cortexhawk 3.1.0

package/scripts/install-codex.sh

@@ -0,0 +1,128 @@
+#!/bin/bash
+# install-codex.sh — CortexHawk installer for OpenAI Codex CLI
+# Sourced by install.sh when --target codex is used
+# Uses shared functions: copy_skills, generate_agents_md, convert_modes_to_skills, merge_mcp_toml, create_docs_workspace
+
+install_codex() {
+    if [ "$GLOBAL" = true ]; then
+        TARGET="$HOME/.codex"
+        AGENTS_DIR="$HOME/.agents"
+        echo "Installing for Codex CLI globally to $TARGET"
+    else
+        TARGET="$(pwd)/.codex"
+        AGENTS_DIR="$(pwd)/.agents"
+        echo "Installing for Codex CLI to project: $TARGET"
+    fi
+
+    mkdir -p "$TARGET"
+    mkdir -p "$AGENTS_DIR/skills"
+
+    # 1. Skills — direct copy via shared function
+    echo "  Copying skills..."
+    if [ -d "$SCRIPT_DIR/skills" ]; then
+        copy_skills "$AGENTS_DIR" "$PROFILE"
+    fi
+
+    # 2. Commands → Skills (explicit invocation via $cmd-name)
+    echo "  Converting commands to skills..."
+    for cmd_file in "$SCRIPT_DIR"/commands/*.md; do
+        [ -f "$cmd_file" ] || continue
+        local cmd_name
+        cmd_name=$(basename "$cmd_file" .md)
+        local cmd_dir="$AGENTS_DIR/skills/cmd-$cmd_name"
+        mkdir -p "$cmd_dir/agents"
+        cp "$cmd_file" "$cmd_dir/SKILL.md"
+        cat > "$cmd_dir/agents/openai.yaml" << 'YAML'
+policy:
+  allow_implicit_invocation: false
+YAML
+    done
+    local cmd_count
+    cmd_count=$(find "$AGENTS_DIR/skills/cmd-"* -maxdepth 0 -type d 2>/dev/null | wc -l | tr -d ' ')
+    echo "  Converted $cmd_count commands to skills (invoke with \$cmd-name)"
+
+    # 3. Modes → Skills via shared function
+    convert_modes_to_skills "$AGENTS_DIR/skills" "mode-"
+
+    # 4. AGENTS.md — via shared function with commands section injected
+    echo "  Generating AGENTS.md..."
+    local agents_md
+    if [ "$GLOBAL" = true ]; then
+        agents_md="$HOME/AGENTS.md"
+    else
+        agents_md="$(pwd)/AGENTS.md"
+    fi
+    # Build commands listing for extra_content
+    local commands_section
+    commands_section="## Commands"$'\n'$'\n'"Commands are installed as skills. Invoke explicitly with \\\$cmd-name:"$'\n'
+    for cmd_file in "$SCRIPT_DIR"/commands/*.md; do
+        [ -f "$cmd_file" ] || continue
+        local name desc
+        name=$(basename "$cmd_file" .md)
+        desc=$(grep '^description:' "$cmd_file" | sed 's/description: *//')
+        commands_section="${commands_section}"$'\n'"- \`\$cmd-$name\` — $desc"
+    done
+    generate_agents_md "$agents_md" "optimized agents, skills, commands, and modes for Codex CLI." "$commands_section"
+
+    # 5. config.toml — settings + MCP servers via shared function
+    echo "  Generating config.toml..."
+    {
+        echo "# CortexHawk configuration for Codex CLI"
+        echo ""
+        echo 'model = "o4-mini"'
+        echo 'approval_mode = "suggest"'
+        echo ""
+        echo "[history]"
+        echo 'persistence = "save-all"'
+        echo "send_to_cloud = false"
+        echo ""
+        merge_mcp_toml
+    } > "$TARGET/config.toml"
+
+    # 6. Hooks — dispatcher for after_tool_use
+    echo "  Installing hooks dispatcher..."
+    mkdir -p "$AGENTS_DIR/hooks"
+    cp "$SCRIPT_DIR/hooks/codex-dispatcher.sh" "$AGENTS_DIR/hooks/"
+    cp "$SCRIPT_DIR/hooks/self-review.sh" "$AGENTS_DIR/hooks/"
+    cp "$SCRIPT_DIR/hooks/dependency-check.sh" "$AGENTS_DIR/hooks/"
+    cp "$SCRIPT_DIR/hooks/test-reminder.sh" "$AGENTS_DIR/hooks/"
+    cp "$SCRIPT_DIR/hooks/agent-analytics.sh" "$AGENTS_DIR/hooks/"
+    chmod +x "$AGENTS_DIR/hooks/"*.sh
+
+    # Add hooks config to config.toml (commented — uncomment when Codex stabilizes hooks config)
+    {
+        echo "# Hooks — uncomment when Codex CLI hooks config is stabilized"
+        echo "# [hooks.after_tool_use]"
+        echo "# command = \"bash\""
+        echo "# args = [\"$AGENTS_DIR/hooks/codex-dispatcher.sh\"]"
+        echo ""
+    } >> "$TARGET/config.toml"
+
+    # 7. Create docs/ workspace via shared function (local only)
+    if [ "$GLOBAL" = false ]; then
+        create_docs_workspace "$(dirname "$TARGET")"
+    fi
+
+    # 8. Info
+    echo ""
+    echo "  Info: hooks dispatcher installed (after_tool_use), config commented — uncomment when Codex stabilizes"
+    echo "  Info: PreToolUse guards (file-guard, branch-guard, commit-guard) skipped — not yet available in Codex"
+
+    # Write manifest
+    write_manifest "$TARGET" "$PROFILE" "codex" false
+
+    echo ""
+    echo "CortexHawk installed successfully for Codex CLI!"
+    echo ""
+    echo "Available: 20 agents (in AGENTS.md), 36 skills, $cmd_count commands (as skills), 7 modes (as skills), MCP servers, hooks dispatcher"
+    echo ""
+    echo "Commands: invoke with \$cmd-plan, \$cmd-build, \$cmd-test, etc."
+    echo "Modes: invoke with \$mode-fast, \$mode-research, etc."
+
+    run_audit "$(dirname "$TARGET")"
+    update_gitignore "$(dirname "$TARGET")" ".codex"
+    update_gitignore "$(dirname "$TARGET")" ".agents"
+
+    echo ""
+    echo "  To activate: exit Codex (ctrl+c) and relaunch 'codex' in this directory."
+}

package/scripts/interactive-init.sh

@@ -0,0 +1,264 @@
+#!/bin/bash
+# interactive-init.sh — Interactive onboarding wizard for CortexHawk
+# Sourced by install.sh --init. Sets: TARGET_CLI, GLOBAL, PROFILE, PROFILE_FILE,
+# GIT_BRANCHING, GIT_COMMIT_CONVENTION, GIT_PR_PREFERENCE, GIT_AUTO_PUSH, GIT_WORK_BRANCH
+
+cyan()  { printf "\033[36m%s\033[0m\n" "$1"; }
+green() { printf "\033[32m%s\033[0m\n" "$1"; }
+yellow(){ printf "\033[33m%s\033[0m\n" "$1"; }
+bold()  { printf "\033[1m%s\033[0m\n" "$1"; }
+
+echo ""
+cyan "================================"
+cyan "CortexHawk Interactive Setup"
+cyan "================================"
+echo ""
+
+# --- Step 1: Target CLI ---
+bold "1. Target CLI"
+echo "  1) Claude Code (default) — fully supported"
+echo "  2) Kimi CLI (experimental)"
+echo "  3) Codex CLI (experimental)"
+echo "  4) All (install for all CLIs simultaneously)"
+read -r -p "Choice [1-4] (default: 1): " target_choice
+case "$target_choice" in
+    2) TARGET_CLI="kimi" ;;
+    3) TARGET_CLI="codex" ;;
+    4) TARGET_CLI="all" ;;
+    *) TARGET_CLI="claude" ;;
+esac
+green "  → $TARGET_CLI"
+echo ""
+
+# --- Step 2: Scope ---
+bold "2. Install Scope"
+echo "  1) Local project — install in current directory (default)"
+echo "  2) Global — install in ~/.${TARGET_CLI}/ (shared across all projects)"
+read -r -p "Choice [1-2] (default: 1): " scope_choice
+case "$scope_choice" in
+    2) GLOBAL=true ;;
+    *) GLOBAL=false ;;
+esac
+green "  → $([ "$GLOBAL" = true ] && echo "global" || echo "local")"
+echo ""
+
+# --- Step 3: Skills ---
+bold "3. Skills"
+echo "  1) All skills (36) — everything included"
+echo "  2) Fullstack — React, Next.js, Tailwind, testing, devops"
+echo "  3) API — FastAPI, Python, security, databases"
+echo "  4) Data — Python, SQL, performance, pattern detection"
+echo "  5) Custom — pick individual categories"
+echo "  6) Autodetect — scan project files and recommend"
+read -r -p "Choice [1-6] (default: 1): " skill_choice
+
+case "$skill_choice" in
+    2) PROFILE="fullstack"; green "  → fullstack (21 skills)" ;;
+    3) PROFILE="api";       green "  → api (21 skills)" ;;
+    4) PROFILE="data";      green "  → data (17 skills)" ;;
+    5)
+        echo ""
+        echo "  Skill categories:"
+        echo "    1) databases (2)      2) devops (3)       3) frameworks (8)"
+        echo "    4) meta (2)           5) optimization (1) 6) quality (4)"
+        echo "    7) security (10)      8) testing (3)      9) workflow (3)"
+        echo ""
+        read -r -p "  Enter numbers (space-separated) or 'all': " cat_input
+
+        # Map numbers to category names (bash 3 compatible — no declare -A)
+        SELECTED_CATS=""
+        if [ "$cat_input" = "all" ]; then
+            SELECTED_CATS="databases devops frameworks meta optimization quality security testing workflow"
+        else
+            for num in $cat_input; do
+                case "$num" in
+                    1) SELECTED_CATS="$SELECTED_CATS databases" ;;
+                    2) SELECTED_CATS="$SELECTED_CATS devops" ;;
+                    3) SELECTED_CATS="$SELECTED_CATS frameworks" ;;
+                    4) SELECTED_CATS="$SELECTED_CATS meta" ;;
+                    5) SELECTED_CATS="$SELECTED_CATS optimization" ;;
+                    6) SELECTED_CATS="$SELECTED_CATS quality" ;;
+                    7) SELECTED_CATS="$SELECTED_CATS security" ;;
+                    8) SELECTED_CATS="$SELECTED_CATS testing" ;;
+                    9) SELECTED_CATS="$SELECTED_CATS workflow" ;;
+                esac
+            done
+        fi
+
+        # Generate custom profile JSON
+        PROFILE_FILE="/tmp/cortexhawk-custom-$(date +%s).json"
+        SKILL_LINES=""
+        SKILL_COUNT=0
+        for category in $SELECTED_CATS; do
+            cat_dir="$SCRIPT_DIR/skills/$category"
+            [ -d "$cat_dir" ] || continue
+            for skill_dir in "$cat_dir"/*/; do
+                [ -d "$skill_dir" ] || continue
+                skill_name=$(basename "$skill_dir")
+                [ -n "$SKILL_LINES" ] && SKILL_LINES="$SKILL_LINES,"
+                SKILL_LINES="$SKILL_LINES
+    \"$category/$skill_name\""
+                SKILL_COUNT=$((SKILL_COUNT + 1))
+            done
+        done
+
+        printf '{\n  "name": "custom",\n  "description": "Custom category selection",\n  "skills": [%s\n  ]\n}\n' "$SKILL_LINES" > "$PROFILE_FILE"
+        PROFILE="custom"
+        green "  → custom ($SKILL_COUNT skills)"
+        ;;
+    6)
+        source "$SCRIPT_DIR/scripts/autodetect-profile.sh"
+        PROFILE="autodetect"
+        green "  → autodetect ($SKILL_COUNT skills detected)"
+        ;;
+    *) PROFILE=""; green "  → all (36 skills)" ;;
+esac
+echo ""
+
+# --- Step 3b: SkillsMP API key (optional) ---
+bold "3b. SkillsMP (optional)"
+echo "  Search 87k+ community skills. Get a free key at: https://skillsmp.com/docs/api"
+echo ""
+read -r -p "  API key (press Enter to skip): " SKILLSMP_KEY
+if [ -n "$SKILLSMP_KEY" ]; then
+    if [ -f ".env" ] && grep -q '^SKILLSMP_API_KEY=' .env 2>/dev/null; then
+        sed -i "s/^SKILLSMP_API_KEY=.*/SKILLSMP_API_KEY=$SKILLSMP_KEY/" .env
+    else
+        echo "SKILLSMP_API_KEY=$SKILLSMP_KEY" >> .env
+    fi
+    green "  → saved to .env"
+else
+    yellow "  → skipped (use --search with local REGISTRY.md only)"
+fi
+echo ""
+
+# --- Step 4: Git Workflow ---
+if [ "$GLOBAL" = false ]; then
+    bold "4. Git Workflow"
+    echo ""
+
+    # 4a. Branching
+    echo "  Branching strategy:"
+    echo "    1) Direct main   — commit + push direct to main (solo/small team)"
+    echo "    2) Dev branch    — work on a fixed branch, PR to main when ready"
+    echo "    3) Feature branch — one branch per feature, merge via PR"
+    echo "    4) GitFlow       — develop/release/hotfix (formal release cycles)"
+    read -r -p "  Choice [1-4] (default: 1): " branch_choice
+    case "$branch_choice" in
+        2) GIT_BRANCHING="dev-branch" ;;
+        3) GIT_BRANCHING="feature-branches" ;;
+        4) GIT_BRANCHING="gitflow" ;;
+        *) GIT_BRANCHING="direct-main" ;;
+    esac
+
+    # If dev-branch, ask for branch name
+    GIT_WORK_BRANCH=""
+    if [ "$GIT_BRANCHING" = "dev-branch" ]; then
+        read -r -p "  Working branch name (default: dev): " work_branch
+        GIT_WORK_BRANCH="${work_branch:-dev}"
+        green "  → $GIT_BRANCHING (branch: $GIT_WORK_BRANCH)"
+    else
+        green "  → $GIT_BRANCHING"
+    fi
+    echo ""
+
+    # 4b. Commit convention
+    echo "  Commit convention:"
+    echo "    1) Conventional — feat(scope): description (default)"
+    echo "    2) Freeform     — no enforced format"
+    read -r -p "  Choice [1-2] (default: 1): " commit_choice
+    case "$commit_choice" in
+        2) GIT_COMMIT_CONVENTION="freeform" ;;
+        *) GIT_COMMIT_CONVENTION="conventional" ;;
+    esac
+    green "  → $GIT_COMMIT_CONVENTION"
+    echo ""
+
+    # 4c. PR preference
+    echo "  Pull requests:"
+    echo "    1) Never    — /ship does commit + push, no PR"
+    echo "    2) On demand — /ship asks before creating a PR (default)"
+    echo "    3) Always   — /ship always creates a PR"
+    read -r -p "  Choice [1-3] (default: 2): " pr_choice
+    case "$pr_choice" in
+        1) GIT_PR_PREFERENCE="never" ;;
+        3) GIT_PR_PREFERENCE="always" ;;
+        *) GIT_PR_PREFERENCE="on-demand" ;;
+    esac
+    green "  → $GIT_PR_PREFERENCE"
+    echo ""
+
+    # 4d. Auto-push
+    echo "  Auto-push after commit:"
+    echo "    1) Never       — commit only, manual push"
+    echo "    2) After commit — push automatically after each commit (default)"
+    echo "    3) Ask          — ask each time"
+    read -r -p "  Choice [1-3] (default: 2): " push_choice
+    case "$push_choice" in
+        1) GIT_AUTO_PUSH="never" ;;
+        3) GIT_AUTO_PUSH="ask" ;;
+        *) GIT_AUTO_PUSH="after-commit" ;;
+    esac
+    green "  → $GIT_AUTO_PUSH"
+    echo ""
+else
+    GIT_BRANCHING=""
+    GIT_COMMIT_CONVENTION=""
+    GIT_PR_PREFERENCE=""
+    GIT_AUTO_PUSH=""
+    GIT_WORK_BRANCH=""
+fi
+
+# --- Step 5: Summary + Confirmation ---
+bold "5. Summary"
+echo "  Target:      $TARGET_CLI"
+echo "  Scope:       $([ "$GLOBAL" = true ] && echo "global (~/.${TARGET_CLI}/)" || echo "local (.${TARGET_CLI}/)")"
+echo "  Skills:      $([ -n "$PROFILE" ] && echo "$PROFILE" || echo "all (36)")"
+echo "  SkillsMP:    $([ -n "$SKILLSMP_KEY" ] && echo "configured" || echo "skipped")"
+if [ -n "$GIT_BRANCHING" ]; then
+    echo "  Branching:   $GIT_BRANCHING$([ -n "$GIT_WORK_BRANCH" ] && echo " ($GIT_WORK_BRANCH)")"
+    echo "  Commits:     $GIT_COMMIT_CONVENTION"
+    echo "  PRs:         $GIT_PR_PREFERENCE"
+    echo "  Auto-push:   $GIT_AUTO_PUSH"
+fi
+echo ""
+read -r -p "Proceed? [Y/n]: " confirm
+case "$confirm" in
+    [nN]*)
+        yellow "Installation cancelled."
+        [ -n "$PROFILE_FILE" ] && rm -f "$PROFILE_FILE" 2>/dev/null
+        exit 0
+        ;;
+esac
+
+# --- Auto git setup ---
+if [ "$GLOBAL" = false ]; then
+    if [ ! -d ".git" ]; then
+        echo ""
+        read -r -p "No git repo detected. Initialize one? [Y/n]: " git_confirm
+        case "$git_confirm" in
+            [nN]*) yellow "  → skipped git init" ;;
+            *)
+                git init -q
+                green "  → git init done"
+                ;;
+        esac
+    fi
+    if [ ! -f ".gitignore" ]; then
+        cat > .gitignore <<'GITIGNORE'
+node_modules/
+__pycache__/
+.env
+.env.local
+*.log
+dist/
+build/
+.DS_Store
+GITIGNORE
+        green "  → .gitignore created"
+    fi
+fi
+
+echo ""
+green "Starting installation..."
+echo ""

package/scripts/post-install-audit.sh

@@ -0,0 +1,130 @@
+#!/bin/bash
+# post-install-audit.sh — Lightweight security audit after CortexHawk install
+# Usage: bash scripts/post-install-audit.sh <project_root>
+# Always exits 0 — warnings only, never blocking
+
+PROJECT_ROOT="${1:-.}"
+
+if [ ! -d "$PROJECT_ROOT" ]; then
+    echo "post-install-audit: directory not found: $PROJECT_ROOT"
+    exit 0
+fi
+
+cd "$PROJECT_ROOT" || exit 0
+
+WARNINGS=0
+
+yellow() { printf "\033[33m%s\033[0m\n" "$1"; }
+green() { printf "\033[32m%s\033[0m\n" "$1"; }
+cyan() { printf "\033[36m%s\033[0m\n" "$1"; }
+
+warn() { yellow "  WARN:  $1"; WARNINGS=$((WARNINGS + 1)); }
+ok() { green "  OK:    $1"; }
+
+echo ""
+echo "================================"
+cyan "Post-Install Security Audit"
+echo "================================"
+echo ""
+
+# --- 1. .gitignore covers .env ---
+echo "Checking .gitignore..."
+if [ -f ".gitignore" ]; then
+    if grep -qE '^\s*\.env\b' ".gitignore"; then
+        ok ".gitignore covers .env"
+    else
+        warn ".gitignore exists but does not cover .env"
+    fi
+else
+    warn "No .gitignore found — create one with .env listed"
+fi
+
+# --- 2. No .env files committed ---
+echo "Checking for committed .env files..."
+if command -v git &>/dev/null && [ -d ".git" ]; then
+    ENV_FILES=$(git ls-files '*.env' '.env' '.env.*' '.env.local' '.env.production' 2>/dev/null)
+    if [ -n "$ENV_FILES" ]; then
+        warn "Tracked .env files found: $ENV_FILES"
+    else
+        ok "No .env files in git history"
+    fi
+else
+    ok "Not a git repo — skipping tracked .env check"
+fi
+
+# --- 3. Hardcoded secrets in source files ---
+echo "Checking for hardcoded secrets..."
+SECRET_PATTERNS='(api[_-]?key|api[_-]?secret|password|passwd|token|secret[_-]?key|PRIVATE.KEY|AWS_SECRET)\s*[=:]\s*["'"'"'][^\s"'"'"']{8,}'
+if command -v git &>/dev/null && [ -d ".git" ]; then
+    HITS=$(git ls-files -- '*.py' '*.js' '*.ts' '*.jsx' '*.tsx' '*.go' '*.rs' '*.java' '*.rb' '*.sh' '*.yaml' '*.yml' '*.toml' 2>/dev/null \
+        | xargs grep -lEi "$SECRET_PATTERNS" 2>/dev/null || true)
+else
+    HITS=$(find . -maxdepth 3 -type f \( -name '*.py' -o -name '*.js' -o -name '*.ts' -o -name '*.jsx' -o -name '*.tsx' -o -name '*.go' -o -name '*.rs' -o -name '*.java' -o -name '*.rb' -o -name '*.sh' \) 2>/dev/null \
+        | xargs grep -lEi "$SECRET_PATTERNS" 2>/dev/null || true)
+fi
+if [ -n "$HITS" ]; then
+    for f in $HITS; do
+        warn "Potential secret in: $f"
+    done
+else
+    ok "No hardcoded secrets detected"
+fi
+
+# --- 4. Dependency vulnerabilities (non-blocking) ---
+echo "Checking dependency vulnerabilities..."
+AUDIT_RAN=false
+if [ -f "package-lock.json" ] || [ -f "package.json" ]; then
+    if command -v npm &>/dev/null; then
+        VULN_OUTPUT=$(npm audit --json 2>/dev/null | grep -o '"total":[0-9]*' | head -1 | cut -d: -f2)
+        if [ -n "$VULN_OUTPUT" ] && [ "$VULN_OUTPUT" -gt 0 ] 2>/dev/null; then
+            warn "npm audit: $VULN_OUTPUT vulnerabilities found — run 'npm audit' for details"
+        else
+            ok "npm audit: no vulnerabilities"
+        fi
+        AUDIT_RAN=true
+    fi
+fi
+if [ -f "requirements.txt" ] || [ -f "pyproject.toml" ]; then
+    if command -v pip-audit &>/dev/null; then
+        VULN_COUNT=$(pip-audit 2>/dev/null | grep -c 'VULN' || echo 0)
+        if [ "$VULN_COUNT" -gt 0 ]; then
+            warn "pip-audit: $VULN_COUNT vulnerabilities found — run 'pip-audit' for details"
+        else
+            ok "pip-audit: no vulnerabilities"
+        fi
+        AUDIT_RAN=true
+    fi
+fi
+if [ "$AUDIT_RAN" = false ]; then
+    ok "No supported dependency manager detected — skipping"
+fi
+
+# --- 5. Sensitive files tracked in git ---
+echo "Checking for tracked sensitive files..."
+SENSITIVE_PATTERNS='\.pem$|\.key$|\.p12$|\.pfx$|\.keystore$|id_rsa|id_ed25519|\.ssh/'
+if command -v git &>/dev/null && [ -d ".git" ]; then
+    SENSITIVE_FILES=$(git ls-files 2>/dev/null | grep -E "$SENSITIVE_PATTERNS" || true)
+    if [ -n "$SENSITIVE_FILES" ]; then
+        for f in $SENSITIVE_FILES; do
+            warn "Sensitive file tracked: $f"
+        done
+    else
+        ok "No sensitive files tracked"
+    fi
+else
+    ok "Not a git repo — skipping sensitive file check"
+fi
+
+# --- Summary ---
+echo ""
+echo "================================"
+if [ "$WARNINGS" -gt 0 ]; then
+    yellow "Audit complete: $WARNINGS warning(s)"
+    echo ""
+    cyan "Run /scan for a full AI-powered security audit."
+else
+    green "Audit complete: all checks clean"
+fi
+echo ""
+
+exit 0