codymaster 4.4.3 → 4.4.5

package/CHANGELOG.md

@@ -4,6 +4,23 @@ All notable changes to this project will be documented in this file.
 
 Categories: 🚀 **Improvements** | 🐛 **Bug Fixes** | 🔒 **Security**
 
+## [4.4.3] - 2026-03-29
+
+### 🚀 Improvements — The Self-Healing Update
+
+- **68+ Skill Milestone** — CodyMaster arsenal grows from 60+ to 68+ battle-tested skills with 8 new capabilities.
+- **🧬 Self-Healing AI Pipeline** — Skills now monitor, score, and auto-repair themselves:
+  - `cm-skill-health` — Real-time quality monitoring with SQLite-backed metrics dashboard (invocations, success rate, token usage, health scores).
+  - `cm-skill-evolution` — 3-mode evolution engine (FIX/DERIVED/CAPTURED) with version DAG and lineage tracking. Auto-patches degraded skills.
+  - `cm-skill-search` — BM25 + health-score ranking for intelligent skill discovery.
+  - `cm-skill-share` — Export/import skills across teams and machines with version integrity.
+- **🏢 cm-frappe-agent** — Full-stack Frappe/ERPNext development agent with 7-layer architecture: doctypes, workflows, REST APIs, permissions, fixtures, performance optimization, and production deploys.
+- **🚀 Growth Hacking Engine** — `cm-growth-hacking` generates complete conversion systems (Bottom Sheet + Calendar CTA + Tracking) with industry auto-detection.
+- **cm-auto-publisher** — Publishing automation bridge: AI agents → Content Factory Router → any Astro site.
+- **cm-clean-code** — TRIZ-powered code hygiene gate: dead code detection, duplicate elimination, naming analysis.
+- **cm-reactor** — Strategic codebase re-direction when requirements change or tech debt blocks progress.
+- **Documentation Overhaul** — README (all 6 languages), CHANGELOG, and new Self-Healing AI deep-dive doc updated.
+
 ## [4.4.2] - 2026-03-29
 
 ### 🚀 Improvements

package/README.md

@@ -6,11 +6,11 @@
 
 ### Your AI Agent is smart. CodyMaster makes it *wise*.
 
-**60+ Skills · 11 Commands · 1 Plugin · 7+ Platforms · 6 Languages**
+**68+ Skills · 11 Commands · 1 Plugin · 7+ Platforms · 6 Languages**
 
 <p align="center">
-  <img alt="Version" src="https://img.shields.io/badge/version-4.3.0-blue.svg?cacheSeconds=2592000" />
-  <img alt="Skills" src="https://img.shields.io/badge/skills-60+-success.svg" />
+  <img alt="Version" src="https://img.shields.io/badge/version-4.4.3-blue.svg?cacheSeconds=2592000" />
+  <img alt="Skills" src="https://img.shields.io/badge/skills-68+-success.svg" />
   <img alt="Platforms" src="https://img.shields.io/badge/platforms-7+-orange.svg" />
   <img alt="Open Source" src="https://img.shields.io/badge/license-MIT-purple.svg" />
   <a href="https://github.com/tody-agent/codymaster#readme" target="_blank">
@@ -58,29 +58,30 @@ But then reality hits:
 
 ## 🟢 The Solution: An Entire Senior Team in One Kit
 
-CodyMaster isn't just "another AI skills pack." It's **10+ years of product management experience + 6 months of battle-tested vibe coding**, distilled into 60+ interconnected skills that work as a **single integrated system**.
+CodyMaster isn't just "another AI skills pack." It's **10+ years of product management experience + 6 months of battle-tested vibe coding**, distilled into 68+ interconnected skills that work as a **single integrated system**.
 
 When you install CodyMaster, you're not adding skills.
 **You're hiring an entire senior team:**
 
 ```mermaid
 graph TD
-    A["🧠 CodyMaster Kit"] --> B["👨‍💻 Senior Developer<br/><i>cm-tdd · cm-debugging · cm-code-review</i>"]
+    A["🧠 CodyMaster Kit"] --> B["👨‍💻 Senior Developer<br/><i>cm-tdd · cm-debugging · cm-code-review · cm-clean-code</i>"]
     A --> C["🎨 UX Lead<br/><i>cm-design-system · cm-ux-master · cm-ui-preview</i>"]
     A --> D["📋 Product Manager<br/><i>cm-planning · cm-brainstorm-idea · cm-jtbd</i>"]
     A --> E["🔒 DevOps Engineer<br/><i>cm-safe-deploy · cm-secret-shield · cm-security-gate · cm-identity-guard</i>"]
-    A --> F["📝 Technical Writer<br/><i>cm-dockit · cm-content-factory</i>"]
-    A --> G["📈 Growth Marketer<br/><i>cm-ads-tracker · cro-methodology</i>"]
+    A --> F["📝 Technical Writer<br/><i>cm-dockit · cm-content-factory · cm-auto-publisher</i>"]
+    A --> G["📈 Growth Marketer<br/><i>cm-ads-tracker · cm-cro-methodology · cm-growth-hacking</i>"]
+    A --> H["🏭 Enterprise Dev<br/><i>cm-frappe-agent · cm-booking-calendar · cm-google-form</i>"]
     style A fill:#fbc531,stroke:#e1b12c,color:#2f3640,stroke-width:3px
     classDef team fill:#2f3640,stroke:#dcdde1,stroke-width:1px,color:#fff;
-    class B,C,D,E,F,G team;
+    class B,C,D,E,F,G,H team;
 ```
 
 ---
 
 ## ⚡ What Makes CodyMaster Different
 
-Other skill packs give you loose tools. CodyMaster gives you an **interconnected operating system** for your AI. CodyMaster provides 60+ skills that chain, share memory, and communicate.
+Other skill packs give you loose tools. CodyMaster gives you an **interconnected operating system** for your AI — 68+ skills that chain, share memory, and communicate like a real team.
 
 ### 🔄 Full Lifecycle Coverage (Idea → Production)
 
@@ -174,20 +175,39 @@ Need to scale content? **`cm-content-factory`** is a self-learning, multi-agent
 
 Track it all on the **Visual Dashboard** (`cm-dashboard`): No more guessing. Track every task, every agent, every deployment on a real-time Kanban board. Pipeline progress, token tracker, event log — all on one screen.
 
+### 🧬 Self-Healing AI (Skills That Fix Themselves)
+
+CodyMaster doesn't just run skills — it **watches them, scores them, and heals them automatically.**
+
+- **`cm-skill-health`** monitors every invocation: success rate, token usage, error patterns.
+- **`cm-skill-evolution`** auto-patches degraded skills (Mode: FIX) when health scores drop below threshold.
+- **`cm-skill-search`** uses BM25 ranking to find the right skill for any task.
+- **`cm-skill-share`** exports & imports skills across teams and machines.
+
+> **Think of it like an immune system for your AI toolkit.** Skills that break get healed. Skills that work well get reinforced. Dead skills get archived.
+
+### 🏢 Enterprise-Ready: Frappe/ERPNext Full-Stack
+
+Building on Frappe Framework? **`cm-frappe-agent`** is a 7-layer architecture agent covering the entire Frappe lifecycle — from `bench new-app` to production deploys. Custom doctypes, workflows, REST APIs, permissions, fixtures, and performance optimization — all battle-tested.
+
+### 🚀 Growth Hacking Engine
+
+Need popups, booking flows, or lead capture? **`cm-growth-hacking`** generates complete conversion systems: Bottom Sheet + Calendar CTA + Tracking. Auto-detects industry, selects the right pattern, wires up **`cm-booking-calendar`** for appointments and **`cm-ads-tracker`** for pixel tracking. Zero dependencies.
+
 ---
 
 ## 🆚 Scattered Skills vs CodyMaster
 
 |                            | 😵 15 Random Skills                         | 🧠 CodyMaster                                                         |
 | -------------------------- | ------------------------------------------- | --------------------------------------------------------------------- |
-| **Integration**      | Each skill is standalone, no shared context | 60+ skills that chain, share memory, and communicate                   |
+| **Integration**      | Each skill is standalone, no shared context | 68+ skills that chain, share memory, and communicate                   |
 | **Lifecycle**        | Covers coding only                          | Covers Idea → Design → Code → Test → Deploy → Docs → Learn      |
 | **Memory**           | Forgets everything between sessions         | 5-tier Unified Brain: Sensory → Working → Long-term → Semantic → Structural + Cloud Brain  |
 | **Safety**           | YOLO deploys                                | 4-layer protection: TDD → Security → Isolation → Multi-gate deploy |
 | **Design**           | Random UI every time                        | Extracts & enforces design system + visual preview                    |
 | **Documentation**    | "Maybe write a README later"                | Auto-generates complete docs, SOPs, API refs from code                |
-| **Self-improvement** | Static — what you install is what you get  | Learns from mistakes, auto-discovers new skills, gets smarter daily   |
-| **Maintenance**      | Update 15 repos separately                  | One `git pull` updates everything                                   |
+| **Self-improvement** | Static — what you install is what you get  | Self-healing: monitors health → auto-patches → reinforces winners   |
+| **Maintenance**      | Update 15 repos separately                  | One `npm i -g codymaster` updates everything                        |
 
 ---
 
@@ -218,7 +238,7 @@ If you prefer:
 
 ### 1. Install AI Skills (All Platforms)
 
-One command installs all 60+ skills to your environment. Supports Claude Code, Gemini CLI, Cursor, Aider, Windsurf, Cline, OpenCode, and more:
+One command installs all 68+ skills to your environment. Supports Claude Code, Gemini CLI, Cursor, Aider, Windsurf, Cline, OpenCode, and more:
 
 ```bash
 bash <(curl -fsSL https://raw.githubusercontent.com/tody-agent/codymaster/main/install.sh) --all
@@ -256,16 +276,18 @@ The CLI will greet you and keep you organized on your long coding sessions!
 
 ---
 
-## 🧰 The 60+ Skill Arsenal
+## 🧰 The 68+ Skill Arsenal
 
 | Domain                    | Skills                                                                                                                                                          |
 | ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🔧**Engineering**   | `cm-tdd` `cm-debugging` `cm-quality-gate` `cm-test-gate` `cm-code-review`                                                                             |
-| ⚙️**Operations**  | `cm-safe-deploy` `cm-identity-guard` `cm-secret-shield` `cm-security-gate` `cm-git-worktrees` `cm-terminal` `cm-safe-i18n`                                             |
-| 🎨**Product & UX**  | `cm-planning` `cm-design-system` `cm-ux-master` `cm-ui-preview` `cm-project-bootstrap` `cm-jtbd` `cm-brainstorm-idea` `cm-dockit` `cm-readit` |
-| 📈**Growth/CRO**    | `cm-content-factory` `cm-ads-tracker` `cro-methodology`                                                                                                   |
-| 🎯**Orchestration** | `cm-execution` `cm-continuity` `cm-skill-chain` `cm-skill-mastery` `cm-skill-index` `cm-deep-search` `cm-how-it-work` `cm-notebooklm`             |
-| 🖥️**Workflow**    | `cm-start` `cm-dashboard` `cm-status`                                                                                                                     |
+| 🔧 **Engineering**   | `cm-tdd` `cm-debugging` `cm-quality-gate` `cm-test-gate` `cm-code-review` `cm-clean-code`                                                                             |
+| ⚙️ **Operations**  | `cm-safe-deploy` `cm-identity-guard` `cm-secret-shield` `cm-security-gate` `cm-git-worktrees` `cm-terminal` `cm-safe-i18n`                                             |
+| 🎨 **Product & UX**  | `cm-planning` `cm-design-system` `cm-ux-master` `cm-ui-preview` `cm-project-bootstrap` `cm-jtbd` `cm-brainstorm-idea` `cm-dockit` `cm-readit` |
+| 📈 **Growth & CRO**    | `cm-content-factory` `cm-auto-publisher` `cm-ads-tracker` `cm-cro-methodology` `cm-growth-hacking` `cm-booking-calendar` `cm-google-form`                                                                                                   |
+| 🏢 **Enterprise**  | `cm-frappe-agent` `cm-reactor` `cm-notebooklm`                                                                                                  |
+| 🧬 **Self-Healing**   | `cm-skill-health` `cm-skill-evolution` `cm-skill-search` `cm-skill-share` `cm-skill-chain` `cm-skill-mastery` `cm-skill-index`             |
+| 🎯 **Orchestration** | `cm-execution` `cm-continuity` `cm-deep-search` `cm-codeintell` `cm-how-it-work`             |
+| 🖥️ **Workflow**    | `cm-start` `cm-dashboard` `cm-status`                                                                                                                     |
 
 ---
 
@@ -277,7 +299,7 @@ cm task add "..." → Add a task
 cm task list      → View tasks
 cm status         → Project health
 cm dashboard      → Open Mission Control
-cm list           → Browse 60+ skills
+cm list           → Browse 68+ skills
 cm profile        → Your stats & achievements
 cm deploy <env>   → Record deployment
 ```
@@ -298,7 +320,7 @@ cm deploy <env>   → Record deployment
 
 **Tody Le** — Head of Product with 10+ years of experience. Can't write code. Used AI to build real products for 6 months straight. Every skill in this kit was born from a real failure that cost real time and real tears.
 
-> *"60+ skills. Each skill is a lesson. Each lesson is a sleepless night. And now, you don't have to go through those nights."*
+> *"68+ skills. Each skill is a lesson. Each lesson is a sleepless night. And now, you don't have to go through those nights."*
 
 📖 [Read the full story →](https://cody.todyle.com/story)
 
@@ -308,7 +330,7 @@ cm deploy <env>   → Record deployment
 
 - 🌍 [Website](https://cody.todyle.com) — Overview & demos
 - 📖 [Documentation](https://cody.todyle.com/docs) — Full deep-dive
-- 🛠️ [Skills Reference](skills/) — Browse all 60+ SKILL.md files
+- 🛠️ [Skills Reference](skills/) — Browse all 68+ SKILL.md files
 - 📖 [Our Story](https://cody.todyle.com/story) — Why this exists
 
 ---

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "codymaster",
-  "version": "4.4.3",
-  "description": "65 Skills. Ship 10x faster. AI-powered coding skill kit for Claude, Cursor, Gemini & more.",
+  "version": "4.4.5",
+  "description": "68+ Skills. Ship 10x faster. AI-powered coding skill kit for Claude, Cursor, Gemini & more.",
   "main": "dist/index.js",
   "repository": {
     "type": "git",
@@ -73,5 +73,8 @@
     "ts-node": "^10.9.2",
     "typescript": "^5.9.3",
     "vitest": "^4.1.0"
+  },
+  "overrides": {
+    "path-to-regexp": "^8.4.0"
   }
 }

package/skills/cm-quality-gate/SKILL.md

@@ -186,7 +186,17 @@ After ANY gate fails, **FIRST run Memory Integrity Check:**
 | `cm-identity-guard` | Verify identity before using quality gate to ship |
 | `cm-tdd` | TDD creates the logic for Layer 3 |
 | `cm-safe-i18n` | Leverages Layer 4 for parity checks |
+| `cm-security-gate` | **PRE-REQUISITE for production:** Security scan (Snyk + Aikido) PASS must be in deployment evidence. No production deploy without security clearance. |
+
+## Evidence Requirements for Production Deploy
+
+| Evidence | Command | Required |
+|----------|---------|----------|
+| Test suite passes | `npm run test:gate` | ✅ Always |
+| Build succeeds | `npm run build` | ✅ Always |
+| Security scan passes | `snyk test && aikido-api-client scan-release ...` | ✅ For production / public releases |
+| i18n parity | Included in test:gate | ✅ If multilingual |
 
 ## The Bottom Line
 
-**Test before deploy. Evidence before claims. Safety before shipping. Non-negotiable.**
+**Test before deploy. Scan before release. Evidence before claims. Safety before shipping. Non-negotiable.**

package/skills/cm-safe-deploy/SKILL.md

@@ -31,12 +31,13 @@ SYNTAX CHECK IS GATE 1. IF IT FAILS, NOTHING ELSE RUNS.
 - After a production incident caused by untested code
 - Adding CI/CD to an existing project
 
-## The 7-Gate Pipeline
+## The 8-Gate Pipeline
 
 ```dot
 digraph pipeline {
     rankdir=LR;
     gate0 [label="Gate 0\nSecret\nHygiene", shape=box, style=filled, fillcolor="#ffc0cb"];
+    gate05 [label="Gate 0.5\nSecurity\nScan", shape=box, style=filled, fillcolor="#f0b3ff"];
     gate1 [label="Gate 1\nSyntax", shape=box, style=filled, fillcolor="#ffcccc"];
     gate2 [label="Gate 2\nTest\nSuite", shape=box, style=filled, fillcolor="#ffe0cc"];
     gate3 [label="Gate 3\ni18n\nParity", shape=box, style=filled, fillcolor="#e0ccff"];
@@ -45,8 +46,10 @@ digraph pipeline {
     gate6 [label="Gate 6\nDeploy +\nSmoke", shape=box, style=filled, fillcolor="#cce5ff"];
     fail [label="STOP\nFix first", shape=box, style=filled, fillcolor="#ff9999"];
 
-    gate0 -> gate1 [label="pass"];
+    gate0 -> gate05 [label="pass"];
     gate0 -> fail [label="fail"];
+    gate05 -> gate1 [label="pass"];
+    gate05 -> fail [label="fail"];
     gate1 -> gate2 [label="pass"];
     gate1 -> fail [label="fail"];
     gate2 -> gate3 [label="pass"];
@@ -165,6 +168,39 @@ wrangler secret put SUPABASE_SERVICE_KEY
 
 ---
 
+### Gate 0.5: Security Scan (Snyk + Aikido — Parallel)
+
+> [!IMPORTANT]
+> **CodyMaster internal:** This gate is MANDATORY. Both Snyk and Aikido must pass.
+> **User projects:** This gate is SUGGESTED by default. Becomes MANDATORY if CVEs or risk flags were detected during development.
+
+**Run both scanners in parallel:**
+
+```bash
+# Snyk — dependency vulnerabilities
+snyk test
+
+# Aikido — SAST + dependencies + secrets + IaC
+aikido-api-client scan-release <repo> $(git rev-parse HEAD) \
+  --minimum-severity-level="HIGH"
+```
+
+**For CodyMaster (maximum strictness):**
+```bash
+aikido-api-client scan-release <repo> $(git rev-parse HEAD) \
+  --minimum-severity-level="HIGH" \
+  --fail-on-sast-scan \
+  --fail-on-secrets-scan
+```
+
+**Gate decision:**
+- Both pass → proceed to Gate 1
+- Either fails → **STOP. Fix before continuing.** Invoke `cm-security-gate` for remediation.
+
+> See `cm-security-gate` for full setup, flag reference, and remediation workflow.
+
+---
+
 ### Gate 1: Syntax Validation (FAST FAIL)
 
 > [!IMPORTANT]

package/skills/cm-security-gate/SKILL.md

@@ -1,10 +1,23 @@
 ---
-description: Pre-production security audit. Run vulnerability scans using Snyk and set up automated GitHub security checks with Jules.
+description: Pre-production security audit and vulnerability scanning. Run Snyk + Aikido dependency scans, OWASP analysis, and set up automated GitHub security checks with Jules. Use when asked to 'run security check', 'security audit', 'kiểm tra bảo mật', 'vulnerability scan', 'Snyk', 'OWASP', or before open-sourcing / commercializing a project.
 ---
-# cm-security-gate — Pre-production Vulnerability Audit
+# cm-security-gate — Mandatory Security Audit & Vulnerability Gate
 
 > **No code goes public without a security pass.**
-> This skill is the **SUPPLEMENTARY FINAL GATE** before making a project public, commercializing, or open-sourcing.
+> **No CodyMaster release ships without Snyk + Aikido green.**
+
+## Enforcement Policy
+
+| Context | Level | What Happens |
+|---------|-------|-------------|
+| **CodyMaster internal** | 🔴 MANDATORY | Both Snyk + Aikido MUST pass. No deploy, no PR merge without green. |
+| **User projects (normal)** | 🟡 SUGGESTED | Recommend scanning, provide easy commands. User may skip. |
+| **User projects (risk detected)** | 🔴 ESCALATED MANDATORY | If CVEs found, errors hit, or risk flags raised → block until resolved. |
+
+> [!CAUTION]
+> **The Escalation Rule:** When a user encounters security errors, CVE warnings, or suspicious dependency behavior during development, the agent MUST escalate from "suggested" to "mandatory" — triggering the full Snyk + Aikido scan before any further deploy or push.
+
+---
 
 ## When to Use
 
@@ -13,23 +26,56 @@ description: Pre-production security audit. Run vulnerability scans using Snyk a
 - Preparing to open-source a repository or launch a commercial product
 - Adding major third-party dependencies
 - The project is graduating from alpha/beta to a wider release
+- A user encounters CVE warnings, npm audit alerts, or suspicious dependency behavior
+- Before any CodyMaster release or PR merge
 
 **Skip when:**
-- Doing quick local prototyping
-- Exploring ideas without real user data or production intent
+- Doing quick local prototyping with no real user data
+- Exploring ideas without production intent
 
 ---
 
 ## Core Capabilities
 
-1. **Snyk CLI & Aikido CLI Integration:** Scans for known vulnerabilities in open-source dependencies (e.g., `npm`, `pip`, `yarn`, `cargo`) and performs parallel release/PR scanning (SAST, IaC, Secrets).
-2. **Jules CI/CD Recommendation:** Recommends integrating continuous automated security analysis via GitHub.
+1. **Aikido MCP Server:** Real-time scanning of AI-generated code inside the IDE (vulnerabilities + secrets)
+2. **Snyk CLI:** Dependency vulnerability scanning (`npm`, `pip`, `yarn`, `cargo`)
+3. **Aikido CLI:** SAST, IaC, Secrets, and Dependency scanning with release/PR gating
+4. **Continuous Monitoring:** Snyk dashboard + Aikido dashboard for ongoing protection
+5. **Jules CI/CD:** Automated security analysis via GitHub on every commit
 
 ---
 
 ## The Process
 
-### Phase 1: Preparation (Tooling Check)
+### Phase 0: Aikido MCP Setup (IDE-Level Real-Time Scanning)
+
+> [!IMPORTANT]
+> **One-time setup.** Once configured, every AI coding session automatically scans generated code for vulnerabilities and hardcoded secrets — BEFORE the code is even committed.
+
+**Step 1:** Create a Personal Access Token at [Aikido Settings → IDE → MCP](https://app.aikido.dev/settings/integrations/ide/mcp)
+
+**Step 2:** Install Aikido MCP server:
+```bash
+# For Antigravity / Gemini CLI
+gemini mcp add aikido \
+  --env AIKIDO_API_KEY=YOUR_TOKEN \
+  npx -y @aikidosec/mcp
+```
+
+**Step 3:** Download the Aikido agent rule:
+```bash
+mkdir -p ~/.gemini/skills/
+curl -fsSL "https://gist.githubusercontent.com/kidk/aa48cad6db80ba4a38493016aae67712/raw/3644397b7df43423e3da06434491b40bbb79dd47/aikido-rule.txt" \
+  -o ~/.gemini/skills/aikido-rule.txt
+```
+
+**Step 4:** Restart Antigravity IDE. Aikido MCP is now active.
+
+> **What this gives you:** Deterministic, independent security checks on EVERY AI-generated snippet. Not a replacement for CLI scanning — this is the first line of defense, catching issues at write-time.
+
+---
+
+### Phase 1: Preparation (CLI Tooling Check)
 
 Verify if the Snyk CLI and Aikido CLI are available:
 ```bash
@@ -37,19 +83,24 @@ which snyk
 which aikido-api-client
 ```
 
-**If Snyk is NOT installed**, provide installation instructions before proceeding:
+**If Snyk is NOT installed:**
 - **macOS (Homebrew):** `brew tap snyk/tap && brew install snyk`
 - **npm:** `npm install -g snyk`
-- Ensure the user authenticates via `snyk auth` after installation.
+- Authenticate: `snyk auth`
 
-**If Aikido CLI is NOT installed**, provide installation instructions:
+**If Aikido CLI is NOT installed:**
 - **npm:** `npm install -g @aikidosec/ci-api-client`
-- Tell the user to authenticate globally: `aikido-api-client apikey <API-KEY>`
-- *Note: API keys are found at [Aikido Integration Settings](https://app.aikido.dev/settings/integrations/continuous-integration).*
+- Set API key: `aikido-api-client apikey <API-KEY>`
+- *API keys: [Aikido CI Integration Settings](https://app.aikido.dev/settings/integrations/continuous-integration)*
+
+> [!WARNING]
+> **Two different API keys!** Aikido MCP (real-time IDE scanning) uses a *Personal Access Token*. Aikido CLI (release/PR gating) uses a *CI API key*. Don't mix them.
+
+---
 
 ### Phase 2: Execution (Parallel Vulnerability Scan)
 
-Execute security scanning using both tools. They should be run in parallel to save time.
+Execute both tools **in parallel** to save time:
 
 **1. Snyk Dependency Scan:**
 ```bash
@@ -58,20 +109,66 @@ snyk test
 
 **2. Aikido Release Scan:**
 ```bash
-aikido-api-client scan-release <repository_id or repository_name> <commit_id> --minimum-severity-level="HIGH"
+aikido-api-client scan-release <repository_id_or_name> <commit_id> \
+  --minimum-severity-level="HIGH"
 ```
-*(Tip: You can add `--fail-on-secrets-scan` or `--fail-on-sast-scan` depending on the project type).*
 
-Analyze the output from both tools:
+#### Aikido Scan Flags Reference
+
+| Flag | Purpose |
+|------|---------|
+| `--minimum-severity-level` | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` — set the minimum severity that triggers a failure |
+| `--fail-on-sast-scan` | Fail if SAST (Static Analysis) issues are found |
+| `--fail-on-iac-scan` | Fail if Infrastructure as Code misconfigurations are found |
+| `--fail-on-secrets-scan` | Fail if hardcoded secrets are detected |
+
+#### CodyMaster Internal (Maximum Strictness)
+```bash
+aikido-api-client scan-release <repo> <commit> \
+  --minimum-severity-level="HIGH" \
+  --fail-on-sast-scan \
+  --fail-on-secrets-scan
+```
+
+#### User Projects (Standard)
+```bash
+aikido-api-client scan-release <repo> <commit> \
+  --minimum-severity-level="HIGH"
+```
+
+#### Analyzing Results
 - **Critical/High:** Must be resolved before making the project public.
 - **Medium/Low:** Document as technical debt or evaluate for false positives.
 - Run `snyk monitor` if the user wants continuous monitoring on the Snyk dashboard.
 
-### Phase 2.5: Vulnerability Remediation (Skill Discovery)
+---
+
+### Phase 2.5: PR Gating (GitHub Integration)
+
+For projects with CI/CD pipelines, add Aikido PR gating to block merging PRs with security issues:
+
+```bash
+# In GitHub Actions or CI script
+aikido-api-client scan-pr <repository_id_or_name> <base_commit_id> <head_commit_id> \
+  --minimum-severity-level="HIGH"
+```
+
+**package.json integration:**
+```json
+{
+  "scripts": {
+    "test:security": "snyk test && aikido-api-client scan-release $npm_package_name $(git rev-parse HEAD) --minimum-severity-level=HIGH",
+    "test:security:strict": "snyk test && aikido-api-client scan-release $npm_package_name $(git rev-parse HEAD) --minimum-severity-level=HIGH --fail-on-dependency-scan --fail-on-sast-scan --fail-on-secrets-scan"
+  }
+}
+```
+
+---
+
+### Phase 3: Vulnerability Remediation (Skill Discovery)
 
-If vulnerabilities are detected (e.g., CSRF, XSS, prototype pollution, outdated dependencies), **DO NOT just list the errors**. CodyMaster must actively search for and suggest specialized remediation skills to the user to fix the vulnerabilities.
+If vulnerabilities are detected, **DO NOT just list errors**. CodyMaster must actively search for remediation skills:
 
-**Message to user:**
 > 🚨 **Vulnerabilities Detected: Initiating Remediation**
 > 
 > Security issues were found. To systematically patch these risks, we need specialized weapons. I suggest finding and installing a dedicated remediation skill for your stack:
@@ -80,26 +177,48 @@ If vulnerabilities are detected (e.g., CSRF, XSS, prototype pollution, outdated
 > ```
 > *(Once you discover and install the appropriate security patch skills, we will use them to eradicate the vulnerabilities and eliminate all security risks).*
 
-### Phase 2.6: Knowledge Retention (Memory Sync)
+---
+
+### Phase 4: Knowledge Retention (Memory Sync)
 
-Once the vulnerabilities have been successfully remediated, the exact root causes and their corresponding fixes **MUST** be memorized so that CodyMaster does not repeat the same mistakes in the future.
+Once vulnerabilities are remediated, the root causes and fixes **MUST** be memorized:
 
 **Action Required:**
-- Trigger the `cm-continuity` skill to log the security flaw and the applied fix into `CONTINUITY.md` under a "Security Lessons" or "Hard Lessons" section. 
-- If the project uses cloud memory, suggest tracking this in `cm-notebooklm` to sync this critical security knowledge to the permanent AI brain.
+- Trigger `cm-continuity` to log flaw + fix into `CONTINUITY.md` → "Security Lessons" section.
+- If cloud memory is available, sync to `cm-notebooklm` for permanent retention.
 
-### Phase 3: Automation Handoff (Jules Integration)
+---
 
-After the manual Snyk scan is complete and the results are presented to the user, **ALWAYS** provide the following suggestion to automate future security checks:
+### Phase 5: Automation Handoff (Jules + Continuous Monitoring)
 
-> 🛡️ **Next Step: Automated Security Checks via Jules**
+> 🛡️ **Next Step: Automated Security Checks**
 > 
-> Once your project is ready for commercial or public release, manual checks aren't enough. It's highly recommended to automate security scanning on every commit and Pull Request.
+> Manual checks aren't enough for production. Automate on every commit and PR:
 >
-> Please use **Google Jules** for automated GitHub security analysis:
+> **Option A — Google Jules** (GitHub automated analysis):
 > 👉 [http://jules.google.com/](http://jules.google.com/)
 >
-> Integrating Jules will automatically catch vulnerabilities in your codebase, ensuring your commercial product remains secure as it scales.
+> **Option B — Snyk Continuous Monitoring:**
+> ```bash
+> snyk monitor
+> ```
+>
+> **Option C — Aikido Dashboard** (full visibility):
+> 👉 [https://app.aikido.dev/](https://app.aikido.dev/)
+
+---
+
+## Escalation Protocol
+
+When the agent detects ANY of these signals, enforcement escalates from SUGGESTED → MANDATORY:
+
+| Signal | Action |
+|--------|--------|
+| `npm audit` reports HIGH/CRITICAL | Trigger full Snyk + Aikido scan |
+| User mentions "security error" or "hack" | Trigger full scan before proceeding |
+| New major dependency added (e.g., new ORM, auth lib) | Suggest scan, escalate if dep has known CVEs |
+| Pre-deploy / pre-PR-merge | Check if scan was run in this session, block if not (CodyMaster only) |
+| `.snyk` policy file has expired ignores | Re-scan and update policy |
 
 ---
 
@@ -107,8 +226,13 @@ After the manual Snyk scan is complete and the results are presented to the user
 
 | Skill | Relationship |
 |-------|-------------|
-| `cm-quality-gate` | PRE-REQUISITE: Code should pass functional tests before security audits. |
-| `cm-secret-shield`| COMPLEMENTARY: Secret Shield catches hardcoded tokens; `cm-security-gate` catches vulnerable dependencies. Both are needed for public releases. |
-| `cm-safe-deploy`  | POST-REQUISITE: Security gates should ideally be part of the automated deployment pipeline. |
-| `cm-continuity`   | MEMORY LOGGING: Records discovered vulnerabilities and their fixes into the local working memory to prevent future recurrences. |
+| `cm-quality-gate` | PRE-REQUISITE: Code should pass functional tests before security audits. Security scan PASS is required evidence for production deploy. |
+| `cm-secret-shield`| COMPLEMENTARY: Secret Shield catches hardcoded tokens at write/commit time; `cm-security-gate` catches vulnerable dependencies and SAST issues. Both are needed. |
+| `cm-safe-deploy`  | INTEGRATED: Security scan is Gate 0.5 in the deploy pipeline (between Secret Hygiene and Syntax). |
+| `cm-test-gate`    | INTEGRATED: `test:security` script pattern uses Snyk + Aikido CLI for automated scanning in the test suite. |
+| `cm-continuity`   | MEMORY: Records discovered vulnerabilities and fixes into working memory. |
 | `cm-notebooklm`   | LONG-TERM MEMORY: Syncs critical security lessons to the permanent cloud AI brain. |
+
+## The Bottom Line
+
+**Scan before deploy. Remediate before release. Memorize before repeating. Non-negotiable.**

package/skills/cm-test-gate/SKILL.md

@@ -199,11 +199,14 @@ Wire these tests into `package.json` to make them easily executable by CI or oth
   "scripts": {
     "test": "vitest",
     "test:gate": "vitest run --reporter=verbose",
+    "test:security": "snyk test && aikido-api-client scan-release $npm_package_name $(git rev-parse HEAD) --minimum-severity-level=HIGH",
     "test:watch": "vitest watch"
   }
 }
 ```
 
+> **Security Gate Check:** The `test:security` script runs the Snyk dependency check and the Aikido release scan in parallel. See `cm-security-gate` for advanced SAST/IaC flags.
+
 ### Phase 4: Secret Hygiene and Ignore Configuration
 
 **NEVER commit `.env` or `.dev.vars`.** Ensure tests do not expose actual production secrets.