/insert-phase.md +3 -3
  83. package/{gsd/commands-gsd → src/commands/ccp}/list-phase-assumptions.md +2 -2
  84. package/src/commands/ccp/manager.md +39 -0
  85. package/{gsd/commands-gsd → src/commands/ccp}/map-codebase.md +7 -7
  86. package/src/commands/ccp/milestone-summary.md +51 -0
  87. package/{gsd/commands-gsd → src/commands/ccp}/new-milestone.md +8 -8
  88. package/{gsd/commands-gsd → src/commands/ccp}/new-project.md +8 -8
  89. package/src/commands/ccp/next.md +24 -0
  90. package/src/commands/ccp/note.md +34 -0
  91. package/{gsd/commands-gsd → src/commands/ccp}/pause-work.md +3 -3
  92. package/{gsd/commands-gsd → src/commands/ccp}/plan-milestone-gaps.md +5 -5
  93. package/{gsd/commands-gsd → src/commands/ccp}/plan-phase.md +9 -7
  94. package/src/commands/ccp/plant-seed.md +28 -0
  95. package/src/commands/ccp/pr-branch.md +25 -0
  96. package/{gsd/commands-gsd → src/commands/ccp}/progress.md +3 -3
  97. package/{gsd/commands-gsd → src/commands/ccp}/quick.md +10 -8
  98. package/{gsd/commands-gsd → src/commands/ccp}/remove-phase.md +3 -3
  99. package/{gsd/commands-gsd → src/commands/ccp}/research-phase.md +17 -12
  100. package/{gsd/commands-gsd → src/commands/ccp}/resume-work.md +3 -3
  101. package/src/commands/ccp/review-backlog.md +61 -0
  102. package/src/commands/ccp/session-report.md +19 -0
  103. package/src/commands/ccp/set-profile.md +12 -0
  104. package/{gsd/commands-gsd → src/commands/ccp}/settings.md +5 -5
  105. package/src/commands/ccp/ship.md +23 -0
  106. package/src/commands/ccp/stats.md +18 -0
  107. package/src/commands/ccp/thread.md +127 -0
  108. package/src/commands/ccp/ui-phase.md +34 -0
  109. package/src/commands/ccp/ui-review.md +32 -0
  110. package/{gsd/commands-gsd → src/commands/ccp}/update.md +5 -5
  111. package/{gsd/commands-gsd → src/commands/ccp}/validate-phase.md +3 -3
  112. package/{gsd/commands-gsd → src/commands/ccp}/verify-work.md +5 -5
  113. package/src/commands/code-review.md +40 -0
  114. package/src/commands/context-budget.md +29 -0
  115. package/src/commands/cpp-build.md +173 -0
  116. package/src/commands/cpp-review.md +132 -0
  117. package/src/commands/cpp-test.md +251 -0
  118. package/src/commands/docs.md +31 -0
  119. package/src/commands/e2e.md +364 -0
  120. package/src/commands/eval.md +120 -0
  121. package/{ecc → src}/commands/evolve.md +2 -2
  122. package/src/commands/go-build.md +183 -0
  123. package/src/commands/go-review.md +148 -0
  124. package/src/commands/go-test.md +268 -0
  125. package/src/commands/gradle-build.md +70 -0
  126. package/src/commands/harness-audit.md +71 -0
  127. package/src/commands/kotlin-build.md +174 -0
  128. package/src/commands/kotlin-review.md +140 -0
  129. package/src/commands/kotlin-test.md +312 -0
  130. package/src/commands/orchestrate.md +231 -0
  131. package/src/commands/plan.md +114 -0
  132. package/src/commands/prompt-optimize.md +38 -0
  133. package/src/commands/prune.md +25 -0
  134. package/src/commands/python-review.md +297 -0
  135. package/{ecc → src}/commands/quality-gate.md +1 -1
  136. package/src/commands/refactor-clean.md +80 -0
  137. package/src/commands/rules-distill.md +11 -0
  138. package/src/commands/rust-build.md +187 -0
  139. package/src/commands/rust-review.md +142 -0
  140. package/src/commands/rust-test.md +308 -0
  141. package/{ecc → src}/commands/sessions.md +10 -10
  142. package/src/commands/setup-pm.md +80 -0
  143. package/{kit → src}/commands/setup.md +45 -19
  144. package/src/commands/skill-create.md +172 -0
  145. package/src/commands/skill-health.md +51 -0
  146. package/src/commands/tdd.md +328 -0
  147. package/src/commands/test-coverage.md +69 -0
  148. package/src/commands/update-codemaps.md +72 -0
  149. package/src/commands/update-docs.md +84 -0
  150. package/{gsd/hooks/gsd-context-monitor.js → src/hooks/ccp-context-monitor.js} +3 -3
  151. package/src/hooks/ccp-prompt-guard.js +96 -0
  152. package/{gsd/hooks/gsd-statusline.js → src/hooks/ccp-statusline.js} +7 -7
  153. package/src/hooks/ccp-workflow-guard.js +94 -0
  154. package/src/hooks/config-protection.js +141 -0
  155. package/{kit → src}/hooks/kit-check-update.js +7 -4
  156. package/src/hooks/mcp-health-check.js +620 -0
  157. package/{ecc/scripts → src}/hooks/run-with-flags-shell.sh +1 -1
  158. package/{ecc/scripts → src}/hooks/run-with-flags.js +74 -13
  159. package/src/hooks/session-end-marker.js +29 -0
  160. package/{ecc/scripts → src}/hooks/session-end.js +83 -40
  161. package/{ecc/scripts → src}/hooks/session-start.js +75 -9
  162. package/{ecc/scripts → src}/lib/hook-flags.js +8 -4
  163. package/{ecc/scripts → src}/lib/project-detect.js +2 -1
  164. package/{ecc/scripts → src}/lib/session-manager.d.ts +5 -1
  165. package/{ecc/scripts → src}/lib/session-manager.js +202 -92
  166. package/{ecc/scripts → src}/lib/utils.d.ts +23 -1
  167. package/{ecc/scripts → src}/lib/utils.js +91 -3
  168. package/{gsd/get-shit-done/bin/gsd-tools.cjs → src/pilot/bin/ccp-tools.cjs} +257 -86
  169. package/{gsd/get-shit-done → src/pilot}/bin/lib/commands.cjs +1 -1
  170. package/src/pilot/bin/lib/config.cjs +444 -0
  171. package/src/pilot/bin/lib/core.cjs +1190 -0
  172. package/src/pilot/bin/lib/init.cjs +1281 -0
  173. package/src/pilot/bin/lib/model-profiles.cjs +67 -0
  174. package/{gsd/get-shit-done → src/pilot}/bin/lib/phase.cjs +2 -2
  175. package/src/pilot/bin/lib/security.cjs +382 -0
  176. package/{gsd/get-shit-done → src/pilot}/bin/lib/state.cjs +1 -1
  177. package/src/pilot/bin/lib/uat.cjs +282 -0
  178. package/{gsd/get-shit-done → src/pilot}/bin/lib/verify.cjs +10 -10
  179. package/{gsd/get-shit-done → src/pilot}/references/continuation-format.md +16 -16
  180. package/{gsd/get-shit-done → src/pilot}/references/decimal-phase-calculation.md +5 -5
  181. package/{gsd/get-shit-done → src/pilot}/references/git-integration.md +5 -5
  182. package/{gsd/get-shit-done → src/pilot}/references/git-planning-commit.md +4 -4
  183. package/src/pilot/references/mcp-servers.json +153 -0
  184. package/{gsd/get-shit-done → src/pilot}/references/model-profile-resolution.md +2 -2
  185. package/{gsd/get-shit-done → src/pilot}/references/model-profiles.md +20 -20
  186. package/{gsd/get-shit-done → src/pilot}/references/phase-argument-parsing.md +4 -4
  187. package/{gsd/get-shit-done → src/pilot}/references/planning-config.md +15 -15
  188. package/{gsd/get-shit-done → src/pilot}/references/ui-brand.md +5 -5
  189. package/{gsd/get-shit-done → src/pilot}/references/verification-patterns.md +1 -1
  190. package/{gsd/get-shit-done → src/pilot}/templates/DEBUG.md +1 -1
  191. package/{gsd/get-shit-done → src/pilot}/templates/UAT.md +3 -3
  192. package/src/pilot/templates/UI-SPEC.md +100 -0
  193. package/{gsd/get-shit-done → src/pilot}/templates/VALIDATION.md +1 -1
  194. package/src/pilot/templates/claude-md.md +122 -0
  195. package/{gsd/get-shit-done → src/pilot}/templates/codebase/architecture.md +2 -2
  196. package/{gsd/get-shit-done → src/pilot}/templates/codebase/structure.md +13 -13
  197. package/{gsd/get-shit-done → src/pilot}/templates/context.md +4 -4
  198. package/src/pilot/templates/copilot-instructions.md +7 -0
  199. package/{gsd/get-shit-done → src/pilot}/templates/debug-subagent-prompt.md +4 -4
  200. package/src/pilot/templates/dev-preferences.md +21 -0
  201. package/{gsd/get-shit-done → src/pilot}/templates/discovery.md +2 -2
  202. package/src/pilot/templates/discussion-log.md +63 -0
  203. package/{gsd/get-shit-done → src/pilot}/templates/phase-prompt.md +12 -12
  204. package/{gsd/get-shit-done → src/pilot}/templates/planner-subagent-prompt.md +7 -7
  205. package/{gsd/get-shit-done → src/pilot}/templates/project.md +1 -1
  206. package/{gsd/get-shit-done → src/pilot}/templates/research.md +2 -2
  207. package/{gsd/get-shit-done → src/pilot}/templates/state.md +2 -2
  208. package/{gsd/get-shit-done → src/pilot}/templates/summary-complex.md +1 -1
  209. package/{gsd/get-shit-done → src/pilot}/workflows/add-phase.md +11 -11
  210. package/{gsd/get-shit-done → src/pilot}/workflows/add-tests.md +15 -15
  211. package/{gsd/get-shit-done → src/pilot}/workflows/add-todo.md +7 -7
  212. package/{gsd/get-shit-done → src/pilot}/workflows/audit-milestone.md +24 -16
  213. package/src/pilot/workflows/audit-uat.md +109 -0
  214. package/src/pilot/workflows/autonomous.md +891 -0
  215. package/{gsd/get-shit-done → src/pilot}/workflows/check-todos.md +10 -10
  216. package/{gsd/get-shit-done → src/pilot}/workflows/cleanup.md +3 -3
  217. package/{gsd/get-shit-done → src/pilot}/workflows/complete-milestone.md +19 -16
  218. package/{gsd/get-shit-done → src/pilot}/workflows/diagnose-issues.md +9 -4
  219. package/{gsd/get-shit-done → src/pilot}/workflows/discovery-phase.md +8 -8
  220. package/src/pilot/workflows/discuss-phase-assumptions.md +653 -0
  221. package/{gsd/get-shit-done → src/pilot}/workflows/discuss-phase.md +407 -49
  222. package/src/pilot/workflows/do.md +104 -0
  223. package/src/pilot/workflows/execute-phase.md +821 -0
  224. package/{gsd/get-shit-done → src/pilot}/workflows/execute-plan.md +79 -28
  225. package/src/pilot/workflows/fast.md +105 -0
  226. package/src/pilot/workflows/forensics.md +265 -0
  227. package/{gsd/get-shit-done → src/pilot}/workflows/health.md +34 -11
  228. package/src/pilot/workflows/help.md +775 -0
  229. package/{gsd/get-shit-done → src/pilot}/workflows/insert-phase.md +10 -10
  230. package/{gsd/get-shit-done → src/pilot}/workflows/list-phase-assumptions.md +4 -4
  231. package/src/pilot/workflows/manager.md +362 -0
  232. package/{gsd/get-shit-done → src/pilot}/workflows/map-codebase.md +27 -17
  233. package/src/pilot/workflows/milestone-summary.md +223 -0
  234. package/{gsd/get-shit-done → src/pilot}/workflows/new-milestone.md +135 -33
  235. package/{gsd/get-shit-done → src/pilot}/workflows/new-project.md +152 -79
  236. package/src/pilot/workflows/next.md +97 -0
  237. package/src/pilot/workflows/node-repair.md +92 -0
  238. package/src/pilot/workflows/note.md +156 -0
  239. package/src/pilot/workflows/pause-work.md +177 -0
  240. package/{gsd/get-shit-done → src/pilot}/workflows/plan-milestone-gaps.md +10 -11
  241. package/src/pilot/workflows/plan-phase.md +859 -0
  242. package/src/pilot/workflows/plant-seed.md +169 -0
  243. package/src/pilot/workflows/pr-branch.md +129 -0
  244. package/{gsd/get-shit-done → src/pilot}/workflows/progress.md +95 -34
  245. package/{gsd/get-shit-done → src/pilot}/workflows/quick.md +33 -21
  246. package/{gsd/get-shit-done → src/pilot}/workflows/remove-phase.md +14 -14
  247. package/{gsd/get-shit-done → src/pilot}/workflows/research-phase.md +18 -10
  248. package/{gsd/get-shit-done → src/pilot}/workflows/resume-project.md +37 -18
  249. package/src/pilot/workflows/session-report.md +146 -0
  250. package/{gsd/get-shit-done → src/pilot}/workflows/set-profile.md +7 -7
  251. package/{gsd/get-shit-done → src/pilot}/workflows/settings.md +75 -22
  252. package/src/pilot/workflows/ship.md +228 -0
  253. package/src/pilot/workflows/stats.md +60 -0
  254. package/{gsd/get-shit-done → src/pilot}/workflows/transition.md +57 -17
  255. package/src/pilot/workflows/ui-phase.md +302 -0
  256. package/src/pilot/workflows/ui-review.md +165 -0
  257. package/{gsd/get-shit-done → src/pilot}/workflows/update.md +88 -58
  258. package/{gsd/get-shit-done → src/pilot}/workflows/validate-phase.md +24 -17
  259. package/{gsd/get-shit-done → src/pilot}/workflows/verify-phase.md +26 -15
  260. package/{gsd/get-shit-done → src/pilot}/workflows/verify-work.md +89 -37
  261. package/{ecc → src}/rules/common/agents.md +1 -0
  262. package/{ecc → src}/rules/common/coding-style.md +21 -0
  263. package/src/skills/agentic-engineering/SKILL.md +63 -0
  264. package/src/skills/ai-first-engineering/SKILL.md +51 -0
  265. package/src/skills/ai-regression-testing/SKILL.md +385 -0
  266. package/src/skills/api-design/SKILL.md +523 -0
  267. package/src/skills/architecture-decision-records/SKILL.md +179 -0
  268. package/src/skills/backend-patterns/SKILL.md +598 -0
  269. package/src/skills/benchmark/SKILL.md +87 -0
  270. package/src/skills/blueprint/SKILL.md +90 -0
  271. package/src/skills/browser-qa/SKILL.md +81 -0
  272. package/src/skills/claude-api/SKILL.md +337 -0
  273. package/src/skills/codebase-onboarding/SKILL.md +233 -0
  274. package/src/skills/coding-standards/SKILL.md +530 -0
  275. package/src/skills/context-budget/SKILL.md +135 -0
  276. package/{ecc → src}/skills/continuous-learning-v2/SKILL.md +2 -2
  277. package/{ecc → src}/skills/continuous-learning-v2/agents/observer-loop.sh +1 -1
  278. package/src/skills/cpp-coding-standards/SKILL.md +723 -0
  279. package/src/skills/cpp-testing/SKILL.md +324 -0
  280. package/src/skills/database-migrations/SKILL.md +429 -0
  281. package/src/skills/deep-research/SKILL.md +155 -0
  282. package/src/skills/deployment-patterns/SKILL.md +427 -0
  283. package/src/skills/django-patterns/SKILL.md +734 -0
  284. package/src/skills/django-security/SKILL.md +593 -0
  285. package/src/skills/django-tdd/SKILL.md +729 -0
  286. package/src/skills/django-verification/SKILL.md +469 -0
  287. package/src/skills/docker-patterns/SKILL.md +364 -0
  288. package/src/skills/documentation-lookup/SKILL.md +90 -0
  289. package/src/skills/e2e-testing/SKILL.md +326 -0
  290. package/src/skills/exa-search/SKILL.md +103 -0
  291. package/src/skills/frontend-patterns/SKILL.md +642 -0
  292. package/src/skills/golang-patterns/SKILL.md +674 -0
  293. package/src/skills/golang-testing/SKILL.md +720 -0
  294. package/src/skills/java-coding-standards/SKILL.md +147 -0
  295. package/src/skills/jpa-patterns/SKILL.md +151 -0
  296. package/src/skills/kotlin-coroutines-flows/SKILL.md +284 -0
  297. package/src/skills/kotlin-exposed-patterns/SKILL.md +719 -0
  298. package/src/skills/kotlin-ktor-patterns/SKILL.md +689 -0
  299. package/src/skills/kotlin-patterns/SKILL.md +711 -0
  300. package/src/skills/kotlin-testing/SKILL.md +824 -0
  301. package/src/skills/laravel-patterns/SKILL.md +415 -0
  302. package/src/skills/laravel-security/SKILL.md +285 -0
  303. package/src/skills/laravel-tdd/SKILL.md +283 -0
  304. package/src/skills/laravel-verification/SKILL.md +179 -0
  305. package/src/skills/mcp-server-patterns/SKILL.md +67 -0
  306. package/src/skills/perl-patterns/SKILL.md +504 -0
  307. package/src/skills/perl-testing/SKILL.md +475 -0
  308. package/src/skills/postgres-patterns/SKILL.md +147 -0
  309. package/src/skills/prompt-optimizer/SKILL.md +397 -0
  310. package/src/skills/python-patterns/SKILL.md +750 -0
  311. package/src/skills/python-testing/SKILL.md +816 -0
  312. package/src/skills/rust-patterns/SKILL.md +499 -0
  313. package/src/skills/rust-testing/SKILL.md +500 -0
  314. package/src/skills/safety-guard/SKILL.md +69 -0
  315. package/src/skills/search-first/SKILL.md +161 -0
  316. package/src/skills/security-review/SKILL.md +495 -0
  317. package/src/skills/security-review/cloud-infrastructure-security.md +361 -0
  318. package/src/skills/security-scan/SKILL.md +165 -0
  319. package/src/skills/springboot-patterns/SKILL.md +314 -0
  320. package/src/skills/springboot-security/SKILL.md +272 -0
  321. package/src/skills/springboot-tdd/SKILL.md +158 -0
  322. package/src/skills/springboot-verification/SKILL.md +231 -0
  323. package/src/skills/tdd-workflow/SKILL.md +410 -0
  324. package/ecc/scripts/hooks/session-end-marker.js +0 -15
  325. package/gsd/LICENSE +0 -21
  326. package/gsd/commands-gsd/discuss-phase.md +0 -90
  327. package/gsd/commands-gsd/execute-phase.md +0 -41
  328. package/gsd/commands-gsd/join-discord.md +0 -18
  329. package/gsd/commands-gsd/reapply-patches.md +0 -123
  330. package/gsd/commands-gsd/set-profile.md +0 -34
  331. package/gsd/get-shit-done/bin/lib/config.cjs +0 -169
  332. package/gsd/get-shit-done/bin/lib/core.cjs +0 -492
  333. package/gsd/get-shit-done/bin/lib/init.cjs +0 -710
  334. package/gsd/get-shit-done/workflows/execute-phase.md +0 -459
  335. package/gsd/get-shit-done/workflows/help.md +0 -489
  336. package/gsd/get-shit-done/workflows/pause-work.md +0 -122
  337. package/gsd/get-shit-done/workflows/plan-phase.md +0 -560
  338. package/gsd/hooks/gsd-check-update.js +0 -81
  339. package/kit/CLAUDE.md +0 -43
  340. package/kit/commands/kit/update.md +0 -46
  341. package/kit/mcp.json +0 -10
  342. package/kit/rules/code-style.md +0 -24
  343. /package/{ecc → src}/agents/architect.md +0 -0
  344. /package/{ecc → src}/agents/code-reviewer.md +0 -0
  345. /package/{ecc → src}/agents/doc-updater.md +0 -0
  346. /package/{ecc → src}/agents/e2e-runner.md +0 -0
  347. /package/{ecc → src}/agents/security-reviewer.md +0 -0
  348. /package/{ecc → src}/agents/tdd-guide.md +0 -0
  349. /package/{ecc/rules → src/available-rules}/golang/coding-style.md +0 -0
  350. /package/{ecc/rules → src/available-rules}/golang/hooks.md +0 -0
  351. /package/{ecc/rules → src/available-rules}/golang/patterns.md +0 -0
  352. /package/{ecc/rules → src/available-rules}/golang/security.md +0 -0
  353. /package/{ecc/rules → src/available-rules}/golang/testing.md +0 -0
  354. /package/{ecc/rules → src/available-rules}/kotlin/coding-style.md +0 -0
  355. /package/{ecc/rules → src/available-rules}/kotlin/patterns.md +0 -0
  356. /package/{ecc/rules → src/available-rules}/kotlin/security.md +0 -0
  357. /package/{ecc/rules → src/available-rules}/kotlin/testing.md +0 -0
  358. /package/{ecc/rules → src/available-rules}/perl/coding-style.md +0 -0
  359. /package/{ecc/rules → src/available-rules}/perl/hooks.md +0 -0
  360. /package/{ecc/rules → src/available-rules}/perl/patterns.md +0 -0
  361. /package/{ecc/rules → src/available-rules}/perl/security.md +0 -0
  362. /package/{ecc/rules → src/available-rules}/perl/testing.md +0 -0
  363. /package/{ecc/rules → src/available-rules}/php/coding-style.md +0 -0
  364. /package/{ecc/rules → src/available-rules}/php/hooks.md +0 -0
  365. /package/{ecc/rules → src/available-rules}/php/patterns.md +0 -0
  366. /package/{ecc/rules → src/available-rules}/php/security.md +0 -0
  367. /package/{ecc/rules → src/available-rules}/php/testing.md +0 -0
  368. /package/{ecc/rules → src/available-rules}/python/coding-style.md +0 -0
  369. /package/{ecc/rules → src/available-rules}/python/hooks.md +0 -0
  370. /package/{ecc/rules → src/available-rules}/python/patterns.md +0 -0
  371. /package/{ecc/rules → src/available-rules}/python/security.md +0 -0
  372. /package/{ecc/rules → src/available-rules}/python/testing.md +0 -0
  373. /package/{ecc/rules → src/available-rules}/swift/coding-style.md +0 -0
  374. /package/{ecc/rules → src/available-rules}/swift/hooks.md +0 -0
  375. /package/{ecc/rules → src/available-rules}/swift/patterns.md +0 -0
  376. /package/{ecc/rules → src/available-rules}/swift/security.md +0 -0
  377. /package/{ecc/rules → src/available-rules}/swift/testing.md +0 -0
  378. /package/{ecc/rules → src/available-rules}/typescript/coding-style.md +0 -0
  379. /package/{ecc/rules → src/available-rules}/typescript/hooks.md +0 -0
  380. /package/{ecc/rules → src/available-rules}/typescript/patterns.md +0 -0
  381. /package/{ecc/rules → src/available-rules}/typescript/security.md +0 -0
  382. /package/{ecc/rules → src/available-rules}/typescript/testing.md +0 -0
  383. /package/{ecc → src}/commands/checkpoint.md +0 -0
  384. /package/{ecc → src}/commands/learn.md +0 -0
  385. /package/{ecc → src}/commands/model-route.md +0 -0
  386. /package/{ecc → src}/commands/resume-session.md +0 -0
  387. /package/{ecc → src}/commands/save-session.md +0 -0
  388. /package/{kit → src}/commands/setup-refresh.md +0 -0
  389. /package/{kit → src}/commands/tool-guide.md +0 -0
  390. /package/{ecc → src}/commands/verify.md +0 -0
  391. /package/{ecc → src}/contexts/dev.md +0 -0
  392. /package/{ecc → src}/contexts/research.md +0 -0
  393. /package/{ecc → src}/contexts/review.md +0 -0
  394. /package/{ecc → src}/examples/CLAUDE.md +0 -0
  395. /package/{ecc → src}/examples/django-api-CLAUDE.md +0 -0
  396. /package/{ecc → src}/examples/go-microservice-CLAUDE.md +0 -0
  397. /package/{ecc → src}/examples/rust-api-CLAUDE.md +0 -0
  398. /package/{ecc → src}/examples/saas-nextjs-CLAUDE.md +0 -0
  399. /package/{ecc → src}/examples/user-CLAUDE.md +0 -0
  400. /package/{ecc/scripts → src}/hooks/check-hook-enabled.js +0 -0
  401. /package/{ecc/scripts → src}/hooks/evaluate-session.js +0 -0
  402. /package/{ecc/scripts → src}/hooks/pre-compact.js +0 -0
  403. /package/{ecc/scripts → src}/hooks/suggest-compact.js +0 -0
  404. /package/{ecc/scripts → src}/lib/package-manager.d.ts +0 -0
  405. /package/{ecc/scripts → src}/lib/package-manager.js +0 -0
  406. /package/{ecc/scripts → src}/lib/resolve-formatter.js +0 -0
  407. /package/{ecc/scripts → src}/lib/session-aliases.d.ts +0 -0
  408. /package/{ecc/scripts → src}/lib/session-aliases.js +0 -0
  409. /package/{ecc/scripts → src}/lib/shell-split.js +0 -0
  410. /package/{gsd/get-shit-done → src/pilot}/bin/lib/frontmatter.cjs +0 -0
  411. /package/{gsd/get-shit-done → src/pilot}/bin/lib/milestone.cjs +0 -0
  412. /package/{gsd/get-shit-done → src/pilot}/bin/lib/roadmap.cjs +0 -0
  413. /package/{gsd/get-shit-done → src/pilot}/bin/lib/template.cjs +0 -0
  414. /package/{gsd/get-shit-done → src/pilot}/references/checkpoints.md +0 -0
  415. /package/{gsd/get-shit-done → src/pilot}/references/questioning.md +0 -0
  416. /package/{gsd/get-shit-done → src/pilot}/references/tdd.md +0 -0
  417. /package/{gsd/get-shit-done → src/pilot}/templates/codebase/concerns.md +0 -0
  418. /package/{gsd/get-shit-done → src/pilot}/templates/codebase/conventions.md +0 -0
  419. /package/{gsd/get-shit-done → src/pilot}/templates/codebase/integrations.md +0 -0
  420. /package/{gsd/get-shit-done → src/pilot}/templates/codebase/stack.md +0 -0
  421. /package/{gsd/get-shit-done → src/pilot}/templates/codebase/testing.md +0 -0
  422. /package/{gsd/get-shit-done → src/pilot}/templates/config.json +0 -0
  423. /package/{gsd/get-shit-done → src/pilot}/templates/continue-here.md +0 -0
  424. /package/{gsd/get-shit-done → src/pilot}/templates/milestone-archive.md +0 -0
  425. /package/{gsd/get-shit-done → src/pilot}/templates/milestone.md +0 -0
  426. /package/{gsd/get-shit-done → src/pilot}/templates/requirements.md +0 -0
  427. /package/{gsd/get-shit-done → src/pilot}/templates/research-project/ARCHITECTURE.md +0 -0
  428. /package/{gsd/get-shit-done → src/pilot}/templates/research-project/FEATURES.md +0 -0
  429. /package/{gsd/get-shit-done → src/pilot}/templates/research-project/PITFALLS.md +0 -0
  430. /package/{gsd/get-shit-done → src/pilot}/templates/research-project/STACK.md +0 -0
  431. /package/{gsd/get-shit-done → src/pilot}/templates/research-project/SUMMARY.md +0 -0
  432. /package/{gsd/get-shit-done → src/pilot}/templates/retrospective.md +0 -0
  433. /package/{gsd/get-shit-done → src/pilot}/templates/roadmap.md +0 -0
  434. /package/{gsd/get-shit-done → src/pilot}/templates/summary-minimal.md +0 -0
  435. /package/{gsd/get-shit-done → src/pilot}/templates/summary-standard.md +0 -0
  436. /package/{gsd/get-shit-done → src/pilot}/templates/summary.md +0 -0
  437. /package/{gsd/get-shit-done → src/pilot}/templates/user-setup.md +0 -0
  438. /package/{gsd/get-shit-done → src/pilot}/templates/verification-report.md +0 -0
  439. /package/{ecc → src}/rules/common/development-workflow.md +0 -0
  440. /package/{ecc → src}/rules/common/git-workflow.md +0 -0
  441. /package/{ecc → src}/rules/common/hooks.md +0 -0
  442. /package/{ecc → src}/rules/common/patterns.md +0 -0
  443. /package/{ecc → src}/rules/common/performance.md +0 -0
  444. /package/{ecc → src}/rules/common/security.md +0 -0
  445. /package/{ecc → src}/rules/common/testing.md +0 -0
  446. /package/{ecc → src}/skills/continuous-learning-v2/agents/observer.md +0 -0
  447. /package/{ecc → src}/skills/continuous-learning-v2/agents/start-observer.sh +0 -0
  448. /package/{ecc → src}/skills/continuous-learning-v2/config.json +0 -0
  449. /package/{ecc → src}/skills/continuous-learning-v2/hooks/observe.sh +0 -0
  450. /package/{ecc → src}/skills/continuous-learning-v2/scripts/detect-project.sh +0 -0
  451. /package/{ecc → src}/skills/continuous-learning-v2/scripts/instinct-cli.py +0 -0
  452. /package/{ecc → src}/skills/continuous-learning-v2/scripts/test_parse_instinct.py +0 -0
  453. /package/{ecc → src}/skills/strategic-compact/SKILL.md +0 -0
  454. /package/{ecc → src}/skills/strategic-compact/suggest-compact.sh +0 -0
  455. /package/{ecc/skills/verification-loop-SKILL.md → src/skills/verification-loop/SKILL.md} +0 -0
@@ -0,0 +1,67 @@
1
+ /**
2
+ * Mapping of CCP agent to model for each profile.
3
+ *
4
+ * This is the single source of truth for agent-to-model mappings.
5
+ * All modules that need MODEL_PROFILES should require this module
6
+ * rather than defining their own inline table.
7
+ */
8
+ const MODEL_PROFILES = {
9
+ 'ccp-planner': { quality: 'opus', balanced: 'opus', budget: 'sonnet' },
10
+ 'ccp-roadmapper': { quality: 'opus', balanced: 'sonnet', budget: 'sonnet' },
11
+ 'ccp-executor': { quality: 'opus', balanced: 'sonnet', budget: 'sonnet' },
12
+ 'ccp-phase-researcher': { quality: 'opus', balanced: 'sonnet', budget: 'haiku' },
13
+ 'ccp-project-researcher': { quality: 'opus', balanced: 'sonnet', budget: 'haiku' },
14
+ 'ccp-research-synthesizer': { quality: 'sonnet', balanced: 'sonnet', budget: 'haiku' },
15
+ 'ccp-debugger': { quality: 'opus', balanced: 'sonnet', budget: 'sonnet' },
16
+ 'ccp-codebase-mapper': { quality: 'sonnet', balanced: 'haiku', budget: 'haiku' },
17
+ 'ccp-verifier': { quality: 'sonnet', balanced: 'sonnet', budget: 'haiku' },
18
+ 'ccp-plan-checker': { quality: 'sonnet', balanced: 'sonnet', budget: 'haiku' },
19
+ 'ccp-integration-checker': { quality: 'sonnet', balanced: 'sonnet', budget: 'haiku' },
20
+ 'ccp-nyquist-auditor': { quality: 'sonnet', balanced: 'sonnet', budget: 'haiku' },
21
+ 'ccp-ui-researcher': { quality: 'opus', balanced: 'sonnet', budget: 'haiku' },
22
+ 'ccp-ui-checker': { quality: 'sonnet', balanced: 'sonnet', budget: 'haiku' },
23
+ 'ccp-ui-auditor': { quality: 'sonnet', balanced: 'sonnet', budget: 'haiku' },
24
+ };
25
+ const VALID_PROFILES = Object.keys(MODEL_PROFILES['ccp-planner']);
26
+
27
+ /**
28
+ * Formats the agent-to-model mapping as a human-readable table (in string format).
29
+ *
30
+ * @param {Object<string, string>} agentToModelMap - A mapping from agent to model
31
+ * @returns {string} A formatted table string
32
+ */
33
+ function formatAgentToModelMapAsTable(agentToModelMap) {
34
+ const agentWidth = Math.max('Agent'.length, ...Object.keys(agentToModelMap).map((a) => a.length));
35
+ const modelWidth = Math.max(
36
+ 'Model'.length,
37
+ ...Object.values(agentToModelMap).map((m) => m.length)
38
+ );
39
+ const sep = '\u2500'.repeat(agentWidth + 2) + '\u2524' + '\u2500'.repeat(modelWidth + 2);
40
+ const header = ' ' + 'Agent'.padEnd(agentWidth) + ' \u2502 ' + 'Model'.padEnd(modelWidth);
41
+ let agentToModelTable = header + '\n' + sep + '\n';
42
+ for (const [agent, model] of Object.entries(agentToModelMap)) {
43
+ agentToModelTable += ' ' + agent.padEnd(agentWidth) + ' \u2502 ' + model.padEnd(modelWidth) + '\n';
44
+ }
45
+ return agentToModelTable;
46
+ }
47
+
48
+ /**
49
+ * Returns a mapping from agent to model for the given model profile.
50
+ *
51
+ * @param {string} normalizedProfile - The normalized (lowercase and trimmed) profile name
52
+ * @returns {Object<string, string>} A mapping from agent to model for the given profile
53
+ */
54
+ function getAgentToModelMapForProfile(normalizedProfile) {
55
+ const agentToModelMap = {};
56
+ for (const [agent, profileToModelMap] of Object.entries(MODEL_PROFILES)) {
57
+ agentToModelMap[agent] = profileToModelMap[normalizedProfile];
58
+ }
59
+ return agentToModelMap;
60
+ }
61
+
62
+ module.exports = {
63
+ MODEL_PROFILES,
64
+ VALID_PROFILES,
65
+ formatAgentToModelMapAsTable,
66
+ getAgentToModelMapForProfile,
67
+ };
@@ -340,7 +340,7 @@ function cmdPhaseAdd(cwd, description, raw) {
340
340
  fs.writeFileSync(path.join(dirPath, '.gitkeep'), '');
341
341
 
342
342
  // Build phase entry
343
- const phaseEntry = `\n### Phase ${newPhaseNum}: ${description}\n\n**Goal:** [To be planned]\n**Requirements**: TBD\n**Depends on:** Phase ${maxPhase}\n**Plans:** 0 plans\n\nPlans:\n- [ ] TBD (run /gsd:plan-phase ${newPhaseNum} to break down)\n`;
343
+ const phaseEntry = `\n### Phase ${newPhaseNum}: ${description}\n\n**Goal:** [To be planned]\n**Requirements**: TBD\n**Depends on:** Phase ${maxPhase}\n**Plans:** 0 plans\n\nPlans:\n- [ ] TBD (run /ccp:plan-phase ${newPhaseNum} to break down)\n`;
344
344
 
345
345
  // Find insertion point: before last "---" or at end
346
346
  let updatedContent;
@@ -411,7 +411,7 @@ function cmdPhaseInsert(cwd, afterPhase, description, raw) {
411
411
  fs.writeFileSync(path.join(dirPath, '.gitkeep'), '');
412
412
 
413
413
  // Build phase entry
414
- const phaseEntry = `\n### Phase ${decimalPhase}: ${description} (INSERTED)\n\n**Goal:** [Urgent work - to be planned]\n**Requirements**: TBD\n**Depends on:** Phase ${afterPhase}\n**Plans:** 0 plans\n\nPlans:\n- [ ] TBD (run /gsd:plan-phase ${decimalPhase} to break down)\n`;
414
+ const phaseEntry = `\n### Phase ${decimalPhase}: ${description} (INSERTED)\n\n**Goal:** [Urgent work - to be planned]\n**Requirements**: TBD\n**Depends on:** Phase ${afterPhase}\n**Plans:** 0 plans\n\nPlans:\n- [ ] TBD (run /ccp:plan-phase ${decimalPhase} to break down)\n`;
415
415
 
416
416
  // Insert after the target phase section
417
417
  const headerPattern = new RegExp(`(#{2,4}\\s*Phase\\s+0*${afterPhaseEscaped}:[^\\n]*\\n)`, 'i');
@@ -0,0 +1,382 @@
1
+ /**
2
+ * Security — Input validation, path traversal prevention, and prompt injection guards
3
+ *
4
+ * This module centralizes security checks for CCP tooling. Because CCP generates
5
+ * markdown files that become LLM system prompts (agent instructions, workflow state,
6
+ * phase plans), any user-controlled text that flows into these files is a potential
7
+ * indirect prompt injection vector.
8
+ *
9
+ * Threat model:
10
+ * 1. Path traversal: user-supplied file paths escape the project directory
11
+ * 2. Prompt injection: malicious text in arguments/PRDs embeds LLM instructions
12
+ * 3. Shell metacharacter injection: user text interpreted by shell
13
+ * 4. JSON injection: malformed JSON crashes or corrupts state
14
+ * 5. Regex DoS: crafted input causes catastrophic backtracking
15
+ */
16
+ 'use strict';
17
+
18
+ const fs = require('fs');
19
+ const path = require('path');
20
+
21
+ // ─── Path Traversal Prevention ──────────────────────────────────────────────
22
+
23
+ /**
24
+ * Validate that a file path resolves within an allowed base directory.
25
+ * Prevents path traversal attacks via ../ sequences, symlinks, or absolute paths.
26
+ *
27
+ * @param {string} filePath - The user-supplied file path
28
+ * @param {string} baseDir - The allowed base directory (e.g., project root)
29
+ * @param {object} [opts] - Options
30
+ * @param {boolean} [opts.allowAbsolute=false] - Allow absolute paths (still must be within baseDir)
31
+ * @returns {{ safe: boolean, resolved: string, error?: string }}
32
+ */
33
+ function validatePath(filePath, baseDir, opts = {}) {
34
+ if (!filePath || typeof filePath !== 'string') {
35
+ return { safe: false, resolved: '', error: 'Empty or invalid file path' };
36
+ }
37
+
38
+ if (!baseDir || typeof baseDir !== 'string') {
39
+ return { safe: false, resolved: '', error: 'Empty or invalid base directory' };
40
+ }
41
+
42
+ // Reject null bytes (can bypass path checks in some environments)
43
+ if (filePath.includes('\0')) {
44
+ return { safe: false, resolved: '', error: 'Path contains null bytes' };
45
+ }
46
+
47
+ // Resolve symlinks in base directory to handle macOS /var -> /private/var
48
+ // and similar platform-specific symlink chains
49
+ let resolvedBase;
50
+ try {
51
+ resolvedBase = fs.realpathSync(path.resolve(baseDir));
52
+ } catch {
53
+ resolvedBase = path.resolve(baseDir);
54
+ }
55
+
56
+ let resolvedPath;
57
+
58
+ if (path.isAbsolute(filePath)) {
59
+ if (!opts.allowAbsolute) {
60
+ return { safe: false, resolved: '', error: 'Absolute paths not allowed' };
61
+ }
62
+ resolvedPath = path.resolve(filePath);
63
+ } else {
64
+ resolvedPath = path.resolve(baseDir, filePath);
65
+ }
66
+
67
+ // Resolve symlinks in the target path too
68
+ try {
69
+ resolvedPath = fs.realpathSync(resolvedPath);
70
+ } catch {
71
+ // File may not exist yet (e.g., about to be created) — use logical resolution
72
+ // but still resolve the parent directory if it exists
73
+ const parentDir = path.dirname(resolvedPath);
74
+ try {
75
+ const realParent = fs.realpathSync(parentDir);
76
+ resolvedPath = path.join(realParent, path.basename(resolvedPath));
77
+ } catch {
78
+ // Parent doesn't exist either — keep the resolved path as-is
79
+ }
80
+ }
81
+
82
+ // Normalize both paths and check containment
83
+ const normalizedBase = resolvedBase + path.sep;
84
+ const normalizedPath = resolvedPath + path.sep;
85
+
86
+ // The resolved path must start with the base directory
87
+ // (or be exactly the base directory)
88
+ if (resolvedPath !== resolvedBase && !normalizedPath.startsWith(normalizedBase)) {
89
+ return {
90
+ safe: false,
91
+ resolved: resolvedPath,
92
+ error: `Path escapes allowed directory: ${resolvedPath} is outside ${resolvedBase}`,
93
+ };
94
+ }
95
+
96
+ return { safe: true, resolved: resolvedPath };
97
+ }
98
+
99
+ /**
100
+ * Validate a file path and throw on traversal attempt.
101
+ * Convenience wrapper around validatePath for use in CLI commands.
102
+ */
103
+ function requireSafePath(filePath, baseDir, label, opts = {}) {
104
+ const result = validatePath(filePath, baseDir, opts);
105
+ if (!result.safe) {
106
+ throw new Error(`${label || 'Path'} validation failed: ${result.error}`);
107
+ }
108
+ return result.resolved;
109
+ }
110
+
111
+ // ─── Prompt Injection Detection ─────────────────────────────────────────────
112
+
113
+ /**
114
+ * Patterns that indicate prompt injection attempts in user-supplied text.
115
+ * These patterns catch common indirect prompt injection techniques where
116
+ * an attacker embeds LLM instructions in text that will be read by an agent.
117
+ *
118
+ * Note: This is defense-in-depth — not a complete solution. The primary defense
119
+ * is proper input/output boundaries in agent prompts.
120
+ */
121
+ const INJECTION_PATTERNS = [
122
+ // Direct instruction override attempts
123
+ /ignore\s+(all\s+)?previous\s+instructions/i,
124
+ /ignore\s+(all\s+)?above\s+instructions/i,
125
+ /disregard\s+(all\s+)?previous/i,
126
+ /forget\s+(all\s+)?(your\s+)?instructions/i,
127
+ /override\s+(system|previous)\s+(prompt|instructions)/i,
128
+
129
+ // Role/identity manipulation
130
+ /you\s+are\s+now\s+(?:a|an|the)\s+/i,
131
+ /act\s+as\s+(?:a|an|the)\s+(?!plan|phase|wave)/i, // allow "act as a plan"
132
+ /pretend\s+(?:you(?:'re| are)\s+|to\s+be\s+)/i,
133
+ /from\s+now\s+on,?\s+you\s+(?:are|will|should|must)/i,
134
+
135
+ // System prompt extraction
136
+ /(?:print|output|reveal|show|display|repeat)\s+(?:your\s+)?(?:system\s+)?(?:prompt|instructions)/i,
137
+ /what\s+(?:are|is)\s+your\s+(?:system\s+)?(?:prompt|instructions)/i,
138
+
139
+ // Hidden instruction markers (XML/HTML tags that mimic system messages)
140
+ // Note: <instructions> is excluded — CCP uses it as legitimate prompt structure
141
+ // Requires > to close the tag (not just whitespace) to avoid matching generic types like Promise<User | null>
142
+ /<\/?(?:system|assistant|human)>/i,
143
+ /\[SYSTEM\]/i,
144
+ /\[INST\]/i,
145
+ /<<\s*SYS\s*>>/i,
146
+
147
+ // Exfiltration attempts
148
+ /(?:send|post|fetch|curl|wget)\s+(?:to|from)\s+https?:\/\//i,
149
+ /(?:base64|btoa|encode)\s+(?:and\s+)?(?:send|exfiltrate|output)/i,
150
+
151
+ // Tool manipulation
152
+ /(?:run|execute|call|invoke)\s+(?:the\s+)?(?:bash|shell|exec|spawn)\s+(?:tool|command)/i,
153
+ ];
154
+
155
+ /**
156
+ * Scan text for potential prompt injection patterns.
157
+ * Returns an array of findings (empty = clean).
158
+ *
159
+ * @param {string} text - The text to scan
160
+ * @param {object} [opts] - Options
161
+ * @param {boolean} [opts.strict=false] - Enable stricter matching (more false positives)
162
+ * @returns {{ clean: boolean, findings: string[] }}
163
+ */
164
+ function scanForInjection(text, opts = {}) {
165
+ if (!text || typeof text !== 'string') {
166
+ return { clean: true, findings: [] };
167
+ }
168
+
169
+ const findings = [];
170
+
171
+ for (const pattern of INJECTION_PATTERNS) {
172
+ if (pattern.test(text)) {
173
+ findings.push(`Matched injection pattern: ${pattern.source}`);
174
+ }
175
+ }
176
+
177
+ if (opts.strict) {
178
+ // Check for suspicious Unicode that could hide instructions
179
+ // (zero-width chars, RTL override, homoglyph attacks)
180
+ if (/[\u200B-\u200F\u2028-\u202F\uFEFF\u00AD]/.test(text)) {
181
+ findings.push('Contains suspicious zero-width or invisible Unicode characters');
182
+ }
183
+
184
+ // Check for extremely long strings that could be prompt stuffing
185
+ if (text.length > 50000) {
186
+ findings.push(`Suspicious text length: ${text.length} chars (potential prompt stuffing)`);
187
+ }
188
+ }
189
+
190
+ return { clean: findings.length === 0, findings };
191
+ }
192
+
193
+ /**
194
+ * Sanitize text that will be embedded in agent prompts or planning documents.
195
+ * Strips known injection markers while preserving legitimate content.
196
+ *
197
+ * This does NOT alter user intent — it neutralizes control characters and
198
+ * instruction-mimicking patterns that could hijack agent behavior.
199
+ *
200
+ * @param {string} text - Text to sanitize
201
+ * @returns {string} Sanitized text
202
+ */
203
+ function sanitizeForPrompt(text) {
204
+ if (!text || typeof text !== 'string') return text;
205
+
206
+ let sanitized = text;
207
+
208
+ // Strip zero-width characters that could hide instructions
209
+ sanitized = sanitized.replace(/[\u200B-\u200F\u2028-\u202F\uFEFF\u00AD]/g, '');
210
+
211
+ // Neutralize XML/HTML tags that mimic system boundaries
212
+ // Replace < > with full-width equivalents to prevent tag interpretation
213
+ // Note: <instructions> is excluded — CCP uses it as legitimate prompt structure
214
+ sanitized = sanitized.replace(/<(\/?)(?:system|assistant|human)>/gi,
215
+ (_, slash) => `\uFF1C${slash || ''}system-text\uFF1E`);
216
+
217
+ // Neutralize [SYSTEM] / [INST] markers
218
+ sanitized = sanitized.replace(/\[(SYSTEM|INST)\]/gi, '[$1-TEXT]');
219
+
220
+ // Neutralize <<SYS>> markers
221
+ sanitized = sanitized.replace(/<<\s*SYS\s*>>/gi, '\u00ABSYS-TEXT\u00BB');
222
+
223
+ return sanitized;
224
+ }
225
+
226
+ /**
227
+ * Sanitize text that will be displayed back to the user.
228
+ * Removes protocol-like leak markers that should never surface in checkpoints.
229
+ *
230
+ * @param {string} text - Text to sanitize
231
+ * @returns {string} Sanitized text
232
+ */
233
+ function sanitizeForDisplay(text) {
234
+ if (!text || typeof text !== 'string') return text;
235
+
236
+ let sanitized = sanitizeForPrompt(text);
237
+
238
+ const protocolLeakPatterns = [
239
+ /^\s*(?:assistant|user|system)\s+to=[^:\s]+:[^\n]+$/i,
240
+ /^\s*<\|(?:assistant|user|system)[^|]*\|>\s*$/i,
241
+ ];
242
+
243
+ sanitized = sanitized
244
+ .split('\n')
245
+ .filter(line => !protocolLeakPatterns.some(pattern => pattern.test(line)))
246
+ .join('\n');
247
+
248
+ return sanitized;
249
+ }
250
+
251
+ // ─── Shell Safety ───────────────────────────────────────────────────────────
252
+
253
+ /**
254
+ * Validate that a string is safe to use as a shell argument when quoted.
255
+ * This is a defense-in-depth check — callers should always use array-based
256
+ * exec (spawnSync) where possible.
257
+ *
258
+ * @param {string} value - The value to check
259
+ * @param {string} label - Description for error messages
260
+ * @returns {string} The validated value
261
+ */
262
+ function validateShellArg(value, label) {
263
+ if (!value || typeof value !== 'string') {
264
+ throw new Error(`${label || 'Argument'}: empty or invalid value`);
265
+ }
266
+
267
+ // Reject null bytes
268
+ if (value.includes('\0')) {
269
+ throw new Error(`${label || 'Argument'}: contains null bytes`);
270
+ }
271
+
272
+ // Reject command substitution attempts
273
+ if (/[$`]/.test(value) && /\$\(|`/.test(value)) {
274
+ throw new Error(`${label || 'Argument'}: contains potential command substitution`);
275
+ }
276
+
277
+ return value;
278
+ }
279
+
280
+ // ─── JSON Safety ────────────────────────────────────────────────────────────
281
+
282
+ /**
283
+ * Safely parse JSON with error handling and optional size limits.
284
+ * Wraps JSON.parse to prevent uncaught exceptions from malformed input.
285
+ *
286
+ * @param {string} text - JSON string to parse
287
+ * @param {object} [opts] - Options
288
+ * @param {number} [opts.maxLength=1048576] - Maximum input length (1MB default)
289
+ * @param {string} [opts.label='JSON'] - Description for error messages
290
+ * @returns {{ ok: boolean, value?: any, error?: string }}
291
+ */
292
+ function safeJsonParse(text, opts = {}) {
293
+ const maxLength = opts.maxLength || 1048576;
294
+ const label = opts.label || 'JSON';
295
+
296
+ if (!text || typeof text !== 'string') {
297
+ return { ok: false, error: `${label}: empty or invalid input` };
298
+ }
299
+
300
+ if (text.length > maxLength) {
301
+ return { ok: false, error: `${label}: input exceeds ${maxLength} byte limit (got ${text.length})` };
302
+ }
303
+
304
+ try {
305
+ const value = JSON.parse(text);
306
+ return { ok: true, value };
307
+ } catch (err) {
308
+ return { ok: false, error: `${label}: parse error — ${err.message}` };
309
+ }
310
+ }
311
+
312
+ // ─── Phase/Argument Validation ──────────────────────────────────────────────
313
+
314
+ /**
315
+ * Validate a phase number argument.
316
+ * Phase numbers must match: integer, decimal (2.1), or letter suffix (12A).
317
+ * Rejects arbitrary strings that could be used for injection.
318
+ *
319
+ * @param {string} phase - The phase number to validate
320
+ * @returns {{ valid: boolean, normalized?: string, error?: string }}
321
+ */
322
+ function validatePhaseNumber(phase) {
323
+ if (!phase || typeof phase !== 'string') {
324
+ return { valid: false, error: 'Phase number is required' };
325
+ }
326
+
327
+ const trimmed = phase.trim();
328
+
329
+ // Standard numeric: 1, 01, 12A, 12.1, 12A.1.2
330
+ if (/^\d{1,4}[A-Z]?(?:\.\d{1,3})*$/i.test(trimmed)) {
331
+ return { valid: true, normalized: trimmed };
332
+ }
333
+
334
+ // Custom project IDs: PROJ-42, AUTH-101 (uppercase alphanumeric with hyphens)
335
+ if (/^[A-Z][A-Z0-9]*(?:-[A-Z0-9]+){1,4}$/i.test(trimmed) && trimmed.length <= 30) {
336
+ return { valid: true, normalized: trimmed };
337
+ }
338
+
339
+ return { valid: false, error: `Invalid phase number format: "${trimmed}"` };
340
+ }
341
+
342
+ /**
343
+ * Validate a STATE.md field name to prevent injection into regex patterns.
344
+ * Field names must be alphanumeric with spaces, hyphens, underscores, or dots.
345
+ *
346
+ * @param {string} field - The field name to validate
347
+ * @returns {{ valid: boolean, error?: string }}
348
+ */
349
+ function validateFieldName(field) {
350
+ if (!field || typeof field !== 'string') {
351
+ return { valid: false, error: 'Field name is required' };
352
+ }
353
+
354
+ // Allow typical field names: "Current Phase", "active_plan", "Phase 1.2"
355
+ if (/^[A-Za-z][A-Za-z0-9 _.\-/]{0,60}$/.test(field)) {
356
+ return { valid: true };
357
+ }
358
+
359
+ return { valid: false, error: `Invalid field name: "${field}"` };
360
+ }
361
+
362
+ module.exports = {
363
+ // Path safety
364
+ validatePath,
365
+ requireSafePath,
366
+
367
+ // Prompt injection
368
+ INJECTION_PATTERNS,
369
+ scanForInjection,
370
+ sanitizeForPrompt,
371
+ sanitizeForDisplay,
372
+
373
+ // Shell safety
374
+ validateShellArg,
375
+
376
+ // JSON safety
377
+ safeJsonParse,
378
+
379
+ // Input validation
380
+ validatePhaseNumber,
381
+ validateFieldName,
382
+ };
@@ -637,7 +637,7 @@ function buildStateFrontmatter(bodyContent, cwd) {
637
637
  normalizedStatus = 'executing';
638
638
  }
639
639
 
640
- const fm = { gsd_state_version: '1.0' };
640
+ const fm = { ccp_state_version: '1.0' };
641
641
 
642
642
  if (milestone) fm.milestone = milestone;
643
643
  if (milestoneName) fm.milestone_name = milestoneName;