create-hq 10.7.1 → 10.9.0

package/commands/team-sync.md

@@ -0,0 +1,431 @@
+# Sync Team Content
+
+Pull latest team content and push local changes for all joined teams. Bidirectional git sync using `gh` CLI for authentication — no manual git operations needed.
+
+**Usage:** `/sync` or `/sync --team <slug>` or `/sync --dry-run`
+
+**Requires:** `gh` CLI authenticated (`gh auth status`)
+
+## Arguments
+
+Parse the user's input for:
+- `--team <slug>` — Sync only a specific team by slug (e.g., `--team indigo`)
+- `--dry-run` — Show what would be synced without making changes
+
+If no flags, sync all discovered teams.
+
+## Process
+
+1. Discover teams from `companies/*/team.json`
+2. Verify `gh` CLI is authenticated
+3. For each team: pull remote changes, then push local changes
+4. Sync command symlinks
+5. Report what was pulled and pushed
+
+## Steps
+
+### 1. Verify gh CLI
+
+Check that `gh` is installed and authenticated:
+```bash
+gh auth status 2>&1
+```
+
+If `gh` is not found:
+```
+GitHub CLI (gh) is required for team commands.
+Install it: https://cli.github.com
+```
+Stop here.
+
+If not authenticated:
+```
+GitHub CLI is not authenticated. Run:
+  gh auth login
+Then try /sync again.
+```
+Stop here.
+
+Ensure git is configured to use `gh` for HTTPS authentication:
+```bash
+gh auth setup-git 2>&1
+```
+
+### 2. Discover teams
+
+Find all team.json files:
+```bash
+find companies/*/team.json -maxdepth 0 2>/dev/null
+```
+
+If no files found:
+```
+No teams found. Join a team first:
+  npx create-hq
+```
+Stop here.
+
+If `--team <slug>` was specified, filter to only `companies/{slug}/team.json`. If that file doesn't exist:
+```
+Team "{slug}" not found. Available teams:
+  {list discovered team slugs}
+```
+Stop here.
+
+### 3. Sync each team
+
+For each team (or the single `--team` target):
+
+#### 3a. Read team metadata
+
+Read `companies/{slug}/team.json` and extract:
+- `team_name` — human-readable name
+- `team_slug` — directory slug
+
+Get the remote URL:
+```bash
+git -C companies/{slug} remote get-url origin
+```
+
+If no git remote is configured:
+```
+Team "{slug}" has no git remote configured. Was it set up correctly?
+Try re-joining: npx create-hq
+```
+Skip this team and continue.
+
+#### 3b. Check local status
+
+```bash
+git -C companies/{slug} status --short
+```
+
+Note which files have local modifications (these will be pushed after pulling).
+
+#### 3c. Pull remote changes (--dry-run: fetch only)
+
+If `--dry-run`:
+```bash
+git -C companies/{slug} fetch origin 2>&1
+git -C companies/{slug} log HEAD..origin/main --oneline 2>/dev/null
+```
+
+Show what would be pulled:
+```
+[dry-run] Would pull from {team_name}:
+  {list of incoming commits}
+```
+
+If NOT `--dry-run`:
+```bash
+git -C companies/{slug} pull origin main --ff-only 2>&1
+```
+
+Capture the output. If pull succeeds, parse the output for:
+- "Already up to date." → nothing to report
+- File change summary → report changed files
+
+If `--ff-only` fails (diverged history):
+```bash
+git -C companies/{slug} pull origin main --no-rebase 2>&1
+```
+
+If the merge pull succeeds (auto-merged), continue to step 3d.
+
+If the merge pull fails with conflicts, enter the **conflict resolution flow**:
+
+##### Conflict Detection
+
+List the conflicting files:
+```bash
+git -C companies/{slug} diff --name-only --diff-filter=U
+```
+
+For each conflicting file, show a plain-language summary:
+```
+Sync conflict in {team_name} ({slug}):
+
+  {N} file(s) have changes on both your machine and the team repo:
+
+    {filename_1}:
+      Your change:  {brief description from local side of conflict}
+      Team change:  {brief description from remote side of conflict}
+
+    {filename_2}:
+      Your change:  ...
+      Team change:  ...
+```
+
+To generate descriptions, read each conflicting file and look for `<<<<<<<`, `=======`, `>>>>>>>` markers. Summarize the content between `<<<<<<<` and `=======` as "Your change" and between `=======` and `>>>>>>>` as "Team change". Keep descriptions short and jargon-free.
+
+##### Resolution Options
+
+Ask the user which resolution strategy to use:
+
+```
+How would you like to resolve these conflicts?
+
+  1. Keep my local version (discard team changes for conflicting files)
+  2. Keep team version (discard my local changes for conflicting files)
+  3. Let me resolve manually (I'll edit the files, then re-run /sync)
+```
+
+**Option 1 — Keep local:**
+For each conflicting file:
+```bash
+git -C companies/{slug} checkout --ours -- {filename}
+git -C companies/{slug} add {filename}
+```
+Then complete the merge:
+```bash
+git -C companies/{slug} commit -m "sync: resolved conflicts — kept local versions"
+```
+Report: `Kept your local version for {N} file(s). Merge complete.`
+Continue to step 3d (push).
+
+**Option 2 — Keep remote (team):**
+For each conflicting file:
+```bash
+git -C companies/{slug} checkout --theirs -- {filename}
+git -C companies/{slug} add {filename}
+```
+Then complete the merge:
+```bash
+git -C companies/{slug} commit -m "sync: resolved conflicts — kept team versions"
+```
+Report: `Kept team version for {N} file(s). Merge complete.`
+Continue to step 3d (push).
+
+**Option 3 — Manual merge:**
+```
+OK — the conflicting files have been left with merge markers.
+Open these files and look for lines like:
+
+  <<<<<<< HEAD
+  (your version)
+  =======
+  (team version)
+  >>>>>>>
+
+Edit each file to keep what you want, then delete the marker lines.
+When you're done, run /sync again to complete the merge.
+```
+**Do NOT push for this team.** Skip to the next team. The user will re-run /sync after editing.
+
+##### Never Silently Overwrite
+
+If at any point the merge would silently overwrite local changes (e.g., a force-pull), **do not proceed**. Always show the user what will change and let them choose. The `--no-rebase` flag ensures git does not rewrite local history.
+
+##### Post-Resolution State
+
+After resolving (options 1 or 2), verify the working tree is clean:
+```bash
+git -C companies/{slug} status --short
+```
+
+If clean: report `Conflicts resolved. Ready to push.` and continue.
+If still dirty: report remaining issues and skip push for this team.
+
+#### 3d. Push local changes (--dry-run: show status only)
+
+If there are local changes to push (from step 3b):
+
+If `--dry-run`:
+```bash
+git -C companies/{slug} diff --stat HEAD 2>/dev/null
+```
+
+Show what would be pushed:
+```
+[dry-run] Would push from {team_name}:
+  {list of local changes}
+```
+
+If NOT `--dry-run`:
+
+First, stage and commit any uncommitted changes:
+```bash
+git -C companies/{slug} add -A
+git -C companies/{slug} diff --cached --quiet || git -C companies/{slug} commit -m "sync: local changes from $(whoami)"
+```
+
+#### 3d-pre. Pre-push secrets scan
+
+Before pushing, scan the changes for accidental secrets or PII. Compare what will be pushed against the remote:
+
+```bash
+git -C companies/{slug} diff origin/main..HEAD -- . ':!team.json' 2>/dev/null
+```
+
+Scan the diff output for these patterns:
+
+| Pattern | Description |
+|---------|-------------|
+| `(?i)(api[_-]?key\|api[_-]?secret)\s*[:=]\s*\S+` | API keys |
+| `(?i)(password\|passwd\|pwd)\s*[:=]\s*\S+` | Passwords |
+| `(?i)(secret\|token)\s*[:=]\s*['"]?[A-Za-z0-9+/=_-]{20,}` | Tokens/secrets |
+| `-----BEGIN (RSA\|DSA\|EC\|OPENSSH) PRIVATE KEY-----` | Private keys |
+| `(?i)(aws_access_key_id\|aws_secret_access_key)\s*=\s*\S+` | AWS credentials |
+| `ghp_[A-Za-z0-9]{36}\|gho_[A-Za-z0-9]{36}\|ghu_[A-Za-z0-9]{36}` | GitHub tokens |
+| `sk-[A-Za-z0-9]{20,}` | OpenAI/Stripe-style keys |
+| `^\+.*\.env` | .env file additions |
+
+Run the scan:
+```bash
+git -C companies/{slug} diff origin/main..HEAD -- . ':!team.json' 2>/dev/null | grep -nE '(api[_-]?key|api[_-]?secret|password|passwd|pwd|secret|token)\s*[:=]|-----BEGIN .* PRIVATE KEY-----|aws_(access_key_id|secret_access_key)\s*=|ghp_[A-Za-z0-9]{36}|gho_[A-Za-z0-9]{36}|ghu_[A-Za-z0-9]{36}|sk-[A-Za-z0-9]{20,}' || true
+```
+
+**If matches found:**
+
+```
+Pre-push security scan found potential secrets:
+
+  {filename}:{line}: {matched pattern preview}
+  {filename}:{line}: {matched pattern preview}
+
+These look like they might contain sensitive data (API keys, tokens, passwords, or private keys).
+Pushing secrets to a shared repo is hard to undo — they persist in git history.
+
+Options:
+  1. Remove the sensitive data and re-run /sync
+  2. Push anyway (I've verified these are safe to share)
+```
+
+If the user chooses option 1: skip the push for this team. The user will edit files and re-run /sync.
+If the user chooses option 2: continue to push.
+
+**If no matches found:** Continue to push silently (no output needed).
+
+#### 3d-push. Push to remote
+
+Then push:
+```bash
+git -C companies/{slug} push origin main 2>&1
+```
+
+If push fails because remote has new changes (non-fast-forward):
+```
+Remote has new changes. Pulling first, then retrying push...
+```
+Pull again (step 3c flow). If pull triggers conflicts, enter the conflict resolution flow above. After a clean pull, retry the push once:
+```bash
+git -C companies/{slug} push origin main 2>&1
+```
+If the retry also fails, report the error and skip this team:
+```
+Push failed for {team_name} after retry. Error: {error message}
+You can try again later with /sync --team {slug}
+```
+
+### 4. Sync command symlinks
+
+After all teams have been synced, manage command symlinks so team-distributed commands are available as slash commands.
+
+#### 4a. Scan for team commands
+
+For each synced team, check if the team directory contains distributed commands:
+```bash
+ls companies/{slug}/.claude/commands/*.md 2>/dev/null
+```
+
+If the directory doesn't exist or has no `.md` files, skip this team for symlink management.
+
+#### 4b. Create symlinks for new commands
+
+For each `.md` file found in `companies/{slug}/.claude/commands/`:
+
+1. Determine the symlink name using the pattern `{slug}--{command}.md` (double-dash separates team slug from command name). For example: `companies/acme/.claude/commands/deploy.md` → `.claude/commands/acme--deploy.md`
+
+2. Check if the symlink target already exists at `.claude/commands/{slug}--{command}.md`:
+   - If it's already a symlink pointing to the correct source → skip (already linked)
+   - If it exists but is NOT a symlink (a real file or symlink to wrong target) → warn and skip:
+     ```
+     Skipping {slug}--{command}.md — file already exists (not a team symlink)
+     ```
+   - If it doesn't exist → create the symlink:
+     ```bash
+     ln -s "../../companies/{slug}/.claude/commands/{command}.md" ".claude/commands/{slug}--{command}.md"
+     ```
+
+3. Track linked commands for the report.
+
+**Note on relative paths:** Symlinks use relative paths (`../../companies/...`) so they work regardless of HQ's absolute location. The path is relative from `.claude/commands/` to `companies/{slug}/.claude/commands/`.
+
+If `--dry-run`:
+```
+[dry-run] Would link commands for {team_name}:
+  {slug}--{command}.md → companies/{slug}/.claude/commands/{command}.md
+```
+Do not create actual symlinks.
+
+#### 4c. Remove stale symlinks
+
+Scan `.claude/commands/` for symlinks that match the team pattern (`{slug}--*.md`) but whose targets no longer exist (the source command was removed from the team repo):
+
+```bash
+for link in .claude/commands/{slug}--*.md; do
+  if [ -L "$link" ] && [ ! -e "$link" ]; then
+    rm "$link"
+    # Track as unlinked for report
+  fi
+done
+```
+
+Also remove symlinks for commands that were removed from the team's `.claude/commands/` directory — compare the set of existing symlinks against the set of current source files:
+
+```bash
+# Get current team commands
+CURRENT=$(ls companies/{slug}/.claude/commands/*.md 2>/dev/null | xargs -I{} basename {})
+# Get current symlinks for this team
+LINKED=$(ls -la .claude/commands/{slug}--*.md 2>/dev/null | grep "^l" | awk '{print $NF}' | xargs -I{} basename {})
+# Any symlink not matching a current command → remove
+```
+
+If `--dry-run`, show what would be removed without removing.
+
+#### 4d. Symlink summary (per team)
+
+Collect results for the final report:
+- Commands linked (new symlinks created)
+- Commands already linked (unchanged)
+- Commands unlinked (stale symlinks removed)
+- Commands skipped (name collision)
+
+### 5. Report results
+
+After syncing all teams, display a summary:
+
+```
+Sync complete:
+
+  {team_name} ({slug}):
+    Pulled: {N} files changed ({list or "up to date"})
+    Pushed: {N} files changed ({list or "nothing to push"})
+
+  {team_name_2} ({slug_2}):
+    Pulled: ...
+    Pushed: ...
+```
+
+If `--dry-run`:
+```
+Dry run complete — no changes were made.
+
+  {team_name} ({slug}):
+    Would pull: {N} incoming commits
+    Would push: {N} local changes
+```
+
+## Security Notes
+
+- Git authentication is handled by `gh auth setup-git`, which configures a credential helper that delegates to `gh`. No tokens are stored on disk or passed via environment variables.
+- No askpass scripts, no credential.helper overrides, no GIT_TOKEN env vars.
+- `gh` stores credentials in the OS keychain (macOS Keychain, Windows Credential Manager) and handles token refresh transparently.
+
+## Troubleshooting
+
+- **"gh: command not found"** — Install GitHub CLI: https://cli.github.com
+- **"not logged into any GitHub hosts"** — Run `gh auth login`
+- **"No git remote"** — Team directory wasn't set up correctly; re-join the team
+- **"Permission denied" on push** — Your GitHub account may not have write access to this repo
+- **Merge conflicts** — See conflict messages; resolve manually or wait for `/sync` conflict resolution

package/dist/__tests__/auth.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=auth.test.d.ts.map

package/dist/__tests__/auth.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/auth.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/auth.test.js

@@ -0,0 +1,201 @@
+import { describe, it, expect, vi, beforeEach, afterEach, afterAll } from "vitest";
+import * as path from "path";
+import * as os from "os";
+import * as fs from "fs";
+/**
+ * Unit tests for auth.ts:
+ *   - githubApi error handling (403 on /user/installations)
+ *   - ~/.hq/app-token.json persistence (load / save / clear)
+ *   - Token validation via /user/installations probe
+ */
+// ─── Mocks ─────────────────────────────────────────────────────────────────
+const mockFetch = vi.fn();
+vi.stubGlobal("fetch", mockFetch);
+// Mock child_process so module-level execSync calls in auth.ts don't run
+vi.mock("child_process", () => ({
+    exec: vi.fn(),
+    execSync: vi.fn(),
+}));
+// Import after mocks are in place
+const { githubApi, loadGitHubAuth, saveGitHubAuth, clearGitHubAuth, isGitHubAuthValid, isAppScopedToken, HQ_APP_TOKEN_PATH, } = await import("../auth.js");
+// ─── Fixtures ──────────────────────────────────────────────────────────────
+const fakeAuth = {
+    access_token: "ghu_fake_app_token",
+    login: "testuser",
+    id: 12345,
+    name: "Test User",
+    email: "test@example.com",
+    issued_at: new Date().toISOString(),
+};
+// Use a temp directory so tests don't touch the real ~/.hq/
+const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "create-hq-auth-test-"));
+const tmpTokenPath = path.join(tmpDir, "app-token.json");
+// ─── githubApi ─────────────────────────────────────────────────────────────
+describe("githubApi", () => {
+    beforeEach(() => mockFetch.mockReset());
+    it("throws a user-friendly message on 403 for /user/installations", async () => {
+        mockFetch.mockResolvedValueOnce({
+            ok: false,
+            status: 403,
+            text: async () => JSON.stringify({
+                message: "You must authenticate with an access token authorized to a GitHub App in order to list installations",
+                documentation_url: "https://docs.github.com/rest/apps/installations#list-app-installations-accessible-to-the-user-access-token",
+                status: "403",
+            }),
+        });
+        await expect(githubApi("/user/installations?per_page=100", fakeAuth)).rejects.toThrow(/signed in with a regular GitHub token/i);
+    });
+    it("includes the re-run hint in the 403 installations error", async () => {
+        mockFetch.mockResolvedValueOnce({
+            ok: false,
+            status: 403,
+            text: async () => JSON.stringify({
+                message: "You must authenticate with an access token authorized to a GitHub App",
+            }),
+        });
+        await expect(githubApi("/user/installations?per_page=100", fakeAuth)).rejects.toThrow(/npx create-hq/);
+    });
+    it("preserves the raw error for non-installation 403s", async () => {
+        mockFetch.mockResolvedValueOnce({
+            ok: false,
+            status: 403,
+            text: async () => JSON.stringify({ message: "Resource not accessible by integration" }),
+        });
+        await expect(githubApi("/orgs/acme/repos", fakeAuth)).rejects.toThrow(/GitHub API 403 \/orgs\/acme\/repos/);
+    });
+    it("throws the raw error for non-403 failures", async () => {
+        mockFetch.mockResolvedValueOnce({
+            ok: false,
+            status: 404,
+            text: async () => JSON.stringify({ message: "Not Found" }),
+        });
+        await expect(githubApi("/user/installations?per_page=100", fakeAuth)).rejects.toThrow(/GitHub API 404/);
+    });
+    it("returns parsed JSON on success", async () => {
+        mockFetch.mockResolvedValueOnce({
+            ok: true,
+            status: 200,
+            json: async () => ({ installations: [] }),
+        });
+        const result = await githubApi("/user/installations?per_page=100", fakeAuth);
+        expect(result).toEqual({ installations: [] });
+    });
+});
+// ─── ~/.hq/app-token.json persistence ──────────────────────────────────────
+describe("App token persistence", () => {
+    afterEach(() => {
+        // Clean up temp token file between tests
+        try {
+            fs.unlinkSync(tmpTokenPath);
+        }
+        catch { }
+    });
+    afterEach(() => {
+        // Clean up the real path if any test accidentally wrote there
+        // (shouldn't happen — we test with tmpTokenPath)
+    });
+    it("HQ_APP_TOKEN_PATH points to ~/.hq/app-token.json", () => {
+        const expected = path.join(os.homedir(), ".hq", "app-token.json");
+        expect(HQ_APP_TOKEN_PATH).toBe(expected);
+    });
+    it("saveGitHubAuth writes token file to disk", () => {
+        saveGitHubAuth(fakeAuth, tmpTokenPath);
+        // File was written
+        expect(fs.existsSync(tmpTokenPath)).toBe(true);
+        const stored = JSON.parse(fs.readFileSync(tmpTokenPath, "utf-8"));
+        expect(stored.login).toBe("testuser");
+        expect(stored.access_token).toBe("ghu_fake_app_token");
+    });
+    it("saveGitHubAuth creates ~/.hq/ directory if missing", () => {
+        const nested = path.join(tmpDir, "sub", "app-token.json");
+        saveGitHubAuth(fakeAuth, nested);
+        expect(fs.existsSync(nested)).toBe(true);
+    });
+    it("saveGitHubAuth sets restrictive file permissions (0600)", () => {
+        saveGitHubAuth(fakeAuth, tmpTokenPath);
+        const stat = fs.statSync(tmpTokenPath);
+        // Owner read+write only (0600 = 0o600 = 384 decimal)
+        expect(stat.mode & 0o777).toBe(0o600);
+    });
+    it("loadGitHubAuth reads from token file when present", () => {
+        // Write a valid token file
+        fs.writeFileSync(tmpTokenPath, JSON.stringify(fakeAuth), "utf-8");
+        const loaded = loadGitHubAuth(tmpTokenPath);
+        expect(loaded).not.toBeNull();
+        expect(loaded.login).toBe("testuser");
+        expect(loaded.access_token).toBe("ghu_fake_app_token");
+    });
+    it("loadGitHubAuth returns null when token file does not exist", () => {
+        const loaded = loadGitHubAuth(tmpTokenPath);
+        expect(loaded).toBeNull();
+    });
+    it("loadGitHubAuth returns null for corrupted JSON", () => {
+        fs.writeFileSync(tmpTokenPath, "NOT VALID JSON{{{", "utf-8");
+        const loaded = loadGitHubAuth(tmpTokenPath);
+        expect(loaded).toBeNull();
+    });
+    it("loadGitHubAuth returns null when token file is missing access_token", () => {
+        fs.writeFileSync(tmpTokenPath, JSON.stringify({ login: "x", id: 1 }), "utf-8");
+        const loaded = loadGitHubAuth(tmpTokenPath);
+        expect(loaded).toBeNull();
+    });
+    it("clearGitHubAuth removes the token file", () => {
+        fs.writeFileSync(tmpTokenPath, JSON.stringify(fakeAuth), "utf-8");
+        expect(fs.existsSync(tmpTokenPath)).toBe(true);
+        clearGitHubAuth(tmpTokenPath);
+        expect(fs.existsSync(tmpTokenPath)).toBe(false);
+    });
+    it("clearGitHubAuth is a no-op when file does not exist", () => {
+        // Should not throw
+        clearGitHubAuth(tmpTokenPath);
+    });
+});
+// ─── isGitHubAuthValid ─────────────────────────────────────────────────────
+describe("isGitHubAuthValid", () => {
+    beforeEach(() => mockFetch.mockReset());
+    it("returns true when /user responds 200", async () => {
+        mockFetch.mockResolvedValueOnce({ ok: true });
+        expect(await isGitHubAuthValid(fakeAuth)).toBe(true);
+    });
+    it("returns false when /user responds non-ok", async () => {
+        mockFetch.mockResolvedValueOnce({ ok: false, status: 401 });
+        expect(await isGitHubAuthValid(fakeAuth)).toBe(false);
+    });
+    it("returns false on network error", async () => {
+        mockFetch.mockRejectedValueOnce(new Error("ECONNREFUSED"));
+        expect(await isGitHubAuthValid(fakeAuth)).toBe(false);
+    });
+});
+// ─── isAppScopedToken ──────────────────────────────────────────────────────
+describe("isAppScopedToken", () => {
+    beforeEach(() => mockFetch.mockReset());
+    it('returns "yes" when /user/installations responds 200', async () => {
+        mockFetch.mockResolvedValueOnce({ ok: true, status: 200 });
+        expect(await isAppScopedToken(fakeAuth)).toBe("yes");
+    });
+    it('returns "no" on 403 (definitive — wrong token type)', async () => {
+        mockFetch.mockResolvedValueOnce({ ok: false, status: 403 });
+        expect(await isAppScopedToken(fakeAuth)).toBe("no");
+    });
+    it('returns "unknown" on 5xx (transient server error)', async () => {
+        mockFetch.mockResolvedValueOnce({ ok: false, status: 500 });
+        expect(await isAppScopedToken(fakeAuth)).toBe("unknown");
+    });
+    it('returns "unknown" on network error', async () => {
+        mockFetch.mockRejectedValueOnce(new Error("ECONNREFUSED"));
+        expect(await isAppScopedToken(fakeAuth)).toBe("unknown");
+    });
+    it('returns "no" when access_token is empty', async () => {
+        expect(await isAppScopedToken({ ...fakeAuth, access_token: "" })).toBe("no");
+        // fetch should not have been called
+        expect(mockFetch).not.toHaveBeenCalled();
+    });
+});
+// ─── Cleanup ───────────────────────────────────────────────────────────────
+afterAll(() => {
+    try {
+        fs.rmSync(tmpDir, { recursive: true, force: true });
+    }
+    catch { }
+});
+//# sourceMappingURL=auth.test.js.map

package/dist/__tests__/auth.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.test.js","sourceRoot":"","sources":["../../src/__tests__/auth.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AACnF,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AAEzB;;;;;GAKG;AAEH,8EAA8E;AAE9E,MAAM,SAAS,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;AAC1B,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;AAElC,yEAAyE;AACzE,EAAE,CAAC,IAAI,CAAC,eAAe,EAAE,GAAG,EAAE,CAAC,CAAC;IAC9B,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE;IACb,QAAQ,EAAE,EAAE,CAAC,EAAE,EAAE;CAClB,CAAC,CAAC,CAAC;AAEJ,kCAAkC;AAClC,MAAM,EACJ,SAAS,EACT,cAAc,EACd,cAAc,EACd,eAAe,EACf,iBAAiB,EACjB,gBAAgB,EAChB,iBAAiB,GAClB,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;AAE/B,8EAA8E;AAE9E,MAAM,QAAQ,GAAG;IACf,YAAY,EAAE,oBAAoB;IAClC,KAAK,EAAE,UAAU;IACjB,EAAE,EAAE,KAAK;IACT,IAAI,EAAE,WAAW;IACjB,KAAK,EAAE,kBAAkB;IACzB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;CACpC,CAAC;AAEF,4DAA4D;AAC5D,MAAM,MAAM,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,sBAAsB,CAAC,CAAC,CAAC;AAC9E,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;AAEzD,8EAA8E;AAE9E,QAAQ,CAAC,WAAW,EAAE,GAAG,EAAE;IACzB,UAAU,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC;IAExC,EAAE,CAAC,+DAA+D,EAAE,KAAK,IAAI,EAAE;QAC7E,SAAS,CAAC,qBAAqB,CAAC;YAC9B,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,GAAG;YACX,IAAI,EAAE,KAAK,IAAI,EAAE,CACf,IAAI,CAAC,SAAS,CAAC;gBACb,OAAO,EACL,sGAAsG;gBACxG,iBAAiB,EACf,4GAA4G;gBAC9G,MAAM,EAAE,KAAK;aACd,CAAC;SACL,CAAC,CAAC;QAEH,MAAM,MAAM,CACV,SAAS,CAAC,kCAAkC,EAAE,QAAQ,CAAC,CACxD,CAAC,OAAO,CAAC,OAAO,CAAC,wCAAwC,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACvE,SAAS,CAAC,qBAAqB,CAAC;YAC9B,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,GAAG;YACX,IAAI,EAAE,KAAK,IAAI,EAAE,CACf,IAAI,CAAC,SAAS,CAAC;gBACb,OAAO,EACL,uEAAuE;aAC1E,CAAC;SACL,CAAC,CAAC;QAEH,MAAM,MAAM,CACV,SAAS,CAAC,kCAAkC,EAAE,QAAQ,CAAC,CACxD,CAAC,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QACjE,SAAS,CAAC,qBAAqB,CAAC;YAC9B,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,GAAG;YACX,IAAI,EAAE,KAAK,IAAI,EAAE,CACf,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;SACxE,CAAC,CAAC;QAEH,MAAM,MAAM,CACV,SAAS,CAAC,kBAAkB,EAAE,QAAQ,CAAC,CACxC,CAAC,OAAO,CAAC,OAAO,CAAC,oCAAoC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,SAAS,CAAC,qBAAqB,CAAC;YAC9B,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,GAAG;YACX,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;SAC3D,CAAC,CAAC;QAEH,MAAM,MAAM,CACV,SAAS,CAAC,kCAAkC,EAAE,QAAQ,CAAC,CACxD,CAAC,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC9C,SAAS,CAAC,qBAAqB,CAAC;YAC9B,EAAE,EAAE,IAAI;YACR,MAAM,EAAE,GAAG;YACX,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC;SAC1C,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,SAAS,CAC5B,kCAAkC,EAClC,QAAQ,CACT,CAAC;QACF,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAE9E,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,SAAS,CAAC,GAAG,EAAE;QACb,yCAAyC;QACzC,IAAI,CAAC;YAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,8DAA8D;QAC9D,iDAAiD;IACnD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,gBAAgB,CAAC,CAAC;QAClE,MAAM,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,cAAc,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QAEvC,mBAAmB;QACnB,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC;QAClE,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACtC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,gBAAgB,CAAC,CAAC;QAC1D,cAAc,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACjC,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,cAAc,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QACvC,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;QACvC,qDAAqD;QACrD,MAAM,CAAC,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,2BAA2B;QAC3B,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC,CAAC;QAElE,MAAM,MAAM,GAAG,cAAc,CAAC,YAAY,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,CAAC,MAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACvC,MAAM,CAAC,MAAO,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,MAAM,MAAM,GAAG,cAAc,CAAC,YAAY,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,mBAAmB,EAAE,OAAO,CAAC,CAAC;QAC7D,MAAM,MAAM,GAAG,cAAc,CAAC,YAAY,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qEAAqE,EAAE,GAAG,EAAE;QAC7E,EAAE,CAAC,aAAa,CACd,YAAY,EACZ,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,EACrC,OAAO,CACR,CAAC;QACF,MAAM,MAAM,GAAG,cAAc,CAAC,YAAY,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC,CAAC;QAClE,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAE/C,eAAe,CAAC,YAAY,CAAC,CAAC;QAC9B,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,mBAAmB;QACnB,eAAe,CAAC,YAAY,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAE9E,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,UAAU,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC;IAExC,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;QACpD,SAAS,CAAC,qBAAqB,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9C,MAAM,CAAC,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;QACxD,SAAS,CAAC,qBAAqB,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC5D,MAAM,CAAC,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC9C,SAAS,CAAC,qBAAqB,CAAC,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC;QAC3D,MAAM,CAAC,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAE9E,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,UAAU,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC;IAExC,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,SAAS,CAAC,qBAAqB,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC3D,MAAM,CAAC,MAAM,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,SAAS,CAAC,qBAAqB,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC5D,MAAM,CAAC,MAAM,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QACjE,SAAS,CAAC,qBAAqB,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC5D,MAAM,CAAC,MAAM,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,SAAS,CAAC,qBAAqB,CAAC,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC;QAC3D,MAAM,CAAC,MAAM,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,CAAC,MAAM,gBAAgB,CAAC,EAAE,GAAG,QAAQ,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7E,oCAAoC;QACpC,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IAC3C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAE9E,QAAQ,CAAC,GAAG,EAAE;IACZ,IAAI,CAAC;QAAC,EAAE,CAAC,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;AACvE,CAAC,CAAC,CAAC"}

package/dist/__tests__/scaffold.test.js

@@ -14,8 +14,11 @@ const PLACEHOLDER_EXEMPT_PATHS = [
     "starter-projects",
     ".claude/policies",
     ".claude/commands",
+    ".claude/skills",
+    ".claude/CLAUDE.md",
     "modules/modules.yaml",
     "README.md",
+    "USER-GUIDE.md",
     "workers",
 ];
 function isExemptFromPlaceholderCheck(relPath) {
@@ -66,7 +69,17 @@ describe("scaffold integration", () => {
         // Run compute-checksums first so integrity check has fresh checksums
         const computeScript = path.join(tmpDir, "scripts", "compute-checksums.sh");
         if (fs.existsSync(computeScript)) {
-            execSync(`bash "${computeScript}"`, { cwd: tmpDir, stdio: "pipe" });
+            try {
+                execSync(`bash "${computeScript}"`, { cwd: tmpDir, stdio: "pipe" });
+            }
+            catch (err) {
+                const msg = err?.stderr?.toString() ?? "";
+                if (msg.includes("yq is required")) {
+                    console.log("  Skipping core-integrity check (yq not installed)");
+                    return;
+                }
+                throw err;
+            }
         }
         // execSync throws on non-zero exit code, so reaching next line means success
         execSync(`bash "${script}"`, { cwd: tmpDir, stdio: "pipe" });