codymaster 4.6.0 → 5.2.0

package/dist/storage-backend.js

@@ -1,16 +1,9 @@
 "use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.VikingBackend = exports.SqliteBackend = void 0;
+exports.SqliteBackend = void 0;
 exports.getBackend = getBackend;
-const fs_1 = __importDefault(require("fs"));
-const path_1 = __importDefault(require("path"));
 const context_db_1 = require("./context-db");
-const viking_backend_1 = require("./backends/viking-backend");
-Object.defineProperty(exports, "VikingBackend", { enumerable: true, get: function () { return viking_backend_1.VikingBackend; } });
-const viking_http_client_1 = require("./backends/viking-http-client");
+const cm_config_1 = require("./cm-config");
 // ─── SqliteBackend ────────────────────────────────────────────────────────────
 /**
  * Default backend — thin wrapper around context-db.ts (better-sqlite3 + FTS5).
@@ -37,65 +30,18 @@ class SqliteBackend {
     }
     writeSkillOutput(o) { (0, context_db_1.writeSkillOutput)(this.dbPath, o); }
     getSkillOutputs(sessionId) { return (0, context_db_1.getSkillOutputs)(this.dbPath, sessionId); }
+    recordExecutionAnalysis(a) { (0, context_db_1.recordExecutionAnalysis)(this.dbPath, a); }
+    getExecutionAnalyses(limit = 20) { return (0, context_db_1.getExecutionAnalyses)(this.dbPath, limit); }
+    getSkillMetric(skill) { return (0, context_db_1.getSkillMetric)(this.dbPath, skill); }
+    listSkillMetrics(limit = 50) { return (0, context_db_1.listSkillMetrics)(this.dbPath, limit); }
 }
 exports.SqliteBackend = SqliteBackend;
-/**
- * Minimal YAML parser — reads `storage.backend` and `storage.viking.*` keys.
- * Avoids adding a js-yaml dependency for a handful of config fields.
- *
- * Supported format:
- *   storage:
- *     backend: viking
- *     viking:
- *       host: localhost
- *       port: 1933
- *       workspace: codymaster
- *       timeout: 60000
- */
-function loadStorageConfig(projectPath) {
-    var _a;
-    const configPath = path_1.default.join(projectPath, '.cm', 'config.yaml');
-    if (!fs_1.default.existsSync(configPath))
-        return {};
-    try {
-        const raw = fs_1.default.readFileSync(configPath, 'utf-8');
-        // Extract storage.backend
-        const backendMatch = raw.match(/^storage:\s*\n(?:[ \t]+\S[^\n]*\n)*?[ \t]+backend:\s*(\S+)/m);
-        const backend = (_a = backendMatch === null || backendMatch === void 0 ? void 0 : backendMatch[1]) === null || _a === void 0 ? void 0 : _a.trim();
-        // Extract storage.viking.* keys
-        const vikingBlock = raw.match(/[ \t]+viking:\s*\n((?:[ \t]{4,}[^\n]+\n?)*)/m);
-        let viking;
-        if (vikingBlock === null || vikingBlock === void 0 ? void 0 : vikingBlock[1]) {
-            viking = {};
-            for (const line of vikingBlock[1].split('\n')) {
-                const kv = line.match(/[ \t]+(\w+):\s*(\S+)/);
-                if (!kv)
-                    continue;
-                const [, key, val] = kv;
-                if (key === 'host')
-                    viking.host = val;
-                if (key === 'workspace')
-                    viking.workspace = val;
-                if (key === 'port')
-                    viking.port = parseInt(val, 10);
-                if (key === 'timeout')
-                    viking.timeout = parseInt(val, 10);
-            }
-        }
-        if (!backend)
-            return {};
-        return { storage: Object.assign({ backend }, (viking ? { viking } : {})) };
-    }
-    catch (_b) {
-        return {};
-    }
-}
 // ─── Factory ─────────────────────────────────────────────────────────────────
 /**
  * Returns the configured StorageBackend for the given project.
  *
- * Reads `.cm/config.yaml → storage.backend` (default: `sqlite`).
- * For `viking` backend, reads `storage.viking.*` for connection config.
+ * Reads `.cm/config.yaml → storage.backend` via `loadCmConfig` (default: `sqlite`).
+ * Legacy `storage.backend: viking` configs are warned and routed back to sqlite.
  *
  * Usage:
  *   const backend = getBackend('/path/to/project');
@@ -103,13 +49,14 @@ function loadStorageConfig(projectPath) {
  *   const results = backend.queryLearnings('i18n locale');
  */
 function getBackend(projectPath) {
-    var _a, _b, _c;
-    const config = loadStorageConfig(projectPath);
-    const engine = (_b = (_a = config === null || config === void 0 ? void 0 : config.storage) === null || _a === void 0 ? void 0 : _a.backend) !== null && _b !== void 0 ? _b : 'sqlite';
+    var _a, _b;
+    const cfg = (0, cm_config_1.loadCmConfig)(projectPath);
+    const engine = ((_b = (_a = cfg.storage) === null || _a === void 0 ? void 0 : _a.backend) !== null && _b !== void 0 ? _b : 'sqlite').toLowerCase();
     switch (engine) {
         case 'viking': {
-            const vikingConfig = Object.assign(Object.assign({}, viking_http_client_1.DEFAULT_VIKING_CONFIG), (_c = config === null || config === void 0 ? void 0 : config.storage) === null || _c === void 0 ? void 0 : _c.viking);
-            return new viking_backend_1.VikingBackend(vikingConfig);
+            console.warn('[CodyMaster] storage.backend: viking has been removed. ' +
+                'Falling back to sqlite for the supported default path.');
+            return new SqliteBackend(projectPath);
         }
         case 'sqlite':
         default:

package/dist/token-budget.js

@@ -8,6 +8,10 @@ exports.loadBudget = loadBudget;
 exports.checkBudget = checkBudget;
 exports.estimateTokens = estimateTokens;
 exports.generateBudgetReport = generateBudgetReport;
+exports.getDefaultTierBudgets = getDefaultTierBudgets;
+exports.checkTierBudget = checkTierBudget;
+exports.generateTierReport = generateTierReport;
+exports.formatSavingsReport = formatSavingsReport;
 const fs_1 = __importDefault(require("fs"));
 const path_1 = __importDefault(require("path"));
 // ─── Constants ──────────────────────────────────────────────────────────────
@@ -106,3 +110,87 @@ function generateBudgetReport(budget) {
     lines.push(`${'TOTAL'.padEnd(25)} ${sum.toLocaleString().padStart(10)} ${(((sum / total) * 100).toFixed(2) + '%').padStart(10)}`);
     return lines.join('\n');
 }
+// ─── Per-Tier Budgets (Smart Brain Router integration) ───────────────────────
+/**
+ * Default per-tier token budgets for the 5-Tier Brain architecture.
+ * Used by SmartBrainRouter to enforce tier-level spending limits.
+ */
+function getDefaultTierBudgets() {
+    return [
+        { tier: 1, label: 'Sensory', soft: 0, hard: 0 }, // Always on, zero cost
+        { tier: 2, label: 'Working', soft: 500, hard: 1000 }, // CONTINUITY.md
+        { tier: 3, label: 'Long-term', soft: 500, hard: 3000 }, // Learnings/decisions
+        { tier: 4, label: 'Semantic', soft: 0, hard: 2000 }, // qmd vector search
+        { tier: 5, label: 'Structural', soft: 0, hard: 4000 }, // CodeGraph AST
+    ];
+}
+/**
+ * Check if a tier's token usage is within budget.
+ */
+function checkTierBudget(tierBudgets, tier, tokenCount, enforcement = 'soft') {
+    const budget = tierBudgets.find(tb => tb.tier === tier);
+    if (!budget) {
+        return { allowed: false, remaining: 0, suggestion: `Unknown tier ${tier}` };
+    }
+    const limit = enforcement === 'hard' ? budget.hard : budget.soft;
+    if (limit === 0) {
+        // Tier is disabled by default (soft=0), but allowed up to hard limit
+        if (tokenCount <= budget.hard) {
+            return { allowed: true, remaining: budget.hard - tokenCount };
+        }
+        return {
+            allowed: false,
+            remaining: budget.hard - tokenCount,
+            suggestion: `Tier ${tier} (${budget.label}) exceeds hard limit of ${budget.hard} tokens.`,
+        };
+    }
+    const remaining = limit - tokenCount;
+    if (remaining >= 0) {
+        return { allowed: true, remaining };
+    }
+    return {
+        allowed: enforcement !== 'hard',
+        remaining,
+        suggestion: `Tier ${tier} (${budget.label}) over by ~${Math.abs(remaining)} tokens. Consider L0 loading.`,
+    };
+}
+/**
+ * Generate a tier-level budget report.
+ */
+function generateTierReport(tierBudgets) {
+    const lines = [
+        `Brain Tier Budget Report`,
+        '─'.repeat(60),
+        `${'Tier'.padEnd(6)} ${'Label'.padEnd(12)} ${'Soft'.padStart(8)} ${'Hard'.padStart(8)} ${'Status'.padStart(10)}`,
+        '─'.repeat(60),
+    ];
+    for (const tb of tierBudgets) {
+        const status = tb.soft === 0 ? 'off/demand' : 'active';
+        lines.push(`${String(tb.tier).padEnd(6)} ${tb.label.padEnd(12)} ${tb.soft.toLocaleString().padStart(8)} ${tb.hard.toLocaleString().padStart(8)} ${status.padStart(10)}`);
+    }
+    const totalSoft = tierBudgets.reduce((s, tb) => s + tb.soft, 0);
+    const totalHard = tierBudgets.reduce((s, tb) => s + tb.hard, 0);
+    lines.push('─'.repeat(60));
+    lines.push(`${'TOTAL'.padEnd(18)} ${totalSoft.toLocaleString().padStart(8)} ${totalHard.toLocaleString().padStart(8)}`);
+    return lines.join('\n');
+}
+/**
+ * Format token savings report for CLI display.
+ */
+function formatSavingsReport(savings) {
+    const lines = [
+        `💰 Token Savings Report`,
+        '─'.repeat(50),
+        `Brain routing:       ~${savings.brainRoutingSaved.toLocaleString()} tokens saved`,
+        `Cache hits:          ~${savings.cacheHitsSaved.toLocaleString()} tokens saved`,
+        `Progressive loading: ~${savings.progressiveLoadSaved.toLocaleString()} tokens saved`,
+        '─'.repeat(50),
+        `Total saved:         ~${savings.totalSaved.toLocaleString()} tokens`,
+        `Tasks this session:  ${savings.sessionTasks}`,
+    ];
+    if (savings.sessionTasks > 0) {
+        const avgSaved = Math.round(savings.totalSaved / savings.sessionTasks);
+        lines.push(`Avg saved per task:  ~${avgSaved.toLocaleString()} tokens`);
+    }
+    return lines.join('\n');
+}

package/dist/utils/cli-utils.js

@@ -0,0 +1,76 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.padRight = padRight;
+exports.openUrl = openUrl;
+exports.formatTimeAgoCli = formatTimeAgoCli;
+exports.progressBar = progressBar;
+exports.isDashboardRunning = isDashboardRunning;
+const fs_1 = __importDefault(require("fs"));
+const os_1 = __importDefault(require("os"));
+const child_process_1 = require("child_process");
+const chalk_1 = __importDefault(require("chalk"));
+/**
+ * Pads a string on the right with spaces.
+ */
+function padRight(str, len) {
+    if (str.length >= len)
+        return str;
+    return str + ' '.repeat(len - str.length);
+}
+/**
+ * Opens a URL in the default browser.
+ */
+function openUrl(url) {
+    const plat = os_1.default.platform();
+    const command = plat === 'darwin' ? 'open' : plat === 'win32' ? 'start' : 'xdg-open';
+    (0, child_process_1.exec)(`${command} "${url}"`);
+}
+/**
+ * Formats a date string relative to now (e.g. "2m ago", "1h ago").
+ */
+function formatTimeAgoCli(dateStr) {
+    const date = new Date(dateStr);
+    const now = new Date();
+    const seconds = Math.floor((now.getTime() - date.getTime()) / 1000);
+    if (seconds < 60)
+        return `${seconds}s ago`;
+    const minutes = Math.floor(seconds / 60);
+    if (minutes < 60)
+        return `${minutes}m ago`;
+    const hours = Math.floor(minutes / 60);
+    if (hours < 24)
+        return `${hours}h ago`;
+    const days = Math.floor(hours / 24);
+    return `${days}d ago`;
+}
+/**
+ * Generates a green/gray progress bar string.
+ */
+function progressBar(pct) {
+    const total = 12;
+    const filled = Math.max(0, Math.min(total, Math.round((pct / 100) * total)));
+    return chalk_1.default.green('█'.repeat(filled)) + chalk_1.default.gray('░'.repeat(total - filled));
+}
+/**
+ * Returns true if the dashboard is running (via PID file).
+ */
+function isDashboardRunning(pidFile) {
+    try {
+        if (!fs_1.default.existsSync(pidFile))
+            return false;
+        const pidInput = fs_1.default.readFileSync(pidFile, 'utf-8').trim();
+        if (!pidInput)
+            return false;
+        const pid = parseInt(pidInput);
+        if (isNaN(pid))
+            return false;
+        process.kill(pid, 0);
+        return true;
+    }
+    catch (_a) {
+        return false;
+    }
+}

package/dist/utils/skill-utils.js

@@ -0,0 +1,32 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getAvailableSkills = getAvailableSkills;
+exports.getSkillCount = getSkillCount;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+/**
+ * Discovers and returns a list of available 'cm-' skills.
+ */
+function getAvailableSkills() {
+    try {
+        const rootDir = path_1.default.resolve(__dirname, '..', '..');
+        const skillsDir = path_1.default.join(rootDir, 'skills');
+        if (!fs_1.default.existsSync(skillsDir)) {
+            return [];
+        }
+        return fs_1.default.readdirSync(skillsDir)
+            .filter(f => f.startsWith('cm-') && fs_1.default.statSync(path_1.default.join(skillsDir, f)).isDirectory());
+    }
+    catch (_a) {
+        return [];
+    }
+}
+/**
+ * Returns the count of available 'cm-' skills.
+ */
+function getSkillCount() {
+    return getAvailableSkills().length;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codymaster",
-  "version": "4.6.0",
+  "version": "5.2.0",
   "description": "68+ Skills. Ship 10x faster. AI-powered coding skill kit for Claude, Cursor, Gemini & more.",
   "main": "dist/index.js",
   "repository": {
@@ -19,15 +19,23 @@
     "build": "tsc",
     "start": "ts-node src/index.ts",
     "test:gate": "vitest run --reporter=verbose",
+    "test:gate:kit": "npm run build && npm run validate:skills && npm run check:skills && vitest run --reporter=verbose",
     "gate:secrets": "node scripts/gate-0-secrets.js",
+    "gate:hygiene": "node scripts/gate-0-repo-hygiene.js",
     "gate:fix": "node scripts/security-fixer.js --fix",
     "gate:check": "node scripts/security-fixer.js",
     "gate:syntax": "node scripts/gate-1-syntax.js",
     "gate:dist": "node scripts/gate-5-dist-verify.js",
     "gate:smoke": "node scripts/gate-6-smoke-test.js",
-    "deploy": "npm run gate:secrets && npm run gate:syntax && npm run test:gate && npm run gate:dist && npm run gate:smoke",
-    "deploy:dry": "npm run gate:secrets && npm run gate:syntax && npm run test:gate && npm run gate:dist && echo '✅ All gates passed. Ready to deploy.'",
-    "postinstall": "node scripts/postinstall.js"
+    "deploy": "npm run gate:secrets && npm run gate:hygiene && npm run gate:syntax && npm run test:gate:kit && npm run gate:dist && npm run gate:smoke",
+    "deploy:dry": "npm run gate:secrets && npm run gate:hygiene && npm run gate:syntax && npm run test:gate:kit && npm run gate:dist && echo '✅ All gates passed. Ready to deploy.'",
+    "postinstall": "node scripts/postinstall.js",
+    "validate:skills": "node scripts/validate-skills.mjs",
+    "build:skills": "node scripts/build-skills.mjs",
+    "check:skills": "node scripts/build-skills.mjs --check",
+    "docs:dev": "vitepress dev docs",
+    "docs:build": "vitepress build docs",
+    "docs:preview": "vitepress preview docs"
   },
   "keywords": [
     "ai",
@@ -52,8 +60,7 @@
     "commands/",
     "public/",
     "README.md",
-    "CHANGELOG.md",
-    "install.sh"
+    "CHANGELOG.md"
   ],
   "publishConfig": {
     "access": "public"
@@ -65,7 +72,8 @@
     "chokidar": "^5.0.0",
     "commander": "^14.0.3",
     "express": "^5.2.1",
-    "prompts": "^2.4.2"
+    "prompts": "^2.4.2",
+    "yaml": "^2.8.3"
   },
   "devDependencies": {
     "@types/better-sqlite3": "^7.6.13",
@@ -74,8 +82,10 @@
     "@types/prompts": "^2.4.9",
     "acorn": "^8.16.0",
     "jsdom": "^29.0.1",
+    "playwright": "^1.50.0",
     "ts-node": "^10.9.2",
     "typescript": "^5.9.3",
+    "vitepress": "^1.6.4",
     "vitest": "^4.1.0"
   },
   "overrides": {

package/scripts/build-skills.mjs

@@ -0,0 +1,51 @@
+#!/usr/bin/env node
+/**
+ * Generate SKILL.md from SKILL.md.tmpl + meta.json when present.
+ * Usage: node scripts/build-skills.mjs [--check]
+ */
+import fs from 'fs';
+import path from 'path';
+import { fileURLToPath } from 'url';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const skillsRoot = path.join(__dirname, '..', 'skills');
+const check = process.argv.includes('--check');
+
+function render(tmpl, vars) {
+  return tmpl.replace(/\{\{(\w+)\}\}/g, (_, k) => (vars[k] != null ? String(vars[k]) : `{{${k}}}`));
+}
+
+let tmplCount = 0;
+if (!fs.existsSync(skillsRoot)) process.exit(0);
+
+for (const dir of fs.readdirSync(skillsRoot, { withFileTypes: true })) {
+  if (!dir.isDirectory()) continue;
+  const folder = path.join(skillsRoot, dir.name);
+  const tmplPath = path.join(folder, 'SKILL.md.tmpl');
+  const metaPath = path.join(folder, 'meta.json');
+  const outPath = path.join(folder, 'SKILL.md');
+  if (!fs.existsSync(tmplPath)) continue;
+
+  tmplCount++;
+  const tmpl = fs.readFileSync(tmplPath, 'utf8');
+  let meta = {};
+  if (fs.existsSync(metaPath)) {
+    meta = JSON.parse(fs.readFileSync(metaPath, 'utf8'));
+  }
+  const out = render(tmpl, meta);
+  if (check) {
+    const cur = fs.existsSync(outPath) ? fs.readFileSync(outPath, 'utf8') : '';
+    if (cur !== out) {
+      console.error(`check failed: ${outPath} out of date (run npm run build:skills)`);
+      process.exit(2);
+    }
+  } else {
+    fs.writeFileSync(outPath, out, 'utf8');
+  }
+}
+
+if (tmplCount === 0) {
+  console.log('build-skills: no SKILL.md.tmpl under skills/ (OK)');
+} else {
+  console.log(check ? `build-skills: --check OK (${tmplCount})` : `build-skills: wrote ${tmplCount} skill(s)`);
+}

package/scripts/gate-0-repo-hygiene.js

@@ -0,0 +1,75 @@
+#!/usr/bin/env node
+/**
+ * Gate 0b: Repo Hygiene
+ * Ensures tracked files and git remote URLs are safe before push/deploy.
+ */
+const { execFileSync } = require('child_process');
+
+const FORBIDDEN_TRACKED_PATTERNS = [
+  /^\.DS_Store$/,
+  /^\.env(\..+)?$/,
+  /^\.dev\.vars(\..+)?$/,
+  /^.*\.(pem|key|p12|pfx)$/i,
+  /^.*\.(log|tmp|bak|swp)$/i,
+];
+
+function run(command, args) {
+  return execFileSync(command, args, { encoding: 'utf-8' }).trim();
+}
+
+function hasEmbeddedCredentials(remoteUrl) {
+  return /^https?:\/\/[^/\s]+@/i.test(remoteUrl);
+}
+
+function getTrackedFiles() {
+  const out = run('git', ['ls-files']);
+  if (!out) return [];
+  return out.split('\n').filter(Boolean);
+}
+
+function checkTrackedFiles() {
+  const tracked = getTrackedFiles();
+  return tracked.filter((file) =>
+    !file.endsWith('.example') &&
+    FORBIDDEN_TRACKED_PATTERNS.some((pattern) => pattern.test(file)),
+  );
+}
+
+function checkOriginRemote() {
+  try {
+    return run('git', ['remote', 'get-url', 'origin']);
+  } catch (_error) {
+    return '';
+  }
+}
+
+function main() {
+  const failures = [];
+
+  const originUrl = checkOriginRemote();
+  if (originUrl && hasEmbeddedCredentials(originUrl)) {
+    failures.push(
+      [
+        'origin remote URL has embedded credentials.',
+        'Fix: git remote set-url origin https://github.com/<owner>/<repo>.git',
+      ].join(' '),
+    );
+  }
+
+  const badTrackedFiles = checkTrackedFiles();
+  if (badTrackedFiles.length > 0) {
+    failures.push(
+      `forbidden files are tracked by git: ${badTrackedFiles.join(', ')}`,
+    );
+  }
+
+  if (failures.length > 0) {
+    console.error('❌ Repo hygiene check failed:');
+    failures.forEach((failure) => console.error(`  - ${failure}`));
+    process.exit(1);
+  }
+
+  console.log('✅ Repo hygiene check passed');
+}
+
+main();

package/scripts/postinstall.js

@@ -11,7 +11,9 @@ const NC = '\x1b[0m';
 
 const fs = require('fs');
 const path = require('path');
-let skillCount = 60;
+const { execSync, execFileSync } = require('child_process');
+
+let skillCount = 68;
 try {
   const skillsDir = path.join(__dirname, '..', 'skills');
   if (fs.existsSync(skillsDir)) {
@@ -212,7 +214,6 @@ const showSkillGuide = (choice) => {
   }
 
   console.log('');
-  console.log(`${W}${BOLD}${isVi ? 'Nhấn ENTER để quay lại...' : 'Press ENTER to go back...'}${NC}`);
 };
 
 const printMenu = () => {
@@ -242,20 +243,11 @@ const printMenu = () => {
     console.log(`  ${C}⚙️ Operations${NC}    : Triển khai an toàn & Quản lý CI/CD`);
     console.log(`  ${C}📈 Growth${NC}        : Tối ưu chuyển đổi (CRO) & Tracking`);
     console.log('');
-    console.log(`    ${W}${BOLD}💡 Nhập số (1-12) để xem hướng dẫn & ví dụ:${NC}`);
+    console.log(`    ${W}${BOLD}🌟 Lệnh phổ biến:${NC}`);
     console.log('');
-    console.log(`   1. ${Y}Cách CodyMaster vận hành    ${NC} → cm-how-it-work`);
-    console.log(`   2. ${Y}Vibe coding (Zero code)     ${NC} → cm-start`);
-    console.log(`   3. ${Y}Tham gia dự án có sẵn       ${NC} → cm-brainstorm-idea`);
-    console.log(`   4. ${Y}Code giao diện từ URL/Ảnh   ${NC} → cm-ux-master`);
-    console.log(`   5. ${Y}Lập trình TDD & Pair code   ${NC} → cm-tdd`);
-    console.log(`   6. ${Y}Dọn dẹp & Tái cấu trúc      ${NC} → cm-clean-code`);
-    console.log(`   7. ${Y}Quét & Sửa lỗi bảo mật      ${NC} → cm-security-gate`);
-    console.log(`   8. ${Y}Viết tài liệu Docs & API    ${NC} → cm-dockit`);
-    console.log(`   9. ${Y}Tạo Landing Page "WOW"      ${NC} → cm-cro-methodology`);
-    console.log(`  10. ${Y}Bảng theo dõi tiến độ       ${NC} → cm dashboard`);
-    console.log(`  11. ${Y}Xem Demo tự động            ${NC} → /cm:demo`);
-    console.log(`  12. ${Y}Trợ giúp & Cú pháp lệnh      ${NC} → cm help`);
+    console.log(`   🔸 ${Y}Bảng tiến độ (Dashboard)    ${NC} → cm dashboard`);
+    console.log(`   🔸 ${Y}Cần trợ giúp / Tìm kỹ năng    ${NC} → cm help`);
+    console.log(`   🔸 ${Y}Cách CodyMaster hoạt động  ${NC} → cm-how-it-work`);
   } else {
     console.log(`  ${C}🎯 Orchestration${NC} : Task Planning & Agent Synergy`);
     console.log(`  ${C}🎨 Product${NC}       : UX/UI Mastery & User Psychology`);
@@ -264,20 +256,11 @@ const printMenu = () => {
     console.log(`  ${C}⚙️ Operations${NC}    : Safe Deployments & CI/CD Excellence`);
     console.log(`  ${C}📈 Growth${NC}        : Conversion Tracking & Hacks`);
     console.log('');
-    console.log(`    ${W}${BOLD}💡 Type a number (1-12) for guide & examples:${NC}`);
+    console.log(`    ${W}${BOLD}🌟 Popular Commands:${NC}`);
     console.log('');
-    console.log(`   1. ${Y}The ultimate guide          ${NC} → cm-how-it-work`);
-    console.log(`   2. ${Y}Vibe coding (Zero code)     ${NC} → cm-start`);
-    console.log(`   3. ${Y}Code an existing project    ${NC} → cm-brainstorm-idea`);
-    console.log(`   4. ${Y}Generate UX/UI designs      ${NC} → cm-ux-master`);
-    console.log(`   5. ${Y}Code TDD & Pair coding      ${NC} → cm-tdd`);
-    console.log(`   6. ${Y}Clean & Refactor codebase   ${NC} → cm-clean-code`);
-    console.log(`   7. ${Y}Scan for vulnerabilities    ${NC} → cm-security-gate`);
-    console.log(`   8. ${Y}Write docs & generate APIs  ${NC} → cm-dockit`);
-    console.log(`   9. ${Y}Release WOW landing page    ${NC} → cm-cro-methodology`);
-    console.log(`  10. ${Y}Open progress dashboard     ${NC} → cm dashboard`);
-    console.log(`  11. ${Y}See an interactive demo     ${NC} → /cm:demo`);
-    console.log(`  12. ${Y}Help & Command list         ${NC} → cm help`);
+    console.log(`   🔸 ${Y}Open progress dashboard    ${NC} → cm dashboard`);
+    console.log(`   🔸 ${Y}Help & Command list        ${NC} → cm help`);
+    console.log(`   🔸 ${Y}The ultimate guide         ${NC} → cm-how-it-work`);
   }
   
   console.log('');
@@ -285,7 +268,30 @@ const printMenu = () => {
   console.log('');
 };
 
+const isInstalledAsNpmDependency = () => {
+  const root = path.resolve(__dirname, '..').replace(/\\/g, '/');
+  return /[/\\]node_modules[/\\]codymaster$/i.test(root);
+};
+
+const npmCmd = () => (process.platform === 'win32' ? 'npm.cmd' : 'npm');
+
+const activateCli = () => {
+  const pkgRoot = path.join(__dirname, '..');
+
+  if (isInstalledAsNpmDependency()) {
+    console.log(`  ${C}CodyMaster CLI (per-project install — official path):${NC}`);
+    console.log(`    ${W}npx cm${NC}   or   ${W}npx codymaster${NC}`);
+    console.log(
+      `  ${DIM}Optional — bare ${W}cm${DIM} in any terminal: ${W}npm install -g codymaster${NC}`,
+    );
+    return;
+  }
+
+
+};
+
 const main = () => {
+  activateCli();
   printMenu();
 };
 

package/scripts/security-scan.js

@@ -6,7 +6,7 @@ const DANGEROUS_PATTERNS = [
   { name: 'Anon Key Variable', regex: /ANON_KEY\s*[=:]\s*['\"][a-zA-Z0-9._\/-]{20,}/g },
   { name: 'Private Key Block', regex: /-----BEGIN\s+(RSA|EC|DSA|OPENSSH)?\s*PRIVATE KEY-----/g },
   { name: 'JWT Token', regex: /eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}/g },
-  { name: 'Generic API Key', regex: /(?:api[_-]?key|api[_-]?secret|access[_-]?token)\s*[=:]\s*['\"][a-zA-Z0-9\/+=]{20,}['\"/]/gi },
+  { name: 'Generic API Key', regex: /(?:api[_-]?key|api[_-]?secret|access[_-]?token)\s*[=:]\s*['\"][a-zA-Z0-9\/+=]{20,}['\"]/gi },
   { name: 'AWS Key', regex: /AKIA[0-9A-Z]{16}/g },
   { name: 'Slack Token', regex: /xox[baprs]-[0-9a-zA-Z-]{10,}/g },
   { name: 'GitHub Token', regex: /gh[ps]_[a-zA-Z0-9]{36,}/g },

package/scripts/validate-skills.mjs

@@ -0,0 +1,42 @@
+#!/usr/bin/env node
+/**
+ * Ensures each skill folder under skills/ has SKILL.md with a title line.
+ */
+import fs from 'fs';
+import path from 'path';
+import { fileURLToPath } from 'url';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const root = path.join(__dirname, '..', 'skills');
+
+/** Directories under skills/ that are not standalone skills (assets, packs). */
+const SKIP_DIRS = new Set(['profiles', 'extensions', 'scripts']);
+
+let errors = 0;
+if (!fs.existsSync(root)) {
+  console.error('No skills/ directory');
+  process.exit(1);
+}
+
+for (const name of fs.readdirSync(root, { withFileTypes: true })) {
+  if (!name.isDirectory()) continue;
+  if (name.name.startsWith('_') || name.name.startsWith('.')) continue;
+  if (SKIP_DIRS.has(name.name)) continue;
+  const md = path.join(root, name.name, 'SKILL.md');
+  if (!fs.existsSync(md)) {
+    console.error(`Missing SKILL.md: ${name.name}`);
+    errors++;
+    continue;
+  }
+  const text = fs.readFileSync(md, 'utf8');
+  if (!/^#\s+\S/m.test(text)) {
+    console.error(`SKILL.md missing H1 title: ${name.name}`);
+    errors++;
+  }
+}
+
+if (errors) {
+  console.error(`validate-skills: ${errors} error(s)`);
+  process.exit(1);
+}
+console.log('validate-skills: OK');