create-byan-agent 2.15.0 → 2.17.0

package/src/byan-v2/data/strict-mantras.json

@@ -0,0 +1,188 @@
+{
+  "metadata": {
+    "source": "byan-sync-rules",
+    "generated_from": "_byan/_config/strict-mode.yaml",
+    "count": 12
+  },
+  "mantras": [
+    {
+      "id": "STRICT-1",
+      "title": "Scope Lock First",
+      "description": "Reformulate the request and lock the scope before any build. The locked scope is the contract for the rest of the task.",
+      "validation": {
+        "type": "keyword",
+        "keywords": [
+          "lock the scope",
+          "byan_strict_lock_scope",
+          "scope lock"
+        ],
+        "required": true
+      },
+      "priority": "critical"
+    },
+    {
+      "id": "STRICT-2",
+      "title": "No Downgrade",
+      "description": "Deliver the scope that was asked. Do not substitute an MVP, a stub, or a \"simplified version\" unless the user approves it and it is recorded in the audit trail.",
+      "validation": {
+        "type": "keyword",
+        "keywords": [
+          "no downgrade",
+          "downgrade",
+          "mvp"
+        ],
+        "required": true
+      },
+      "priority": "critical"
+    },
+    {
+      "id": "STRICT-3",
+      "title": "No Silent Cut",
+      "description": "If a part of the scope cannot be done, surface it as a gap in the self_verify findings. Do not drop it quietly.",
+      "validation": {
+        "type": "keyword",
+        "keywords": [
+          "silent cut",
+          "surface it as a gap",
+          "do not cut silently"
+        ],
+        "required": true
+      },
+      "priority": "high"
+    },
+    {
+      "id": "STRICT-4",
+      "title": "Self-Verify Three Times",
+      "description": "Run at least three self-verification passes against the locked acceptance criteria before calling complete.",
+      "validation": {
+        "type": "keyword",
+        "keywords": [
+          "self-verify",
+          "byan_strict_self_verify",
+          "three times"
+        ],
+        "required": true
+      },
+      "priority": "critical"
+    },
+    {
+      "id": "STRICT-5",
+      "title": "Re-Read The Original",
+      "description": "Each self-verify pass re-reads the original request, not your own summary of it.",
+      "validation": {
+        "type": "keyword",
+        "keywords": [
+          "re-read",
+          "original request"
+        ],
+        "required": true
+      },
+      "priority": "high"
+    },
+    {
+      "id": "STRICT-6",
+      "title": "Evidence Over Assertion",
+      "description": "A \"done\" claim needs an artifact (test output, file diff, command result), not a statement.",
+      "validation": {
+        "type": "keyword",
+        "keywords": [
+          "evidence",
+          "artifact",
+          "test output"
+        ],
+        "required": true
+      },
+      "priority": "high"
+    },
+    {
+      "id": "STRICT-7",
+      "title": "Hard Claim Floor",
+      "description": "Claims in security, performance, or compliance need LEVEL-1 sourcing (95%) or they are BLOCKED.",
+      "validation": {
+        "type": "keyword",
+        "keywords": [
+          "level-1",
+          "95%",
+          "blocked"
+        ],
+        "required": true
+      },
+      "priority": "critical"
+    },
+    {
+      "id": "STRICT-8",
+      "title": "Gap Is Not Failure",
+      "description": "Reporting a gap is the correct behavior. Hiding a gap is the violation.",
+      "validation": {
+        "type": "keyword",
+        "keywords": [
+          "gap is",
+          "hiding a gap",
+          "the violation"
+        ],
+        "required": true
+      },
+      "priority": "high"
+    },
+    {
+      "id": "STRICT-9",
+      "title": "Audit Trail",
+      "description": "Every scope lock, verify pass, and completion is appended to the audit log. The commit gate reads this trail.",
+      "validation": {
+        "type": "keyword",
+        "keywords": [
+          "audit trail",
+          "audit log",
+          "audit token"
+        ],
+        "required": true
+      },
+      "priority": "high"
+    },
+    {
+      "id": "STRICT-10",
+      "title": "No Premature Complete",
+      "description": "complete is rejected below three passes or when the last pass found a gap.",
+      "validation": {
+        "type": "keyword",
+        "keywords": [
+          "byan_strict_complete",
+          "rejected below",
+          "earn"
+        ],
+        "required": true
+      },
+      "priority": "critical"
+    },
+    {
+      "id": "STRICT-11",
+      "title": "Honest Status",
+      "description": "Report failing tests with their output. Report skipped steps as skipped. Do not round a partial result up to \"done\".",
+      "validation": {
+        "type": "keyword",
+        "keywords": [
+          "honest status",
+          "failing tests",
+          "skipped"
+        ],
+        "required": true
+      },
+      "priority": "high"
+    },
+    {
+      "id": "STRICT-12",
+      "title": "Full Over Fast",
+      "description": "When the user states \"complete, no cost compromise\", speed is out of scope. Do not re-question the budget under the guise of an estimate.",
+      "validation": {
+        "type": "keyword",
+        "keywords": [
+          "full over fast",
+          "no cost compromise",
+          "out of scope"
+        ],
+        "required": true
+      },
+      "priority": "high"
+    }
+  ]
+}

package/src/byan-v2/generation/mantra-validator.js

@@ -5,25 +5,60 @@ class MantraValidator {
   constructor(mantrasData = null) {
     if (mantrasData) {
       this.mantrasData = mantrasData;
+      this._explicitMantras = true;
     } else {
       const mantrasPath = path.join(__dirname, '../data/mantras.json');
       this.mantrasData = JSON.parse(fs.readFileSync(mantrasPath, 'utf8'));
+      this._explicitMantras = false;
     }
-    
-    this.mantras = this.mantrasData.mantras;
+
+    this.personaMantras = this.mantrasData.mantras;
+    this.strictMantras = this._loadStrictMantras();
+    this.mantras = this.personaMantras;
     this.results = null;
     this.agentContent = null;
   }
 
+  // Strict-mode artifacts (the byan-strict skill, AGENTS.md block, copilot
+  // block) are validated against the strict mantra set, not the 64 persona
+  // mantras. The set is generated by byan-sync-rules from strict-mode.yaml.
+  _loadStrictMantras() {
+    try {
+      const p = path.join(__dirname, '../data/strict-mantras.json');
+      if (fs.existsSync(p)) {
+        return JSON.parse(fs.readFileSync(p, 'utf8')).mantras;
+      }
+    } catch {
+      // fall through — no strict set available
+    }
+    return null;
+  }
+
+  _isStrictArtifact(content) {
+    if (typeof content !== 'string') return false;
+    if (/name:\s*byan-strict/.test(content)) return true;
+    if (/#\s*BYAN Strict Mode/.test(content)) return true;
+    const strictIds = content.match(/STRICT-\d+/g) || [];
+    return strictIds.length >= 3;
+  }
+
   validate(agentDefinition) {
     if (agentDefinition === null || agentDefinition === undefined) {
       throw new Error('Agent definition is required');
     }
 
-    this.agentContent = typeof agentDefinition === 'string' 
-      ? agentDefinition 
+    this.agentContent = typeof agentDefinition === 'string'
+      ? agentDefinition
       : JSON.stringify(agentDefinition);
 
+    // Pick the ruleset : strict artifacts get the strict mantras, unless the
+    // caller supplied an explicit mantra set in the constructor.
+    if (!this._explicitMantras && this.strictMantras && this._isStrictArtifact(this.agentContent)) {
+      this.mantras = this.strictMantras;
+    } else {
+      this.mantras = this.personaMantras;
+    }
+
     this.results = {
       totalMantras: this.mantras.length,
       compliant: [],

package/update-byan-agent/__tests__/migrate-mcp-config.test.js

@@ -13,6 +13,7 @@ const fs   = require('fs-extra');
 
 // Module under test (loaded once; all I/O goes to tmpdir per test)
 const { runMigration } = require('../lib/migrate-mcp-config');
+const { mcpConfig: { TOKEN_PLACEHOLDER } } = require('byan-platform-config');
 
 // ──────────────────────────────────────────────────────────────────────────────
 // Helpers
@@ -69,16 +70,16 @@ test('returns no-byan-server if .mcp.json has other servers but no byan entry',
 });
 
 // ──────────────────────────────────────────────────────────────────────────────
-// Test 3 — byan entry already has token and URL without /api suffix → already-ok
+// Test 3 — byan entry already has placeholder + clean URL → already-ok
 // ──────────────────────────────────────────────────────────────────────────────
-test('returns already-ok if byan entry has token and no /api suffix', async () => {
+test('returns already-ok if byan entry has no BYAN_API_TOKEN (token belongs in .env / settings.local.json)', async () => {
   const dir = await makeTmp();
   await writeMcp(dir, {
     mcpServers: {
       byan: {
         command: 'node',
         args:    ['_byan/mcp/byan-mcp-server/server.js'],
-        env:     { BYAN_API_URL: 'https://api.byan.io', BYAN_API_TOKEN: 'byan_tok' },
+        env:     { BYAN_API_URL: 'https://api.byan.io' },
       },
     },
   });
@@ -91,7 +92,7 @@ test('returns already-ok if byan entry has token and no /api suffix', async () =
 // ──────────────────────────────────────────────────────────────────────────────
 // Test 4 — needs token but .env + settings.local.json both empty → no-token-available
 // ──────────────────────────────────────────────────────────────────────────────
-test('returns no-token-available if .mcp.json needs token but sources are empty', async () => {
+test('returns already-ok if .mcp.json has no BYAN_API_TOKEN (token absence is now the desired state)', async () => {
   const dir = await makeTmp();
   await writeMcp(dir, {
     mcpServers: {
@@ -99,23 +100,19 @@ test('returns no-token-available if .mcp.json needs token but sources are empty'
         command: 'node',
         args:    ['_byan/mcp/byan-mcp-server/server.js'],
         env:     { BYAN_API_URL: 'https://api.byan.io' },
-        // no BYAN_API_TOKEN
       },
     },
   });
-  // no .env, no settings.local.json
   const result = await runMigration(dir);
   expect(result.migrated).toBe(false);
-  expect(result.reason).toBe('no-token-available');
-  expect(typeof result.hint).toBe('string');
-  expect(result.hint.length).toBeGreaterThan(0);
+  expect(result.reason).toBe('already-ok');
   await fs.remove(dir);
 });
 
 // ──────────────────────────────────────────────────────────────────────────────
 // Test 5 — migrates successfully: token from .env
 // ──────────────────────────────────────────────────────────────────────────────
-test('migrates: token from .env → .mcp.json env.BYAN_API_TOKEN', async () => {
+test('with token already absent in .mcp.json + .env populated: no-op (already-ok), .env preserved untouched', async () => {
   const dir = await makeTmp();
   await writeMcp(dir, {
     mcpServers: {
@@ -129,19 +126,18 @@ test('migrates: token from .env → .mcp.json env.BYAN_API_TOKEN', async () => {
   await writeDotenv(dir, 'BYAN_API_TOKEN=byan_from_dotenv\n');
 
   const result = await runMigration(dir);
-  expect(result.migrated).toBe(true);
-  expect(result.reason).toBe('healed');
-  expect(result.changes.length).toBeGreaterThanOrEqual(1);
+  expect(result.migrated).toBe(false);
+  expect(result.reason).toBe('already-ok');
 
-  const written = await readMcp(dir);
-  expect(written.mcpServers.byan.env.BYAN_API_TOKEN).toBe('byan_from_dotenv');
+  const dotenvAfter = await fs.readFile(path.join(dir, '.env'), 'utf8');
+  expect(dotenvAfter).toBe('BYAN_API_TOKEN=byan_from_dotenv\n');
   await fs.remove(dir);
 });
 
 // ──────────────────────────────────────────────────────────────────────────────
 // Test 6 — migrates successfully: token from .claude/settings.local.json fallback
 // ──────────────────────────────────────────────────────────────────────────────
-test('migrates: token from settings.local.json fallback', async () => {
+test('with token in settings.local.json + absent from .mcp.json: no-op (already-ok), settings preserved', async () => {
   const dir = await makeTmp();
   await writeMcp(dir, {
     mcpServers: {
@@ -152,22 +148,20 @@ test('migrates: token from settings.local.json fallback', async () => {
       },
     },
   });
-  // no .env, token in settings.local.json
   await writeSettingsLocal(dir, { env: { BYAN_API_TOKEN: 'byan_from_settings' } });
 
   const result = await runMigration(dir);
-  expect(result.migrated).toBe(true);
-  expect(result.reason).toBe('healed');
-
-  const written = await readMcp(dir);
-  expect(written.mcpServers.byan.env.BYAN_API_TOKEN).toBe('byan_from_settings');
+  expect(result.migrated).toBe(false);
+  expect(result.reason).toBe('already-ok');
+  const settings = await fs.readJson(path.join(dir, '.claude', 'settings.local.json'));
+  expect(settings.env.BYAN_API_TOKEN).toBe('byan_from_settings');
   await fs.remove(dir);
 });
 
 // ──────────────────────────────────────────────────────────────────────────────
 // Test 7 — strips /api suffix from BYAN_API_URL
 // ──────────────────────────────────────────────────────────────────────────────
-test('strips /api suffix from BYAN_API_URL', async () => {
+test('strips /api suffix and extracts clear token to .env (token removed from .mcp.json)', async () => {
   const dir = await makeTmp();
   await writeMcp(dir, {
     mcpServers: {
@@ -184,7 +178,60 @@ test('strips /api suffix from BYAN_API_URL', async () => {
 
   const written = await readMcp(dir);
   expect(written.mcpServers.byan.env.BYAN_API_URL).toBe('https://api.byan.io');
-  expect(written.mcpServers.byan.env.BYAN_API_TOKEN).toBe('byan_tok');
+  expect(written.mcpServers.byan.env.BYAN_API_TOKEN).toBeUndefined();
+  const dotenvContent = await fs.readFile(path.join(dir, '.env'), 'utf8');
+  expect(dotenvContent).toContain('BYAN_API_TOKEN=byan_tok');
+  const raw = await fs.readFile(path.join(dir, '.mcp.json'), 'utf8');
+  expect(raw).not.toContain('byan_tok');
+  await fs.remove(dir);
+});
+
+test('extracts clear token from .mcp.json into .env and removes it from .mcp.json (security migration)', async () => {
+  const dir = await makeTmp();
+  await writeMcp(dir, {
+    mcpServers: {
+      byan: {
+        command: 'node',
+        args:    ['_byan/mcp/byan-mcp-server/server.js'],
+        env:     { BYAN_API_URL: 'https://api.byan.io', BYAN_API_TOKEN: 'byan_leaked_in_clear' },
+      },
+    },
+  });
+
+  const result = await runMigration(dir);
+  expect(result.migrated).toBe(true);
+  expect(result.reason).toBe('healed');
+  expect(result.changes.some((c) => /extracted/i.test(c))).toBe(true);
+
+  const written = await readMcp(dir);
+  expect(written.mcpServers.byan.env.BYAN_API_TOKEN).toBeUndefined();
+
+  const raw = await fs.readFile(path.join(dir, '.mcp.json'), 'utf8');
+  expect(raw).not.toContain('byan_leaked_in_clear');
+
+  const dotenvContent = await fs.readFile(path.join(dir, '.env'), 'utf8');
+  expect(dotenvContent).toContain('BYAN_API_TOKEN=byan_leaked_in_clear');
+  await fs.remove(dir);
+});
+
+test('removes ${BYAN_API_TOKEN} placeholder from .mcp.json (no value to extract)', async () => {
+  const dir = await makeTmp();
+  await writeMcp(dir, {
+    mcpServers: {
+      byan: {
+        command: 'node',
+        args:    ['_byan/mcp/byan-mcp-server/server.js'],
+        env:     { BYAN_API_URL: 'https://api.byan.io', BYAN_API_TOKEN: TOKEN_PLACEHOLDER },
+      },
+    },
+  });
+
+  const result = await runMigration(dir);
+  expect(result.migrated).toBe(true);
+  expect(result.reason).toBe('healed');
+
+  const written = await readMcp(dir);
+  expect(written.mcpServers.byan.env.BYAN_API_TOKEN).toBeUndefined();
   await fs.remove(dir);
 });
 
@@ -215,6 +262,9 @@ test('dry-run: does not write .mcp.json but returns changes', async () => {
   const afterMcp = await readMcp(dir);
   expect(afterMcp.mcpServers.byan.env.BYAN_API_URL).toBe('https://api.byan.io/api');
   expect(afterMcp.mcpServers.byan.env.BYAN_API_TOKEN).toBeUndefined();
+  // .env must NOT have been touched on dry-run either
+  const dotenvAfter = await fs.readFile(path.join(dir, '.env'), 'utf8');
+  expect(dotenvAfter).toBe('BYAN_API_TOKEN=byan_dryrun_tok\n');
   await fs.remove(dir);
 });
 

package/update-byan-agent/lib/migrate-mcp-config.js

@@ -1,16 +1,20 @@
 /**
  * migrate-mcp-config — self-healing migration for pre-fix BYAN installs.
  *
- * Injects BYAN_API_TOKEN into .mcp.json env block if absent, and strips the
- * legacy /api suffix from BYAN_API_URL. Uses byan-platform-config primitives
- * exclusively; no duplicated logic here.
+ * Heals three drift cases on .mcp.json:
+ *   1. token missing       → injects ${BYAN_API_TOKEN} placeholder
+ *   2. url has /api suffix → strips it
+ *   3. token in clear      → extracts to .env and replaces with placeholder
+ *                            (security fix from BYAN >=2.16.0)
+ *
+ * Uses byan-platform-config primitives exclusively; no duplicated logic here.
  */
 
 const chalk = require('chalk');
 const ora = require('ora');
 const {
-  mcpConfig: { readMcpConfig, ensureMcpConfig },
-  envConfig:  { readEnvToken },
+  mcpConfig: { readMcpConfig, ensureMcpConfig, TOKEN_PLACEHOLDER },
+  envConfig:  { readEnvToken, updateDotenv },
   urlUtils:   { stripApiSuffix },
 } = require('byan-platform-config');
 
@@ -65,32 +69,27 @@ async function runMigration(projectRoot, { dryRun = false, verbose = false } = {
   stopSpinner(chalk.gray('.mcp.json lu'), true);
 
   // 3. Diagnose
-  const tokenMissing   = !byan.env || !byan.env.BYAN_API_TOKEN;
-  const urlHasApiSuffix = /\/api\/?$/.test(byan.env && byan.env.BYAN_API_URL || '');
+  const currentToken      = (byan.env && byan.env.BYAN_API_TOKEN) || '';
+  const tokenIsPlaceholder = currentToken === TOKEN_PLACEHOLDER;
+  const tokenInClear      = !!currentToken && !tokenIsPlaceholder;
+  const tokenIsLegacy     = !!currentToken; // any non-empty value is legacy: token must not live in .mcp.json
+  const urlHasApiSuffix   = /\/api\/?$/.test(byan.env && byan.env.BYAN_API_URL || '');
 
   // 4. Nothing to do?
-  if (!tokenMissing && !urlHasApiSuffix) {
-    log(chalk.green('  .mcp.json est deja a jour (token present, URL correcte)'));
+  if (!tokenIsLegacy && !urlHasApiSuffix) {
+    log(chalk.green('  .mcp.json est deja a jour (token absent du fichier, URL correcte)'));
     return { migrated: false, reason: 'already-ok' };
   }
 
   const changes = [];
-
-  // 5. Resolve token
-  let token = byan.env && byan.env.BYAN_API_TOKEN; // may already exist (url-only fix)
-  if (tokenMissing) {
-    startSpinner('Recherche BYAN_API_TOKEN (.env / settings.local.json)...');
-    token = await readEnvToken(projectRoot);
-    if (!token) {
-      stopSpinner(chalk.yellow('Token introuvable'), false);
-      return {
-        migrated: false,
-        reason:   'no-token-available',
-        hint:     'Re-run npx create-byan-agent to prompt for a token',
-      };
-    }
-    stopSpinner(chalk.green('Token trouve'), true);
-    changes.push('BYAN_API_TOKEN injected into .mcp.json env');
+  let extractedClearToken = null;
+
+  // 5. Detect a clear-text token to relocate to .env
+  if (tokenInClear) {
+    extractedClearToken = currentToken;
+    changes.push('BYAN_API_TOKEN extracted from .mcp.json (clear) into .env, removed from .mcp.json');
+  } else if (tokenIsPlaceholder) {
+    changes.push('BYAN_API_TOKEN placeholder removed from .mcp.json (token now resolved via settings.local.json env)');
   }
 
   // 6. Resolve URL
@@ -108,9 +107,16 @@ async function runMigration(projectRoot, { dryRun = false, verbose = false } = {
     return { migrated: false, reason: 'dry-run', changes };
   }
 
-  // 8. Apply via ensureMcpConfig
+  // 8. Apply
   startSpinner('Application de la migration...');
-  await ensureMcpConfig(projectRoot, { apiUrl: cleanUrl || existingUrl, token });
+  if (extractedClearToken) {
+    const existingDotenvToken = await readEnvToken(projectRoot);
+    if (!existingDotenvToken || existingDotenvToken !== extractedClearToken) {
+      await updateDotenv(projectRoot, { BYAN_API_TOKEN: extractedClearToken });
+    }
+  }
+  // ensureMcpConfig always strips BYAN_API_TOKEN from .mcp.json (security)
+  await ensureMcpConfig(projectRoot, { apiUrl: cleanUrl || existingUrl });
   stopSpinner(chalk.green('.mcp.json migre avec succes'), true);
 
   // 9. Return result