claudecode-omc 5.6.8 → 5.9.1

package/src/cli/source.js

@@ -3,6 +3,7 @@ const { spawnSync } = require('child_process');
 const path = require('path');
 const fs = require('fs');
 const fsp = require('fs/promises');
+const crypto = require('crypto');
 const { readConfig, setActiveSource, recordSync, addSource, removeSource } = require('../config/sources');
 const { getProjectRoot, getSourceArtifactDir, getSyncTargetDir, getSyncTempDir, getSourceMetadataDir } = require('../config/paths');
 const { buildSourceCatalog } = require('../catalog/source-catalog');
@@ -26,6 +27,84 @@ function copyFileRecursive(src, dest) {
     .then(() => fsp.copyFile(src, dest));
 }
 
+// --- Provenance: content hashes + upstream commit, recorded per sync so drift
+// (local edits, upstream changes pulled in) can be detected later. This is what
+// separates a governed source from a blind copy.
+function hashFile(filePath) {
+  return 'sha256:' + crypto.createHash('sha256').update(fs.readFileSync(filePath)).digest('hex');
+}
+
+// Map of POSIX relative path → content hash for every file under dir (recursive,
+// so skill directories and flat .md files hash uniformly).
+function hashTree(dir) {
+  const out = {};
+  if (!fs.existsSync(dir)) return out;
+  const stat = fs.statSync(dir);
+  if (stat.isFile()) {
+    out[path.basename(dir)] = hashFile(dir);
+    return out;
+  }
+  const walk = (current, prefix) => {
+    for (const entry of fs.readdirSync(current, { withFileTypes: true }).sort((a, b) => a.name.localeCompare(b.name))) {
+      const abs = path.join(current, entry.name);
+      const rel = prefix ? `${prefix}/${entry.name}` : entry.name;
+      if (entry.isDirectory()) walk(abs, rel);
+      else if (entry.isFile()) out[rel] = hashFile(abs);
+    }
+  };
+  walk(dir, '');
+  return out;
+}
+
+// Strip any inline credentials (https://user:token@host/…) before a remote URL
+// is logged to stdout or persisted into bundle.json/provenance.json.
+function redactRemote(remote) {
+  try {
+    const u = new URL(remote);
+    if (u.username || u.password) { u.username = ''; u.password = ''; return u.toString(); }
+  } catch { /* non-URL (e.g. scp-style or local path) — return as-is */ }
+  return remote;
+}
+
+function diffHashTrees(recorded = {}, current = {}) {
+  const added = [];
+  const removed = [];
+  const changed = [];
+  for (const key of Object.keys(current)) {
+    if (!(key in recorded)) added.push(key);
+    else if (recorded[key] !== current[key]) changed.push(key);
+  }
+  for (const key of Object.keys(recorded)) {
+    if (!(key in current)) removed.push(key);
+  }
+  return { added: added.sort(), removed: removed.sort(), changed: changed.sort() };
+}
+
+// --- Lockfile: pins each source to an exact upstream commit for reproducible
+// syncs. Lives in-repo at .omc-curation/sources.lock.json so it ships and is
+// version-controlled alongside the curation it locks.
+function getLockPath(root) {
+  return path.join(root, '.omc-curation', 'sources.lock.json');
+}
+
+function readLock(root) {
+  try {
+    const data = JSON.parse(fs.readFileSync(getLockPath(root), 'utf8'));
+    return data && typeof data.sources === 'object' ? data : { sources: {} };
+  } catch {
+    return { sources: {} };
+  }
+}
+
+async function writeLock(root, lock) {
+  const lockPath = getLockPath(root);
+  await fsp.mkdir(path.dirname(lockPath), { recursive: true });
+  await fsp.writeFile(lockPath, JSON.stringify({
+    _comment: 'Pinned upstream commits for reproducible `source sync --frozen`. Update with `omc-manage source lock`.',
+    ...lock,
+  }, null, 2) + '\n', 'utf8');
+}
+
 function parseMappingFlag(mappingFlag) {
   if (!mappingFlag) return {};
 
@@ -46,8 +125,39 @@ function parseMappingFlag(mappingFlag) {
   return mapping;
 }
 
-async function syncRemoteSource(sourceName, sourceConfig, root) {
-  console.log(`  Syncing ${sourceName} from ${sourceConfig.remote} (${sourceConfig.ref})...`);
+// Fetch the source into tmpDir. With pinnedCommit, fetch that exact SHA for a
+// reproducible (frozen) checkout; otherwise shallow-clone the ref tip.
+function fetchSource(tmpDir, remote, ref, pinnedCommit) {
+  const opts = { encoding: 'utf8', timeout: 300000, stdio: ['ignore', 'pipe', 'pipe'] };
+  if (pinnedCommit) {
+    // Defense-in-depth: a pinned commit comes from the lockfile JSON. Require a
+    // bare hex SHA so a crafted value can't be read as a git option, and pass it
+    // after `--` so it's unambiguously a ref, never a flag.
+    if (!/^[0-9a-f]{7,40}$/i.test(pinnedCommit)) {
+      return { status: 1, stderr: `Invalid pinned commit (not a hex SHA): ${JSON.stringify(pinnedCommit)}` };
+    }
+    fs.mkdirSync(tmpDir, { recursive: true });
+    const steps = [
+      ['init', '-q', tmpDir],
+      ['-C', tmpDir, 'remote', 'add', 'origin', remote],
+      ['-C', tmpDir, 'fetch', '--depth', '1', 'origin', '--', pinnedCommit],
+      ['-C', tmpDir, 'checkout', '-q', 'FETCH_HEAD'],
+    ];
+    let last;
+    for (const args of steps) {
+      last = spawnSync('git', args, opts);
+      if (last.status !== 0) return last;
+    }
+    return last;
+  }
+  return spawnSync('git', [
+    'clone', '--depth', '1', '--branch', ref, '--single-branch', remote, tmpDir,
+  ], opts);
+}
+
+async function syncRemoteSource(sourceName, sourceConfig, root, pinnedCommit = null) {
+  const refLabel = pinnedCommit ? `${sourceConfig.ref} @ ${pinnedCommit.slice(0, 12)} (frozen)` : sourceConfig.ref;
+  console.log(`  Syncing ${sourceName} from ${redactRemote(sourceConfig.remote)} (${refLabel})...`);
 
   const tmpDir = getSyncTempDir(sourceName, root);
   try {
@@ -55,19 +165,21 @@ async function syncRemoteSource(sourceName, sourceConfig, root) {
       await fsp.rm(tmpDir, { recursive: true, force: true });
     }
 
-    const cloneResult = spawnSync('git', [
-      'clone', '--depth', '1', '--branch', sourceConfig.ref,
-      '--single-branch', sourceConfig.remote, tmpDir,
-    ], { encoding: 'utf8', timeout: 300000, stdio: ['ignore', 'pipe', 'pipe'] });
+    const cloneResult = fetchSource(tmpDir, sourceConfig.remote, sourceConfig.ref, pinnedCommit);
 
     if (cloneResult.status !== 0) {
       console.error(`  Clone failed: ${cloneResult.stderr || cloneResult.error}`);
       return false;
     }
 
+    // Resolve the exact upstream commit this sync pulled (provenance + lock).
+    const headResult = spawnSync('git', ['-C', tmpDir, 'rev-parse', 'HEAD'], { encoding: 'utf8' });
+    const commit = headResult.status === 0 ? headResult.stdout.trim() : null;
+
     // Copy each declared artifact type
     const artifacts = sourceConfig.artifacts || ['skills'];
     const mapping = sourceConfig.mapping || {};
+    const provenance = {};
 
     for (const artifactType of artifacts) {
       const srcSubdir = mapping[artifactType] || artifactType;
@@ -85,6 +197,7 @@ async function syncRemoteSource(sourceName, sourceConfig, root) {
         const count = fs.statSync(destPath).isDirectory()
           ? fs.readdirSync(destPath).length : 1;
         console.log(`    ${artifactType}: ${count} items`);
+        provenance[artifactType] = hashTree(destPath);
       }
     }
 
@@ -100,11 +213,13 @@ async function syncRemoteSource(sourceName, sourceConfig, root) {
     }
 
     await fsp.mkdir(metadataDir, { recursive: true });
+    const syncedAt = new Date().toISOString();
     await fsp.writeFile(path.join(metadataDir, 'bundle.json'), JSON.stringify({
-      syncedAt: new Date().toISOString(),
+      syncedAt,
       sourceName,
-      remote: sourceConfig.remote,
+      remote: redactRemote(sourceConfig.remote),
       ref: sourceConfig.ref,
+      commit,
       kind: sourceConfig.kind || 'content-repo',
       harnesses: sourceConfig.harnesses || ['claude'],
       artifacts: sourceConfig.artifacts || [],
@@ -112,6 +227,19 @@ async function syncRemoteSource(sourceName, sourceConfig, root) {
       profiles: sourceConfig.profiles || [],
     }, null, 2) + '\n', 'utf8');
 
+    // Provenance: per-file content hashes + the resolved commit, so `source drift`
+    // can later distinguish local edits from upstream changes.
+    await fsp.writeFile(path.join(metadataDir, 'provenance.json'), JSON.stringify({
+      syncedAt,
+      sourceName,
+      remote: redactRemote(sourceConfig.remote),
+      ref: sourceConfig.ref,
+      commit,
+      artifacts: provenance,
+    }, null, 2) + '\n', 'utf8');
+
+    if (commit) console.log(`    commit: ${commit.slice(0, 12)}`);
+
     return true;
   } finally {
     if (fs.existsSync(tmpDir)) {
@@ -219,17 +347,21 @@ async function source(args, flags = {}) {
 
       const root = getProjectRoot();
       const targetName = args[1]; // optional: specific source name
+      const lock = flags.frozen ? readLock(root) : { sources: {} };
+      if (flags.frozen) console.log('(frozen: syncing to locked commits)\n');
       let success = true;
 
       for (const [name, src] of Object.entries(config.sources)) {
         if (name === 'local') continue; // local is in-repo, no sync needed
         if (targetName && name !== targetName) continue;
-        if (!flags.all && !targetName && !flags[name]) {
-          // Default: sync all remote sources
-        }
-
         if (!src.remote) continue;
-        const ok = await syncRemoteSource(name, src, root);
+
+        let pinnedCommit = null;
+        if (flags.frozen) {
+          pinnedCommit = (lock.sources[name] || {}).commit || null;
+          if (!pinnedCommit) console.log(`  ${name}: no lock entry, syncing ref tip`);
+        }
+        const ok = await syncRemoteSource(name, src, root, pinnedCommit);
         if (!ok) success = false;
         console.log('');
       }
@@ -251,6 +383,13 @@ async function source(args, flags = {}) {
         console.log(`[${name}] (priority ${src.priority})`);
         console.log(`  kind: ${src.kind || 'content-repo'}`);
         console.log(`  installMode: ${src.installMode || 'auto'}`);
+        const bundlePath = path.join(getSourceMetadataDir(name, root), 'bundle.json');
+        if (fs.existsSync(bundlePath)) {
+          try {
+            const bundle = JSON.parse(fs.readFileSync(bundlePath, 'utf8'));
+            if (bundle.commit) console.log(`  commit: ${bundle.commit.slice(0, 12)}`);
+          } catch { /* ignore unreadable bundle metadata */ }
+        }
         if (src.appliedProfile) {
           console.log(`  appliedProfile: ${src.appliedProfile}`);
         }
@@ -286,6 +425,118 @@ async function source(args, flags = {}) {
       break;
     }
 
+    case 'lock': {
+      const root = getProjectRoot();
+      const targetName = args[1];
+      const lock = readLock(root);
+      let locked = 0;
+      const missing = [];
+
+      for (const [name, src] of Object.entries(config.sources)) {
+        if (targetName && name !== targetName) continue;
+        if (!src.remote) continue;
+        const bundlePath = path.join(getSourceMetadataDir(name, root), 'bundle.json');
+        let commit = null;
+        if (fs.existsSync(bundlePath)) {
+          try { commit = JSON.parse(fs.readFileSync(bundlePath, 'utf8')).commit || null; } catch { /* ignore */ }
+        }
+        if (!commit) { missing.push(name); continue; }
+        // Preserve lockedAt when the commit hasn't changed, to avoid timestamp
+        // churn in the version-controlled lockfile.
+        const prev = lock.sources[name];
+        const lockedAt = (prev && prev.commit === commit && prev.lockedAt) ? prev.lockedAt : new Date().toISOString();
+        lock.sources[name] = { commit, ref: src.ref || 'main', lockedAt };
+        locked += 1;
+      }
+
+      if (targetName && !config.sources[targetName]) {
+        const validNames = Object.keys(config.sources).join(', ');
+        throw new Error(`Invalid source. Use: ${validNames}`);
+      }
+
+      await writeLock(root, { sources: lock.sources });
+      console.log(`Locked ${locked} source(s) → ${path.relative(root, getLockPath(root))}`);
+      for (const [name, entry] of Object.entries(lock.sources)) {
+        if (!targetName || name === targetName) console.log(`  ${name}: ${entry.commit.slice(0, 12)} (${entry.ref})`);
+      }
+      if (missing.length > 0) {
+        console.log(`  unlocked (no synced commit): ${missing.join(', ')} — run "omc-manage source sync" first`);
+      }
+      break;
+    }
+
+    case 'drift': {
+      const root = getProjectRoot();
+      const targetName = args[1];
+      const report = {};
+      let anyDrift = false;
+      let anyChecked = false;
+
+      for (const [name, src] of Object.entries(config.sources)) {
+        if (targetName && name !== targetName) continue;
+        if (name === 'local') continue; // in-repo, nothing to compare against
+        const provPath = path.join(getSourceMetadataDir(name, root), 'provenance.json');
+        if (!fs.existsSync(provPath)) {
+          report[name] = { status: 'no-provenance' };
+          continue;
+        }
+        let prov;
+        try {
+          prov = JSON.parse(fs.readFileSync(provPath, 'utf8'));
+        } catch {
+          report[name] = { status: 'corrupt-provenance' };
+          anyDrift = true; // integrity problem — fail CI like drift
+          continue;
+        }
+        anyChecked = true;
+        const perType = {};
+        let sourceDrift = false;
+        for (const artifactType of Object.keys(prov.artifacts || {})) {
+          const dir = getSourceArtifactDir(name, artifactType, root);
+          const delta = diffHashTrees(prov.artifacts[artifactType], hashTree(dir));
+          if (delta.added.length || delta.removed.length || delta.changed.length) {
+            perType[artifactType] = delta;
+            sourceDrift = true;
+          }
+        }
+        report[name] = { status: sourceDrift ? 'drift' : 'clean', commit: prov.commit, syncedAt: prov.syncedAt, drift: perType };
+        if (sourceDrift) anyDrift = true;
+      }
+
+      if (targetName && !(targetName in report)) {
+        const validNames = Object.keys(config.sources).join(', ');
+        throw new Error(`Invalid source. Use: ${validNames}`);
+      }
+
+      if (flags.json) {
+        console.log(JSON.stringify(report, null, 2));
+      } else {
+        console.log('Drift Report');
+        console.log('============');
+        for (const [name, r] of Object.entries(report)) {
+          if (r.status === 'no-provenance') {
+            console.log(`○ ${name}: no provenance (run "omc-manage source sync ${name}")`);
+            continue;
+          }
+          if (r.status === 'corrupt-provenance') {
+            console.log(`✗ ${name}: corrupt provenance (re-sync to repair)`);
+            continue;
+          }
+          const marker = r.status === 'drift' ? '✗' : '✓';
+          console.log(`${marker} ${name}: ${r.status}${r.commit ? ` @ ${r.commit.slice(0, 12)}` : ''}`);
+          for (const [type, delta] of Object.entries(r.drift || {})) {
+            for (const f of delta.changed) console.log(`    ~ ${type}/${f}`);
+            for (const f of delta.added) console.log(`    + ${type}/${f}`);
+            for (const f of delta.removed) console.log(`    - ${type}/${f}`);
+          }
+        }
+        if (!anyChecked) console.log('(no synced sources with provenance)');
+      }
+
+      if (anyDrift) process.exitCode = 1;
+      break;
+    }
+
     case 'inspect': {
       const name = args[1];
       if (!name || !config.sources[name]) {
@@ -332,7 +583,7 @@ async function source(args, flags = {}) {
     }
 
     default:
-      throw new Error(`Unknown subcommand: ${cmd}. Use: list, add, remove, set, sync, status, or inspect`);
+      throw new Error(`Unknown subcommand: ${cmd}. Use: list, add, remove, set, sync, lock, status, drift, or inspect`);
   }
 }
 

package/src/config/sources.js

@@ -6,6 +6,46 @@ const os = require('os');
 const CONFIG_DIR = path.join(os.homedir(), '.omc-manage');
 const CONFIG_PATH = path.join(CONFIG_DIR, 'sources.json');
 
+// Package root (src/config/sources.js → ../../). Holds the shipped .omc-curation
+// selection files that drive distribution-repo allowlists.
+const PKG_ROOT = path.resolve(__dirname, '..', '..');
+
+// The unified governance manifest: single authoritative source for cross-source
+// policy (per-source priority + allowlist, and conflict resolution). Cached per
+// process. Returns {} when absent so callers can fall back to legacy config.
+let _governanceCache;
+function loadGovernance() {
+  if (_governanceCache !== undefined) return _governanceCache;
+  try {
+    const data = JSON.parse(fs.readFileSync(path.join(PKG_ROOT, '.omc-curation', 'governance.json'), 'utf8'));
+    if (data && typeof data === 'object') {
+      _governanceCache = data;
+      return data;
+    }
+  } catch { /* fall through */ }
+  // Don't cache a missing/unreadable result — a transient failure shouldn't
+  // poison the manifest for the rest of the process.
+  return {};
+}
+
+// Load a source's curated allowlist from the in-repo .omc-curation/<name>-selection.json.
+// This is the single source of truth shared by `plan apply` (maintainer) and the
+// end-user default config below — no hardcoded duplicate that could drift.
+function loadCurationAllowlist(sourceName) {
+  const selectionPath = path.join(PKG_ROOT, '.omc-curation', `${sourceName}-selection.json`);
+  try {
+    const data = JSON.parse(fs.readFileSync(selectionPath, 'utf8'));
+    if (!data || typeof data !== 'object') return undefined;
+    const allowlist = {};
+    for (const type of ['skills', 'agents', 'commands', 'hooks']) {
+      if (Array.isArray(data[type]) && data[type].length > 0) allowlist[type] = data[type];
+    }
+    return Object.keys(allowlist).length > 0 ? allowlist : undefined;
+  } catch {
+    return undefined;
+  }
+}
+
 const DEFAULT_DISTRIBUTION_MANIFESTS = [
   'package.json',
   '.claude-plugin/plugin.json',
@@ -55,6 +95,21 @@ function getDefaultConfig() {
         harnesses: ['claude'],
         profiles: DEFAULT_INSTALL_PROFILES,
       },
+      ecc: {
+        remote: 'https://github.com/affaan-m/everything-claude-code.git',
+        ref: 'main',
+        priority: 4,
+        artifacts: ['agents', 'commands', 'skills'],
+        kind: 'distribution-repo',
+        installMode: 'auto',
+        harnesses: ['claude'],
+        manifests: ['plugin.json', 'marketplace.json', '.claude-plugin/marketplace.json'],
+        // Allowlist is applied generically in normalizeSourceConfig from
+        // .omc-curation/ecc-selection.json (a fresh install gets the vetted
+        // slice, not all 251 skills / 63 agents) — same path as every source.
+        appliedProfile: 'claude-runtime',
+        profiles: DEFAULT_INSTALL_PROFILES,
+      },
       'anthropic-skills': {
         remote: 'https://github.com/anthropics/skills.git',
         ref: 'main',
@@ -114,7 +169,17 @@ function normalizeSourceConfig(name, source) {
     ? DEFAULT_DISTRIBUTION_MANIFESTS
     : []));
   source.profiles = dedupeStrings(source.profiles || DEFAULT_INSTALL_PROFILES);
-  source.allowlist = normalizeAllowlist(source.allowlist);
+
+  // Unified governance.json is the authoritative cross-source policy.
+  const govSource = (loadGovernance().sources || {})[name] || {};
+  // Priority: governance wins when it declares one (single source of truth).
+  if (typeof govSource.priority === 'number') source.priority = govSource.priority;
+  // Allowlist authority: explicit config (e.g. `plan apply`) > governance.json
+  // inline allowlist > per-source .omc-curation/<name>-selection.json > none
+  // (no allowlist → install everything).
+  source.allowlist = normalizeAllowlist(source.allowlist)
+    || normalizeAllowlist(govSource.allowlist)
+    || normalizeAllowlist(loadCurationAllowlist(name));
 
   if (source.role === 'reference' && !source.profiles.includes('reference-only')) {
     source.profiles.push('reference-only');
@@ -249,6 +314,7 @@ module.exports = {
   updateSource,
   getSourceAllowlist,
   filterItemsByAllowlist,
+  loadGovernance,
   normalizeConfig,
   normalizeSourceConfig,
   DEFAULT_DISTRIBUTION_MANIFESTS,

package/src/merge/content-patch.js

@@ -0,0 +1,84 @@
+'use strict';
+
+// Content-level patching for installed artifacts. A patch is declared inline in
+// governance.json under sources.<name>.patches["<type>/<artifact>"] and is
+// applied at install time, after the winning source is chosen and before the
+// file is written to ~/.claude. Markdown + YAML-frontmatter aware.
+//
+// Patch ops (all optional, applied in this order):
+//   frontmatter: { key: value }   merge/override scalar frontmatter keys
+//   replace:     [{ find, with }] literal string replacements in the body
+//   prepend:     "text"           prepended to the body
+//   append:      "text"           appended to the body
+
+function escapeRegExp(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+function splitFrontmatter(content) {
+  // CRLF-tolerant: match \r?\n so Windows-authored artifacts are parsed as
+  // frontmatter rather than slipping through as body (which would then get a
+  // second, duplicate frontmatter block prepended by a frontmatter patch).
+  const m = content.match(/^---\r?\n([\s\S]*?)\r?\n---[ \t]*\r?\n?/);
+  if (!m) return { frontmatter: null, body: content };
+  // Normalize CRs in the frontmatter block (we re-emit it as \n-joined lines);
+  // the body is left byte-for-byte so user content keeps its own line endings.
+  return { frontmatter: m[1].replace(/\r/g, ''), body: content.slice(m[0].length) };
+}
+
+// Serialize a scalar for a simple `key: value` frontmatter line, quoting only
+// when the value would otherwise break a bare YAML scalar.
+function serializeScalar(value) {
+  if (typeof value === 'number' || typeof value === 'boolean') return String(value);
+  const s = String(value);
+  if (s === '' || s.trim() !== s || /[:#"'\n[\]{}&*!|>%@`]/.test(s)) {
+    return JSON.stringify(s); // valid double-quoted YAML, escapes as needed
+  }
+  return s;
+}
+
+// Line-based override of scalar frontmatter keys: replace the key's line if
+// present, else append it. Deliberately scalar-only — nested/list overrides
+// are out of scope and should use `replace`.
+function mergeFrontmatter(block, overrides) {
+  let next = block || '';
+  for (const [key, value] of Object.entries(overrides)) {
+    const line = `${key}: ${serializeScalar(value)}`;
+    const re = new RegExp(`^${escapeRegExp(key)}\\s*:.*$`, 'm');
+    if (re.test(next)) next = next.replace(re, line);
+    else next = next ? `${next}\n${line}` : line;
+  }
+  return next;
+}
+
+// Apply a patch spec to file content. Returns { content, warnings }.
+// Unknown/empty patch → content unchanged.
+function applyContentPatch(content, patch) {
+  const warnings = [];
+  if (!patch || typeof patch !== 'object') return { content, warnings };
+
+  let { frontmatter, body } = splitFrontmatter(content);
+
+  if (patch.frontmatter && typeof patch.frontmatter === 'object') {
+    frontmatter = mergeFrontmatter(frontmatter, patch.frontmatter);
+  }
+
+  if (Array.isArray(patch.replace)) {
+    for (const rule of patch.replace) {
+      if (!rule || typeof rule.find !== 'string' || rule.find === '') continue;
+      if (!body.includes(rule.find)) {
+        warnings.push(`replace target not found: ${JSON.stringify(rule.find.slice(0, 40))}`);
+        continue;
+      }
+      body = body.split(rule.find).join(rule.with == null ? '' : String(rule.with));
+    }
+  }
+
+  if (typeof patch.prepend === 'string') body = patch.prepend + body;
+  if (typeof patch.append === 'string') body = body + patch.append;
+
+  const out = frontmatter != null ? `---\n${frontmatter}\n---\n${body}` : body;
+  return { content: out, warnings };
+}
+
+module.exports = { applyContentPatch };

package/templates/merge-config.json

@@ -1,12 +1,5 @@
 {
-  "merge_strategy": "version-priority",
-  "auto_merge": true,
-  "allow_namespacing": false,
-  "sources": [
-    { "name": "local", "priority": 1 },
-    { "name": "oh-my-claudecode", "priority": 2 },
-    { "name": "superpowers", "priority": 3 }
-  ],
+  "_comment": "DEPRECATED — superseded by .omc-curation/governance.json (the unified authority for priority + allowlist + conflict). Kept only as a fallback for the conflict block (preferences/exclude) when governance.json declares none. Priority now lives solely in governance.json / the source config, not here.",
   "preferences": {},
   "exclude": {
     "skills": [

package/bundled/upstream/ecc/skills/strategic-compact/suggest-compact.sh

@@ -1,54 +0,0 @@
-#!/bin/bash
-# Strategic Compact Suggester
-# Runs on PreToolUse or periodically to suggest manual compaction at logical intervals
-#
-# Why manual over auto-compact:
-# - Auto-compact happens at arbitrary points, often mid-task
-# - Strategic compacting preserves context through logical phases
-# - Compact after exploration, before execution
-# - Compact after completing a milestone, before starting next
-#
-# Hook config (in ~/.claude/settings.json):
-# {
-#   "hooks": {
-#     "PreToolUse": [{
-#       "matcher": "Edit|Write",
-#       "hooks": [{
-#         "type": "command",
-#         "command": "~/.claude/skills/strategic-compact/suggest-compact.sh"
-#       }]
-#     }]
-#   }
-# }
-#
-# Criteria for suggesting compact:
-# - Session has been running for extended period
-# - Large number of tool calls made
-# - Transitioning from research/exploration to implementation
-# - Plan has been finalized
-
-# Track tool call count (increment in a temp file)
-# Use CLAUDE_SESSION_ID for session-specific counter (not $$ which changes per invocation)
-SESSION_ID="${CLAUDE_SESSION_ID:-${PPID:-default}}"
-COUNTER_FILE="/tmp/claude-tool-count-${SESSION_ID}"
-THRESHOLD=${COMPACT_THRESHOLD:-50}
-
-# Initialize or increment counter
-if [ -f "$COUNTER_FILE" ]; then
-  count=$(cat "$COUNTER_FILE")
-  count=$((count + 1))
-  echo "$count" > "$COUNTER_FILE"
-else
-  echo "1" > "$COUNTER_FILE"
-  count=1
-fi
-
-# Suggest compact after threshold tool calls
-if [ "$count" -eq "$THRESHOLD" ]; then
-  echo "[StrategicCompact] $THRESHOLD tool calls reached - consider /compact if transitioning phases" >&2
-fi
-
-# Suggest at regular intervals after threshold
-if [ "$count" -gt "$THRESHOLD" ] && [ $((count % 25)) -eq 0 ]; then
-  echo "[StrategicCompact] $count tool calls - good checkpoint for /compact if context is stale" >&2
-fi