cue-ai 0.9.1 → 0.9.2

package/resources/skills/skills/eu-funding/ted-tender-search/evals.md

@@ -0,0 +1,26 @@
+# Activation evals — ted-tender-search
+
+Run by judging each query against the `description:` only: does it fire?
+Pass bar: >=90% of TRIGGER fire, <=10% of NO-TRIGGER false-fire.
+
+## TRIGGER (must fire)
+
+- find EU tenders for IT companies
+- search TED for Hungarian procurement
+- közbeszerzés keresés szoftverre
+- what public procurement notices are open in Slovakia?
+- find tenders by CPV code 72000000
+- are there open EU contracts my company can bid on?
+- TED search for AI tenders
+- list active procurement notices from Hungarian buyers
+
+## NO-TRIGGER (must NOT fire — route elsewhere)
+
+- find grants for my startup            → hu-grant-finder
+- what GINOP can I apply for?           → hu-grant-finder
+- find me a venture capital investor    → hu-grant-finder
+- write me a bid proposal               → content/article-writer
+- scrape this website                   → gstack/scrape
+- how do I register a Kft?              → none
+
+Last run: 8/8 trigger, 0/6 false-fire = 100%.

package/resources/skills/skills/eu-funding/ted-tender-search/scripts/ted-search.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+# ted-search.sh — one-command EU tender search via the official free TED API.
+#
+# Usage:   ted-search.sh <BUYER_COUNTRY> [CPV_CODES] [SCOPE] [LIMIT]
+#   BUYER_COUNTRY  ISO 3-letter buyer country, e.g. HUN, SVK  (required)
+#   CPV_CODES      space-separated, default "72000000 48000000 73000000" (IT/sw/R&D)
+#   SCOPE          ACTIVE (default, open to bid) or ALL (historical)
+#   LIMIT          page size, default 50
+#
+# Examples:
+#   ted-search.sh HUN
+#   ted-search.sh SVK "72000000 48000000" ACTIVE 60
+set -euo pipefail
+
+COUNTRY="${1:?usage: ted-search.sh <BUYER_COUNTRY> [CPV] [SCOPE] [LIMIT]}"
+CPV="${2:-72000000 48000000 73000000}"
+SCOPE="${3:-ACTIVE}"
+LIMIT="${4:-50}"
+
+QUERY="classification-cpv IN (${CPV}) AND organisation-country-buyer IN (${COUNTRY})"
+
+BODY=$(python3 -c 'import json,sys
+print(json.dumps({"query":sys.argv[1],
+  "fields":["publication-number","notice-title","buyer-name","classification-cpv","notice-type"],
+  "limit":int(sys.argv[2]),"scope":sys.argv[3]}))' "$QUERY" "$LIMIT" "$SCOPE")
+
+curl -sS -m 60 -X POST "https://api.ted.europa.eu/v3/notices/search" \
+  -H "Content-Type: application/json" -d "$BODY" \
+| python3 -c '
+import json,sys
+d=json.load(sys.stdin)
+def pick(f):
+    if not isinstance(f,dict): return f or ""
+    for l in ("eng","hun"):
+        if f.get(l): v=f[l]; return v[0] if isinstance(v,list) else v
+    return next((v[0] if isinstance(v,list) else v for v in f.values()), "")
+ns=sorted(d.get("notices",[]), key=lambda n:-int(n["publication-number"].split("-")[1]))
+total=d.get("totalNoticeCount",0); shown=min(15,len(ns))
+print("TOTAL match: %d   (showing newest %d)\n" % (total, shown))
+for n in ns[:15]:
+    p=n["publication-number"]
+    title=pick(n.get("notice-title",""))[:70]
+    buyer=pick(n.get("buyer-name",""))[:55]
+    print("%s  %s" % (p, title))
+    print("   %s  https://ted.europa.eu/en/notice/%s" % (buyer, p))
+'

package/resources/skills/skills/github/gx-agents/SKILL.md

@@ -0,0 +1,96 @@
+---
+name: gx-agents
+category: github
+triggers:
+  - who's working on what
+  - show all agents
+  - is anyone else editing
+  - agent collision
+  - which PR is each agent shipping
+  - who owns this file
+  - agent radar
+description: >-
+  Use when several agents work in parallel and you need to see who is on which branch, worktree, or PR, or to avoid editing a file another agent already owns. Triggers: "who's working on what", "show all agents", "is anyone else editing X", "agent collision", "which PR is each agent shipping", "who owns this file", "agent radar". Drives the gx mcp tools (list_agents, who_owns, my_context) or the `gx mcp list-agents` / `gx mcp who-owns` CLI to read every agent's branch, worktree, dirty files, locks, and PR. Read-only. NOT for repo-safety repair (use gitguardex).
+---
+
+# gx agents: see every agent, avoid collisions
+
+Multiple agents (Claude, Codex) editing nearby repos step on each other: two
+edit the same file, or one edits the protected primary checkout and a later
+branch switch auto-stashes the work. `gx mcp` exposes the live picture
+gitguardex already tracks. Read it BEFORE you edit, not after the conflict.
+
+## Prereq
+
+The server ships with gitguardex (`gx mcp serve`). Register it once so any
+session can call the tools:
+
+```sh
+claude mcp add gx -s user -- gx mcp serve
+```
+
+If it is not registered, use the CLI fallback below: same data, no MCP client.
+
+## Before you edit a shared file: check ownership
+
+Ask who holds the lock before touching a path. If another branch owns it,
+coordinate or pick a different file instead of overwriting.
+
+```sh
+gx mcp who-owns path/to/file.ts
+# -> "locked by <agent> (branch agent/<name>/...)"  or  "unclaimed"
+```
+
+MCP tool form: call `who_owns` with `{ "file": "path/to/file.ts" }`.
+
+## See the whole field
+
+List every active agent lane across all your repos: branch, worktree, the
+files each is editing right now (`dirty`), held locks, last commit, and PR.
+
+```sh
+gx mcp list-agents            # human view
+gx mcp list-agents --json     # machine view (pass --no-prs to skip gh/network)
+```
+
+MCP tool form: call `list_agents` (pass `{ "include_prs": true }` when you need
+PR state, which is off by default to keep the cross-repo scan fast).
+
+Watch for `⚠ ON PRIMARY CHECKOUT`: that lane is editing the protected base, not
+an isolated worktree, so its work can be auto-stashed. Tell it to move with
+`gx branch start`.
+
+## Know your own lane
+
+```sh
+# MCP tool: my_context  -> repo, branch, worktree, onPrimaryCheckout, dirty, locks, PR
+```
+
+## Example
+
+User: "before I touch the checkout component, is anyone else on it?"
+
+```sh
+gx mcp who-owns apps/storefront/src/checkout-delivery-step.tsx
+# -> locked by codex (branch agent/codex/checkout-copy-fix)
+gx mcp list-agents --no-prs | grep -A3 checkout
+# -> codex  agent/codex/checkout-copy-fix   editing 4 file(s)
+```
+
+Conclusion: codex owns it and is editing it right now. Pick different work or
+post a handoff instead of overwriting.
+
+## Rules
+
+- **Read-only.** These tools never change a repo. To actually reserve a file,
+  use `gx locks claim --branch "<branch>" <file>`; to coordinate live tasks,
+  use Colony. `gx mcp` only shows the state.
+- **Locks lag edits.** File locks are written at commit time, so `who_owns` can
+  return `unclaimed` while another lane is mid-edit. Cross-check the lane's
+  `dirty` files in `list_agents` for in-progress work.
+- **One agent per file.** If `who_owns` (or another lane's `dirty`) shows the
+  file is taken, do not overwrite. Post a handoff or pick different work.
+- **Act on the primary-checkout warning.** A lane on the primary checkout is the
+  collision waiting to happen; route it to `gx branch start` first.
+- **This is not gitguardex repair.** For broken repo safety (dirty worktree,
+  stuck finish, `gx doctor`) use the `gitguardex` skill instead.

package/resources/skills/skills/meta/focus/SKILL.md

@@ -0,0 +1,62 @@
+---
+name: focus
+description: 'Use when user says "focus", "which skill", "what skill should I use", "route this", or faces a task in a profile with many loaded skills. Picks the best-fit loaded skill to invoke, fast.'
+tags: [meta, routing, skills, focus]
+---
+
+# Focus
+
+Pick the right *loaded* skill for the task at hand. When a profile carries dozens of
+skills, the cost is decision latency, not capability. Focus narrows the loaded set to the
+one skill that fires, so you invoke it instead of freestyling.
+
+Scope: skills already in the active profile. For a skill that is **not** loaded, use
+[[smart-loader]] (it reads from disk). For catalog lookup or dedup before writing a new
+skill, use [[skill-suggestion]].
+
+## Steps
+
+1. List what is loaded in the active profile:
+
+```bash
+cue skills list
+```
+
+2. Narrow by intent (fuzzy match across the set):
+
+```bash
+cue skills search "<task keywords>"
+```
+
+3. Confirm a candidate by the prompts that historically fired it:
+
+```bash
+cue skills triggers <skill-id>
+```
+
+4. Invoke the top match via the Skill tool. If 2+ fit, name them and pick the most
+   specific. If none fits the loaded set, hand off to [[smart-loader]] or say so plainly.
+
+## How to match
+
+- Read each candidate's `description:` trigger phrases against the task intent; the most
+  specific wins. A skill that names the exact tool or platform beats a generic one.
+- One skill, one job: route to the single best fit, do not chain three skills for one task.
+- Prefer a loaded skill over freestyling. Even a 70% fit usually beats raw improvisation,
+  because the skill carries the verified recipe.
+
+## Rules
+
+- Only route to skills in the active profile (`cue skills list`). For unloaded skills use
+  [[smart-loader]]; this skill never loads from disk.
+- Name the match and the reason in one line before invoking, so the choice is auditable.
+- If nothing fits, say so and offer [[smart-loader]] or a new skill. Do not force a bad match.
+- Recommend only what the task needs: one skill if one fits.
+
+## Example
+
+User: "focus, I need to find EU tenders."
+
+Run `cue skills list` and `cue skills search "tender"`, see `eu-funding/ted-tender-search`
+match the intent and tool exactly, and invoke it. If the profile had no tender skill, hand
+off to [[smart-loader]] to find one on disk.

package/resources/skills/skills/tools/portless/SKILL.md

@@ -0,0 +1,186 @@
+---
+name: portless
+description: Named .localhost HTTPS URLs for local dev instead of port numbers. Use when the user says "portless", "https on localhost", "named dev URL", "stop using port 3000", or runs multiple dev servers (Next.js, Vite, Medusa) that collide on ports. Prefer it for Medusa shop local dev.
+allowed-tools: Bash(portless:*), Bash(npm:*)
+category: tools
+tags: [tools, local-dev, https, proxy, dev-server, medusa, monorepo]
+requires_mcps: []
+metadata:
+  version: 1.0.0
+  homepage: https://github.com/vercel-labs/portless
+---
+
+# portless: named .localhost URLs for local dev
+
+Run dev servers behind stable `https://<name>.localhost` URLs instead of memorizing port numbers. portless starts a local HTTPS proxy, assigns each app an ephemeral port via `PORT`, and routes a clean URL to it. HTTP/2 + a trusted local CA come on by default, so no browser warnings and no port collisions when several servers run at once.
+
+Pre-1.0 (current 0.13.x): the state-dir format can change between releases, so re-run `portless trust` after upgrades if certs stop working.
+
+## When to activate
+
+- User wants `https://myapp.localhost` instead of `http://localhost:3000`.
+- Two or more dev servers fight over ports (admin + storefront, web + api).
+- A Medusa shop needs local URLs for both the backend and the storefront.
+- User asks for HTTPS/HTTP-2 on localhost without manual mkcert setup.
+- A monorepo (pnpm/turbo) needs one URL per workspace package.
+
+## Prerequisites
+
+Install once, globally (recommended so every project shares one proxy + CA):
+
+```bash
+npm install -g portless
+portless --version          # -> portless 0.13.x
+```
+
+First run generates a local CA, trusts it, and binds port 443 (auto-elevates with `sudo` on macOS/Linux). To skip HTTPS use `--no-tls`.
+
+## Step 1: run a single app
+
+Infer the name from `package.json`/git root and run the `dev` script through the proxy:
+
+```bash
+portless run next dev
+# -> https://myapp.localhost
+```
+
+Or name it explicitly:
+
+```bash
+portless myapp next dev
+# -> https://myapp.localhost
+```
+
+Bare `portless` (no args) runs the `dev` script and infers the name:
+
+```bash
+portless            # -> runs "dev", https://<project>.localhost
+```
+
+## Step 2: wire it into package.json
+
+Put the proxy in the script once so it works for everyone:
+
+```jsonc
+{ "scripts": { "dev": "portless run next dev" } }
+```
+
+With a `portless.json` you can keep the script clean and run `portless` to route it:
+
+```jsonc
+// portless.json
+{ "name": "myapp" }
+```
+
+```bash
+portless            # runs "dev", https://myapp.localhost
+PORTLESS=0 pnpm dev # bypass the proxy, use the default port
+```
+
+## Step 3: subdomains and monorepos
+
+Organize services under subdomains:
+
+```bash
+portless api.myapp pnpm start    # -> https://api.myapp.localhost
+portless docs.myapp next dev     # -> https://docs.myapp.localhost
+```
+
+One `portless.json` at the repo root covers every workspace package (pnpm/npm/yarn/bun). The `apps` map is only for name overrides:
+
+```jsonc
+{
+  "apps": {
+    "apps/web": { "name": "myapp" },
+    "apps/api": { "name": "api.myapp" }
+  }
+}
+```
+
+```bash
+portless                  # from repo root: start every package with a "dev" script
+cd apps/web && portless   # start just one
+```
+
+## Step 4: Medusa shop local dev (preferred)
+
+For `medusa-shops/<shop>`, route both halves through portless so admin and storefront stop colliding on ports:
+
+```bash
+# backend (Medusa serves admin on the injected PORT)
+portless admin.myshop medusa develop   # -> https://admin.myshop.localhost
+
+# storefront
+portless myshop pnpm dev               # -> https://myshop.localhost
+```
+
+Next.js storefronts must allow the dev origin:
+
+```js
+// next.config.js
+module.exports = { allowedDevOrigins: ["myshop.localhost", "*.myshop.localhost"] }
+```
+
+If the storefront proxies `/api` to the backend, set `changeOrigin: true` or portless returns `508 Loop Detected` (it rewrites the `Host` header back to the proxy). See Rules.
+
+Related: the `medusa-local-dev` skill runs many shops on a fixed-port registry (`.dev-ports.yaml`) with the `medusa-dev` helper for lifecycle (start/stop/tail). portless is the preferred URL layer on top: keep `medusa-dev` for process management, or pass `portless --app-port <registry-port>` to give each shop a clean `https://<shop>.localhost` instead of a bare port.
+
+## Step 5: git worktrees
+
+`portless run` auto-detects linked worktrees and prepends the branch as a subdomain, so each worktree gets its own URL with zero config:
+
+```bash
+# main checkout
+portless run next dev               # -> https://myapp.localhost
+# worktree on branch "fix-ui"
+portless run next dev               # -> https://fix-ui.myapp.localhost
+```
+
+## Commands reference
+
+```bash
+portless list                 # show active routes (local + tailnet)
+portless alias <name> <port>  # static route, e.g. point a name at a Docker port
+portless trust                # (re)add the local CA to the system trust store
+portless prune                # kill orphaned dev servers from crashed sessions
+portless hosts sync           # add routes to /etc/hosts (fixes Safari)
+portless clean                # remove state, CA trust entry, and hosts block
+
+portless proxy start          # start the HTTPS proxy (port 443, daemon)
+portless proxy start --no-tls # plain HTTP on port 80
+portless proxy start -p 1355  # custom port, no sudo
+portless proxy stop
+
+portless service install      # start the proxy at OS startup (survives reboot)
+portless service status
+portless service uninstall
+```
+
+Useful flags: `--no-tls`, `--tld test` (use `.test`, IANA-reserved), `--wildcard` (unregistered subdomains fall back to parent), `--app-port <n>` (fixed port), `--tailscale` / `--funnel` (share over tailnet/public), `--force` (take over a route).
+
+## Examples
+
+**User:** "my next storefront and medusa admin both want port 3000, fix it"
+→ `npm i -g portless`, then `portless admin.shop medusa develop` and `portless shop pnpm dev`. Two clean HTTPS URLs, no port clash. Add `allowedDevOrigins` to `next.config.js`.
+
+**User:** "give me https on localhost without mkcert"
+→ `portless run next dev`. First run trusts a local CA automatically; the app is at `https://<project>.localhost` with HTTP/2.
+
+**User:** "Safari can't reach myapp.localhost"
+→ `portless hosts sync` (Safari uses the system resolver, which may not handle `.localhost` subdomains).
+
+**User:** "spin up every app in this pnpm monorepo"
+→ from the repo root, `portless`. It discovers workspace packages and starts each one's `dev` script under `<package>.<project>.localhost`.
+
+**User:** "I keep getting 508 Loop Detected"
+→ the frontend proxies to another portless app without rewriting `Host`. Set `changeOrigin: true` (Vite/webpack) so portless routes to the target app, not back to itself.
+
+## Rules
+
+- **Prefer portless in Medusa shops.** Backend (`admin.<shop>.localhost`) and storefront (`<shop>.localhost`) collide on ports otherwise; named URLs remove the juggling and match the deployed `admin.<shop>.hu` shape. WHY: it mirrors prod hostnames and lets both run together.
+- **Install globally for shared state.** One global install means one proxy and one CA across projects. Per-project installs can run different pre-1.0 versions whose state formats diverge, which breaks trust. WHY: avoids re-trusting per repo.
+- **Rewrite the Host header on app-to-app proxies** (`changeOrigin: true`). WHY: without it portless loops the request back to the caller and answers `508 Loop Detected`.
+- **Add storefront origins to `allowedDevOrigins`.** WHY: frameworks reject cross-origin dev requests from the new `.localhost` host otherwise.
+- **CI / non-interactive: portless exits with an error instead of prompting.** Use `PORTLESS=0` to bypass the proxy in scripts that should hit the raw port. WHY: task runners (turbo, CI) must fail fast, not hang on a TTY prompt.
+- **Avoid `.local` and `.dev` TLDs.** `.local` clashes with mDNS/Bonjour; `.dev` is HSTS-forced by Google. Use the default `.localhost` or `--tld test`. WHY: collision and forced-HTTPS surprises.
+- **`run get alias hosts list trust clean prune proxy service` are reserved** subcommands and cannot be app names. Use `portless run <cmd>` or `portless --name <name> <cmd>` to force one.

package/src/lib/analytics.ts

@@ -69,10 +69,15 @@ function readSessionLog(since?: Date): SessionLogEntry[] {
  *   - `skill_invoked` (structured `Skill` tool_use): skill, session_id, tool_use_id
  *   - `skill_miss` (trigger matched but skill wasn't fired): session_id,
  *     prompt_redacted (first 80 chars, secret-masked), matched_skills
+ *   - `skill_gap` (self-learner — profile-self-improve.sh Stop hook): where the
+ *     active profile's skills fell short. `source:"hook"` carries cheap friction
+ *     `signals`; `source:"critic"` carries a critic-agent verdict (`skill`,
+ *     `gap_type`, `suggestion`, `confidence`). Consumed by `cue profile
+ *     self-improve`; inert to existing readers.
  */
 export interface SessionEvent {
   ts: string;
-  event: "start" | "end" | "skill_hit" | "skill_invoked" | "skill_miss";
+  event: "start" | "end" | "skill_hit" | "skill_invoked" | "skill_miss" | "skill_gap";
   profile?: string;
   agent?: "claude-code" | "codex";
   cwd?: string;
@@ -82,6 +87,13 @@ export interface SessionEvent {
   tool_use_id?: string;
   prompt_redacted?: string;
   matched_skills?: string[];
+  // skill_gap variant
+  source?: "hook" | "critic";
+  signals?: string[];
+  gap_type?: "missing-skill" | "weak-description" | "weak-body" | "profile-composition";
+  suggestion?: string;
+  confidence?: number;
+  first_prompt?: string;
 }
 
 /**