enigma-cli 1.0.0 → 1.1.1

package/assets/skills/backend-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Backend/API architecture: controller-service-repository layering, API and request optimization, server-side caching (Redis), and Zod boundary validation.",
-  "cliVersion": "1.0.0",
+  "cliVersion": "1.1.1",
   "sha": "c442bc9e39a7710cb709ef2abb8d15ecd8aa16ed4f5c8af92b7af6877401cba4"
 }

package/assets/skills/ciphera-style-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.1.0",
   "provider": "FJRG2007/enigma",
   "description": "Ciphera code style conventions (formatting, naming, imports, comments, code-level anti-patterns; TypeScript-first, language-agnostic).",
-  "cliVersion": "1.0.0",
+  "cliVersion": "1.1.1",
   "sha": "f8602bb79fbbe063ab39fbd59d0b7844a22c3a1583fcd11c1b4f98a2fe8ddc86"
 }

package/assets/skills/code-review-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Pre-delivery self-review gate, prioritized review dimensions, and change-quality criteria.",
-  "cliVersion": "1.0.0",
+  "cliVersion": "1.1.1",
   "sha": "3d3bbe0602d5bbb4afe37648fe3c2fa39376b1bcbac5d8c441f01fad1e866ed0"
 }

package/assets/skills/core-engineering-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.4.0",
   "provider": "FJRG2007/enigma",
   "description": "Core engineering execution policy and harness orchestration (highest-authority rules).",
-  "cliVersion": "1.0.0",
+  "cliVersion": "1.1.1",
   "sha": "c9c69c59516794311cb7b306ed4d4ad971824de3689a39c2b86c7669c73f2e8b"
 }

package/assets/skills/database-expert/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Senior database architecture policy: query optimization, anti-duplication/normalization, scalability, and RGPD/GDPR encryption.",
-  "cliVersion": "1.0.0",
+  "cliVersion": "1.1.1",
   "sha": "c4617ee8d1a57d9621c81bef3093e94de91f79eec0cc0ead41f6d18dd443e623"
 }

package/assets/skills/debugging-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Reproduce-isolate-fix debugging methodology with root-cause discipline and regression verification.",
-  "cliVersion": "1.0.0",
+  "cliVersion": "1.1.1",
   "sha": "14b0064c8b33a0dc85e51464b05005cf5801c756b1101789a6924b9548420f6b"
 }

package/assets/skills/dependency-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Dependency and supply-chain security: lockfiles and reproducible installs, version pinning, vulnerability auditing, vetting/minimizing packages, vendoring, and SBOM/provenance.",
-  "cliVersion": "1.0.0",
+  "cliVersion": "1.1.1",
   "sha": "6375d835c2aef2c9bd31ce116444dc3d796f510f9970a213aa3ac4696d7e21b9"
 }

package/assets/skills/frontend-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Frontend architecture: reusable components, abstraction thresholds, state management, and optimistic UI with rollback.",
-  "cliVersion": "1.0.0",
+  "cliVersion": "1.1.1",
   "sha": "b0355b0e15f9f528d32adf19f0722d2727cd64d6b3544307ecc7a3141338f023"
 }

package/assets/skills/git-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.2.0",
   "provider": "FJRG2007/enigma",
   "description": "Git & contribution policy (senior engineering standards).",
-  "cliVersion": "1.0.0",
+  "cliVersion": "1.1.1",
   "sha": "ada4b7eb5bb7e013429e23703c271c0f34b0d76327c059efa148ea2794f96178"
 }

package/assets/skills/security-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Application and AI-agent security: secrets, authn/authz (least privilege), OWASP Top 10, transport/crypto baseline, secure logging, and agent/MCP/tool-use safety.",
-  "cliVersion": "1.0.0",
+  "cliVersion": "1.1.1",
   "sha": "9971e9d9127397d0152e89d24aad3191e2935e55a8483db7fd15f5d4d7a60e7a"
 }

package/assets/skills/testing-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Test strategy, coverage gates, deterministic tests, mocking discipline, and regression-first bug fixing.",
-  "cliVersion": "1.0.0",
+  "cliVersion": "1.1.1",
   "sha": "d19fa8ec7985ed231478be504d3c80360897f555d0bc0624bea19c091f459fb0"
 }

package/assets/skills/validation-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Strict frontend + backend schema validation, schema consistency, and safe client-facing error handling.",
-  "cliVersion": "1.0.0",
+  "cliVersion": "1.1.1",
   "sha": "a33622a2f810ee4cea39824cb1a7ca34b355a917d4224025df50d77dd74f0b3a"
 }

package/dist/enigma.js

@@ -1,9 +1,9 @@
 #!/usr/bin/env node
 
 // src/cli.ts
-import { dirname as dirname4, join as join8 } from "path";
+import { dirname as dirname4, join as join10 } from "path";
 import { fileURLToPath as fileURLToPath4 } from "url";
-import * as p3 from "@clack/prompts";
+import * as p5 from "@clack/prompts";
 
 // src/util.ts
 import { existsSync, statSync, readFileSync } from "fs";
@@ -17,7 +17,7 @@ function isDir(pth) {
 }
 function readJson(file) {
   try {
-    return JSON.parse(readFileSync(file, "utf8"));
+    return JSON.parse(readFileSync(file, "utf8").replace(/^\uFEFF/, ""));
   } catch {
     return null;
   }
@@ -29,11 +29,11 @@ function isOnPath(bin) {
 }
 
 // src/skills.ts
-import { existsSync as existsSync4, readdirSync, readFileSync as readFileSync2, writeFileSync as writeFileSync3, cpSync as cpSync2, mkdirSync as mkdirSync3, rmSync } from "fs";
-import { dirname as dirname2, join as join5, resolve as resolve2, relative as relative2, sep as sep2 } from "path";
+import { existsSync as existsSync5, readdirSync, readFileSync as readFileSync3, writeFileSync as writeFileSync4, cpSync as cpSync2, mkdirSync as mkdirSync4, rmSync } from "fs";
+import { dirname as dirname2, join as join6, resolve as resolve2, relative as relative2, sep as sep2 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 import { createHash } from "crypto";
-import * as p2 from "@clack/prompts";
+import * as p3 from "@clack/prompts";
 
 // src/agents.ts
 import { homedir } from "os";
@@ -257,15 +257,134 @@ function disableClaudeAttribution(scope) {
   writeFileSync2(path, JSON.stringify(next, null, 2) + "\n");
   return true;
 }
+function enableClaudeBypass(scope, dryRun) {
+  const path = claudeSettingsPath(scope);
+  const current = readJson(path) || {};
+  const permissions = typeof current.permissions === "object" && current.permissions !== null ? current.permissions : {};
+  if (permissions.defaultMode === "bypassPermissions") return { path, changed: false };
+  if (dryRun) return { path, changed: true };
+  const next = { ...current, permissions: { ...permissions, defaultMode: "bypassPermissions" } };
+  const dir = join4(path, "..");
+  if (!isDir(dir)) mkdirSync2(dir, { recursive: true });
+  writeFileSync2(path, JSON.stringify(next, null, 2) + "\n");
+  return { path, changed: true };
+}
+
+// src/permissions.ts
+import { homedir as homedir3 } from "os";
+import { join as join5 } from "path";
+import { existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync2, writeFileSync as writeFileSync3 } from "fs";
+import * as p2 from "@clack/prompts";
+var BYPASS_SUPPORTED = ["claude", "codex", "opencode"];
+var BYPASS_DEFAULT_ON = /* @__PURE__ */ new Set(["claude", "codex"]);
+async function resolveBypassSelection(candidates, opts, interactive) {
+  const supported = candidates.filter((a) => BYPASS_SUPPORTED.includes(a.name));
+  if (!supported.length || opts.noBypass) return [];
+  const names = supported.map((a) => a.name);
+  if (opts.bypass !== null) {
+    const req = opts.bypass.map((s) => s.trim().toLowerCase());
+    if (req.includes("none")) return [];
+    if (req.includes("all")) return names;
+    return names.filter((n) => req.includes(n));
+  }
+  if (!interactive) return [];
+  const r = await p2.multiselect({
+    message: "Bypass approval prompts for which agents? (security trade-off: the agent stops asking before acting)",
+    options: supported.map((a) => ({
+      value: a.name,
+      label: a.label,
+      hint: BYPASS_DEFAULT_ON.has(a.name) ? "recommended" : "less reliable - off by default"
+    })),
+    initialValues: names.filter((n) => BYPASS_DEFAULT_ON.has(n)),
+    required: false
+  });
+  if (p2.isCancel(r)) return [];
+  return r;
+}
+function applyBypass(agentNames, scope, dryRun) {
+  for (const name of agentNames) {
+    const res = enableFor(name, scope, dryRun);
+    if (!res) continue;
+    const label = AGENTS[name]?.label || name;
+    if (dryRun) p2.log.info(`Bypass (dry run): would enable for ${label} -> ${res.path}.`);
+    else if (res.changed) p2.log.warn(`Bypass: enabled for ${label} (${res.path}) - approval prompts are now OFF.`);
+    else p2.log.info(`Bypass: already enabled for ${label}.`);
+  }
+}
+function enableFor(name, scope, dryRun) {
+  switch (name) {
+    case "claude":
+      return enableClaudeBypass(scope, dryRun);
+    case "codex":
+      return enableCodexBypass(dryRun);
+    case "opencode":
+      return enableOpencodeBypass(scope, dryRun);
+    default:
+      return null;
+  }
+}
+function enableCodexBypass(dryRun) {
+  const path = join5(homedir3(), ".codex", "config.toml");
+  const before = existsSync4(path) ? readFileSync2(path, "utf8") : "";
+  let after = setTomlTopLevelKey(before, "approval_policy", '"never"');
+  after = setTomlTopLevelKey(after, "sandbox_mode", '"danger-full-access"');
+  const changed = after !== before;
+  if (changed && !dryRun) {
+    const dir = join5(path, "..");
+    if (!isDir(dir)) mkdirSync3(dir, { recursive: true });
+    writeFileSync3(path, after);
+  }
+  return { path, changed };
+}
+function enableOpencodeBypass(scope, dryRun) {
+  const path = scope === "global" ? join5(homedir3(), ".config", "opencode", "opencode.json") : join5(process.cwd(), "opencode.json");
+  const current = readJson(path) || {};
+  const perm = current.permission;
+  const alreadyAllowAll = perm === "allow" || typeof perm === "object" && perm !== null && perm["*"] === "allow";
+  if (alreadyAllowAll) return { path, changed: false };
+  if (dryRun) return { path, changed: true };
+  const existing = typeof perm === "object" && perm !== null ? perm : {};
+  const rest = {};
+  for (const k of Object.keys(existing)) if (k !== "*") rest[k] = existing[k];
+  const next = { ...current, permission: { "*": "allow", ...rest } };
+  const dir = join5(path, "..");
+  if (!isDir(dir)) mkdirSync3(dir, { recursive: true });
+  writeFileSync3(path, JSON.stringify(next, null, 2) + "\n");
+  return { path, changed: true };
+}
+function setTomlTopLevelKey(content, key, tomlValue) {
+  const assign = `${key} = ${tomlValue}`;
+  if (content.trim() === "") return `${assign}
+`;
+  const lines = content.split("\n");
+  const firstTable = lines.findIndex((l) => /^\s*\[/.test(l));
+  const scanEnd = firstTable === -1 ? lines.length : firstTable;
+  const keyRe = new RegExp(`^\\s*${key}\\s*=`);
+  for (let i = 0; i < scanEnd; i++) {
+    if (!keyRe.test(lines[i])) continue;
+    if (lines[i].trim() === assign) return content;
+    lines[i] = assign;
+    return normalizeTrailingNewline(lines.join("\n"));
+  }
+  let insertAt = scanEnd;
+  while (insertAt > 0 && lines[insertAt - 1].trim() === "") insertAt--;
+  const followsTable = insertAt < lines.length && /^\s*\[/.test(lines[insertAt]);
+  lines.splice(insertAt, 0, ...followsTable ? [assign, ""] : [assign]);
+  return normalizeTrailingNewline(lines.join("\n"));
+}
+function normalizeTrailingNewline(s) {
+  return `${s.replace(/\s+$/, "")}
+`;
+}
 
 // src/skills.ts
 var __dirname2 = dirname2(fileURLToPath2(import.meta.url));
 var PKG_ROOT = resolve2(__dirname2, "..");
-var ASSETS = join5(PKG_ROOT, "assets");
-var SKILLS_ROOT = join5(ASSETS, "skills");
-var MEMORY_ROOT = join5(ASSETS, "memory");
+var ASSETS = join6(PKG_ROOT, "assets");
+var SKILLS_ROOT = join6(ASSETS, "skills");
+var MEMORY_ROOT = join6(ASSETS, "memory");
 function cliVersion() {
-  return (readJson(join5(PKG_ROOT, "package.json")) || {}).version || "0.0.0";
+  return (readJson(join6(PKG_ROOT, "package.json")) || {}).version || "0.0.0";
 }
 function serializeMeta(meta) {
   const ordered = {};
@@ -276,12 +395,12 @@ function serializeMeta(meta) {
   return JSON.stringify(ordered, null, 2) + "\n";
 }
 function readSkillMeta(skillDir) {
-  return readJson(join5(skillDir, "skill.json")) || {};
+  return readJson(join6(skillDir, "skill.json")) || {};
 }
 function listFilesRel(dir, base = dir) {
   const out = [];
   for (const e of readdirSync(dir)) {
-    const full = join5(dir, e);
+    const full = join6(dir, e);
     if (isDir(full)) out.push(...listFilesRel(full, base));
     else out.push(relative2(base, full).split(sep2).join("/"));
   }
@@ -293,13 +412,13 @@ function computeContentSha(dir) {
   for (const f of files) {
     h.update(f);
     h.update("\0");
-    h.update(readFileSync2(join5(dir, f)));
+    h.update(readFileSync3(join6(dir, f)));
     h.update("\0");
   }
   return h.digest("hex");
 }
 function skillStatus(destDir, srcMeta) {
-  if (!existsSync4(destDir)) return { kind: "install", from: null, to: srcMeta.version || null };
+  if (!existsSync5(destDir)) return { kind: "install", from: null, to: srcMeta.version || null };
   const destMeta = readSkillMeta(destDir);
   const from = destMeta.version || null;
   const to = srcMeta.version || null;
@@ -326,27 +445,27 @@ function statusLabel(st) {
 }
 function filesEqual(a, b) {
   try {
-    return readFileSync2(a).equals(readFileSync2(b));
+    return readFileSync3(a).equals(readFileSync3(b));
   } catch {
     return false;
   }
 }
 function memoryStatus(srcFile, destFile) {
-  if (!existsSync4(destFile)) return "install";
+  if (!existsSync5(destFile)) return "install";
   return filesEqual(srcFile, destFile) ? "identical" : "overwrite";
 }
 function computePrune(destSkillsDir, sourceNames) {
   if (!isDir(destSkillsDir)) return [];
-  return readdirSync(destSkillsDir).filter((e) => isDir(join5(destSkillsDir, e)) && existsSync4(join5(destSkillsDir, e, "SKILL.md"))).filter((e) => !sourceNames.includes(e)).map((e) => ({ name: e, dir: join5(destSkillsDir, e), meta: readSkillMeta(join5(destSkillsDir, e)) })).filter((s) => isManagedProvider(s.meta.provider));
+  return readdirSync(destSkillsDir).filter((e) => isDir(join6(destSkillsDir, e)) && existsSync5(join6(destSkillsDir, e, "SKILL.md"))).filter((e) => !sourceNames.includes(e)).map((e) => ({ name: e, dir: join6(destSkillsDir, e), meta: readSkillMeta(join6(destSkillsDir, e)) })).filter((s) => isManagedProvider(s.meta.provider));
 }
 function inspectSkills() {
   if (!isDir(SKILLS_ROOT)) return [];
-  return readdirSync(SKILLS_ROOT).filter((e) => isDir(join5(SKILLS_ROOT, e)) && existsSync4(join5(SKILLS_ROOT, e, "SKILL.md"))).map((e) => ({ name: e, src: join5(SKILLS_ROOT, e), meta: readSkillMeta(join5(SKILLS_ROOT, e)) }));
+  return readdirSync(SKILLS_ROOT).filter((e) => isDir(join6(SKILLS_ROOT, e)) && existsSync5(join6(SKILLS_ROOT, e, "SKILL.md"))).map((e) => ({ name: e, src: join6(SKILLS_ROOT, e), meta: readSkillMeta(join6(SKILLS_ROOT, e)) }));
 }
 function inspectMemory(agent) {
   if (!agent.memoryFile) return [];
-  const src = join5(MEMORY_ROOT, agent.memoryFile);
-  return existsSync4(src) ? [{ name: agent.memoryFile, src }] : [];
+  const src = join6(MEMORY_ROOT, agent.memoryFile);
+  return existsSync5(src) ? [{ name: agent.memoryFile, src }] : [];
 }
 function sealSources() {
   if (!isDir(SKILLS_ROOT)) {
@@ -356,16 +475,16 @@ function sealSources() {
   const cli = cliVersion();
   let sealed = 0;
   for (const name of readdirSync(SKILLS_ROOT)) {
-    const dir = join5(SKILLS_ROOT, name);
-    if (!isDir(dir) || !existsSync4(join5(dir, "SKILL.md"))) continue;
-    const metaPath = join5(dir, "skill.json");
+    const dir = join6(SKILLS_ROOT, name);
+    if (!isDir(dir) || !existsSync5(join6(dir, "SKILL.md"))) continue;
+    const metaPath = join6(dir, "skill.json");
     const meta = readJson(metaPath) || { name };
     const before = JSON.stringify(meta);
     meta.provider = MANAGED_PROVIDER;
     meta.cliVersion = cli;
     meta.sha = computeContentSha(dir);
     const changed = JSON.stringify(meta) !== before;
-    writeFileSync3(metaPath, serializeMeta(meta));
+    writeFileSync4(metaPath, serializeMeta(meta));
     console.log(`${changed ? "updated" : "ok     "}  ${name}  cli=${cli}  sha=${meta.sha.slice(0, 12)}`);
     sealed++;
   }
@@ -381,18 +500,18 @@ function checkSources() {
   const problems = [];
   let checked = 0;
   for (const name of readdirSync(SKILLS_ROOT)) {
-    const dir = join5(SKILLS_ROOT, name);
-    if (!isDir(dir) || !existsSync4(join5(dir, "SKILL.md"))) continue;
+    const dir = join6(SKILLS_ROOT, name);
+    if (!isDir(dir) || !existsSync5(join6(dir, "SKILL.md"))) continue;
     checked++;
-    const md = readFileSync2(join5(dir, "SKILL.md"), "utf8");
+    const md = readFileSync3(join6(dir, "SKILL.md"), "utf8");
     const fm = md.match(/^---\n([\s\S]*?)\n---/);
     if (!fm) problems.push(`${name}: SKILL.md is missing YAML frontmatter`);
     else {
       if (!/^name:\s*\S/m.test(fm[1])) problems.push(`${name}: frontmatter missing 'name'`);
       if (!/^description:\s*\S/m.test(fm[1])) problems.push(`${name}: frontmatter missing 'description'`);
     }
-    const metaPath = join5(dir, "skill.json");
-    if (!existsSync4(metaPath)) {
+    const metaPath = join6(dir, "skill.json");
+    if (!existsSync5(metaPath)) {
       problems.push(`${name}: missing skill.json`);
       continue;
     }
@@ -417,22 +536,22 @@ function checkSources() {
 async function installSkills(opts, interactive) {
   const available = discoverAgents();
   if (available.length === 0) {
-    p2.cancel("No installable agents known.");
+    p3.cancel("No installable agents known.");
     process.exit(1);
   }
   let scope;
   if (opts.scope) {
     scope = opts.scope;
   } else if (interactive) {
-    const r = await p2.select({
+    const r = await p3.select({
       message: "Where should skills be installed?",
       options: [
         { value: "global", label: "Global (user)", hint: "~/.claude, ~/.codex, ~/.config/opencode" },
         { value: "local", label: "Local (this project)", hint: process.cwd() }
       ]
     });
-    if (p2.isCancel(r)) {
-      p2.cancel("Aborted.");
+    if (p3.isCancel(r)) {
+      p3.cancel("Aborted.");
       return;
     }
     scope = r;
@@ -444,19 +563,19 @@ async function installSkills(opts, interactive) {
   if (opts.agents.length) {
     chosenAgents = available.filter((a) => opts.agents.includes(a.name));
     const unknown = opts.agents.filter((n) => !available.some((a) => a.name === n));
-    if (unknown.length) p2.log.warn(`Skipping unknown/absent agents: ${unknown.join(", ")}`);
+    if (unknown.length) p3.log.warn(`Skipping unknown/absent agents: ${unknown.join(", ")}`);
   } else if (opts.allAgents) {
     chosenAgents = available;
   } else if (interactive && available.length > 1) {
     const preselect = (detected.length ? detected : available).map((a) => a.name);
-    const r = await p2.multiselect({
+    const r = await p3.multiselect({
       message: "Which agents? (detected on this system are preselected)",
       options: available.map((a) => ({ value: a.name, label: a.label, hint: a.installed ? "detected" : "not detected" })),
       initialValues: preselect,
       required: true
     });
-    if (p2.isCancel(r)) {
-      p2.cancel("Aborted.");
+    if (p3.isCancel(r)) {
+      p3.cancel("Aborted.");
       return;
     }
     chosenAgents = available.filter((a) => r.includes(a.name));
@@ -464,24 +583,26 @@ async function installSkills(opts, interactive) {
     chosenAgents = detected;
   } else {
     chosenAgents = available;
-    p2.log.warn("No installed agents detected; defaulting to all supported agents.");
+    p3.log.warn("No installed agents detected; defaulting to all supported agents.");
   }
   if (chosenAgents.length === 0) {
-    p2.cancel("No matching agents selected.");
+    p3.cancel("No matching agents selected.");
     process.exit(1);
   }
   const claudeScope = chosenAgents.some((a) => a.name === "claude") ? scope : null;
   const applyClaudeConfig = () => {
     if (!claudeScope || opts.dryRun) return;
     if (disableClaudeAttribution(claudeScope)) {
-      p2.log.info("Claude Code: disabled Co-Authored-By and PR attribution in settings.json.");
+      p3.log.info("Claude Code: disabled Co-Authored-By and PR attribution in settings.json.");
     }
   };
+  const bypassAgents = await resolveBypassSelection(chosenAgents, opts, interactive);
+  const applyBypassConfig = () => applyBypass(bypassAgents, scope, opts.dryRun);
   const plan = [];
   for (const agent of chosenAgents) {
     const target = agent.targets[scope];
     if (!target) {
-      p2.log.warn(`${agent.label} has no '${scope}' target - skipping.`);
+      p3.log.warn(`${agent.label} has no '${scope}' target - skipping.`);
       continue;
     }
     const skills = inspectSkills();
@@ -490,25 +611,25 @@ async function installSkills(opts, interactive) {
     if (!opts.memoryOnly && opts.skills.length) {
       chosenSkills = skills.filter((s2) => opts.skills.includes(s2.name));
     } else if (!opts.memoryOnly && interactive && skills.length > 1) {
-      const r = await p2.multiselect({
+      const r = await p3.multiselect({
         message: `Skills for ${agent.label} - all selected; deselect any you don't want`,
         options: skills.map((s2) => {
-          const st = skillStatus(join5(target.skills, s2.name), s2.meta);
+          const st = skillStatus(join6(target.skills, s2.name), s2.meta);
           const prov = s2.meta.provider ? ` ${s2.meta.provider}` : "";
           return { value: s2.name, label: s2.name, hint: `${statusLabel(st)}${prov}` };
         }),
         initialValues: skills.map((s2) => s2.name),
         required: false
       });
-      if (p2.isCancel(r)) {
-        p2.cancel("Aborted.");
+      if (p3.isCancel(r)) {
+        p3.cancel("Aborted.");
         return;
       }
       chosenSkills = skills.filter((s2) => r.includes(s2.name));
     }
     const skillsWithStatus = (opts.memoryOnly ? [] : chosenSkills).map((s2) => ({
       ...s2,
-      status: skillStatus(join5(target.skills, s2.name), s2.meta),
+      status: skillStatus(join6(target.skills, s2.name), s2.meta),
       overwrite: true
     }));
     const prune = opts.prune && !opts.memoryOnly ? computePrune(target.skills, skills.map((s2) => s2.name)) : [];
@@ -518,16 +639,16 @@ async function installSkills(opts, interactive) {
   if (tampered.length) {
     if (opts.keepModified) {
       for (const s2 of tampered) s2.overwrite = false;
-      p2.log.warn(`${tampered.length} locally-modified skill(s) will be kept (--keep-modified).`);
+      p3.log.warn(`${tampered.length} locally-modified skill(s) will be kept (--keep-modified).`);
     } else if (interactive && !opts.dryRun) {
-      const sel = await p2.multiselect({
+      const sel = await p3.multiselect({
         message: `${tampered.length} skill(s) were modified locally since install. Select which to OVERWRITE`,
         options: tampered.map((s2, i) => ({ value: i, label: s2.name, hint: s2.meta.version ? `v${s2.meta.version}` : "modified" })),
         initialValues: tampered.map((_, i) => i),
         required: false
       });
-      if (p2.isCancel(sel)) {
-        p2.cancel("Aborted.");
+      if (p3.isCancel(sel)) {
+        p3.cancel("Aborted.");
         return;
       }
       tampered.forEach((s2, i) => {
@@ -562,7 +683,7 @@ async function installSkills(opts, interactive) {
       lines.push(`  ${label.padEnd(26)} skill   ${s2.name}${prov}`);
     }
     for (const m of x.memory) {
-      const ms = memoryStatus(m.src, join5(x.target.memory, m.name));
+      const ms = memoryStatus(m.src, join6(x.target.memory, m.name));
       if (ms === "identical") {
         nSkip++;
         lines.push(`  ${"up-to-date (skip)".padEnd(26)} memory  ${m.name}`);
@@ -581,13 +702,14 @@ async function installSkills(opts, interactive) {
     }
   }
   if (nInstall + nUpdate + nRemove === 0) {
-    p2.note(lines.join("\n"), "Nothing to do");
+    p3.note(lines.join("\n"), "Nothing to do");
     applyClaudeConfig();
+    applyBypassConfig();
     await maybeOfferGitHooks(interactive, opts);
-    p2.log.success(`Everything up-to-date - ${nSkip} item(s) unchanged${nKept ? `, ${nKept} kept modified` : ""} (${scope}).`);
+    p3.log.success(`Everything up-to-date - ${nSkip} item(s) unchanged${nKept ? `, ${nKept} kept modified` : ""} (${scope}).`);
     return;
   }
-  p2.note(lines.join("\n"), opts.dryRun ? "Dry run - planned changes" : "Planned changes");
+  p3.note(lines.join("\n"), opts.dryRun ? "Dry run - planned changes" : "Planned changes");
   if (interactive && !opts.dryRun) {
     const summary = [
       nInstall && `${nInstall} to install`,
@@ -595,63 +717,65 @@ async function installSkills(opts, interactive) {
       nRemove && `${nRemove} to remove`,
       nSkip && `${nSkip} unchanged`
     ].filter(Boolean).join(", ");
-    const ok = await p2.confirm({ message: `Apply: ${summary}?` });
-    if (p2.isCancel(ok) || !ok) {
-      p2.cancel("Aborted.");
+    const ok = await p3.confirm({ message: `Apply: ${summary}?` });
+    if (p3.isCancel(ok) || !ok) {
+      p3.cancel("Aborted.");
       return;
     }
   }
   if (opts.dryRun) {
-    p2.log.info("Dry run complete - no files written.");
+    applyBypassConfig();
+    p3.log.info("Dry run complete - no files written.");
     return;
   }
   const changedAgents = plan.filter(
-    (x) => x.skills.some(willCopy) || x.memory.some((m) => memoryStatus(m.src, join5(x.target.memory, m.name)) !== "identical") || x.prune.length > 0
+    (x) => x.skills.some(willCopy) || x.memory.some((m) => memoryStatus(m.src, join6(x.target.memory, m.name)) !== "identical") || x.prune.length > 0
   );
-  const s = p2.spinner();
+  const s = p3.spinner();
   s.start("Installing...");
   let copied = 0;
   try {
     for (const x of plan) {
-      mkdirSync3(x.target.skills, { recursive: true });
-      mkdirSync3(x.target.memory, { recursive: true });
+      mkdirSync4(x.target.skills, { recursive: true });
+      mkdirSync4(x.target.memory, { recursive: true });
       for (const sk of x.skills) {
         if (!willCopy(sk)) continue;
-        cpSync2(sk.src, join5(x.target.skills, sk.name), { recursive: true, force: true });
+        cpSync2(sk.src, join6(x.target.skills, sk.name), { recursive: true, force: true });
         copied++;
       }
       for (const m of x.memory) {
-        if (memoryStatus(m.src, join5(x.target.memory, m.name)) === "identical") continue;
-        cpSync2(m.src, join5(x.target.memory, m.name), { force: true });
+        if (memoryStatus(m.src, join6(x.target.memory, m.name)) === "identical") continue;
+        cpSync2(m.src, join6(x.target.memory, m.name), { force: true });
         copied++;
       }
       for (const pr of x.prune) rmSync(pr.dir, { recursive: true, force: true });
     }
   } catch (err) {
     s.stop("Failed.");
-    p2.cancel(`Error while installing: ${err.message}`);
+    p3.cancel(`Error while installing: ${err.message}`);
     process.exit(1);
   }
   s.stop(`Wrote ${copied} item(s)${nRemove ? `, removed ${nRemove}` : ""}.`);
   applyClaudeConfig();
+  applyBypassConfig();
   await maybeOfferGitHooks(interactive, opts);
-  p2.log.success(`${nInstall} installed, ${nUpdate} updated/overwritten` + (nRemove ? `, ${nRemove} removed` : "") + (nSkip ? `, ${nSkip} unchanged` : "") + (nKept ? `, ${nKept} kept modified` : "") + ` (${scope}).`);
+  p3.log.success(`${nInstall} installed, ${nUpdate} updated/overwritten` + (nRemove ? `, ${nRemove} removed` : "") + (nSkip ? `, ${nSkip} unchanged` : "") + (nKept ? `, ${nKept} kept modified` : "") + ` (${scope}).`);
   if (changedAgents.length) {
     const { known, running } = runningStatus(changedAgents.map((x) => x.agent));
     if (running.size) {
       const names = changedAgents.filter((x) => running.has(x.agent.name)).map((x) => x.agent.label);
-      p2.log.warn(`Restart ${names.join(", ")} to apply the changes (running now).`);
+      p3.log.warn(`Restart ${names.join(", ")} to apply the changes (running now).`);
     } else if (!known) {
       const names = changedAgents.map((x) => x.agent.label);
-      p2.log.info(`If any of these agents are running, restart them to apply the changes: ${names.join(", ")}.`);
+      p3.log.info(`If any of these agents are running, restart them to apply the changes: ${names.join(", ")}.`);
     }
   }
 }
 
 // src/guard.ts
-import { readFileSync as readFileSync3, statSync as statSync2 } from "fs";
+import { readFileSync as readFileSync4, statSync as statSync2 } from "fs";
 import { execFileSync as execFileSync3 } from "child_process";
-import { basename, extname, dirname as dirname3, join as join6 } from "path";
+import { basename, extname, dirname as dirname3, join as join7 } from "path";
 import { fileURLToPath as fileURLToPath3 } from "url";
 var LARGE_FILE_BYTES = 5 * 1024 * 1024;
 var ENV_ALLOWED = /(example|sample|template)/i;
@@ -712,7 +836,7 @@ var SELF_DIR = dirname3(fileURLToPath3(import.meta.url));
 function loadConfig() {
   const defaults = { secrets: true, envFiles: true, depDirs: true, generatedDirs: true, junkFiles: true, largeFiles: true };
   try {
-    const raw = JSON.parse(readFileSync3(join6(SELF_DIR, "enigma-guard.json"), "utf8"));
+    const raw = JSON.parse(readFileSync4(join7(SELF_DIR, "enigma-guard.json"), "utf8"));
     return { ...defaults, ...raw };
   } catch {
     return defaults;
@@ -727,7 +851,7 @@ function scanSecrets(file, blocks) {
   if (SECRET_SKIP_EXT.has(extname(file).toLowerCase())) return;
   let text;
   try {
-    text = readFileSync3(file, "utf8");
+    text = readFileSync4(file, "utf8");
   } catch {
     return;
   }
@@ -797,22 +921,22 @@ if (isGuardEntry && fileURLToPath3(import.meta.url) === guardEntry) {
 }
 
 // src/config.ts
-import { homedir as homedir3 } from "os";
-import { join as join7 } from "path";
-import { existsSync as existsSync5, mkdirSync as mkdirSync4, writeFileSync as writeFileSync4 } from "fs";
+import { homedir as homedir4 } from "os";
+import { join as join8 } from "path";
+import { existsSync as existsSync6, mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
 var CONFIG_FILE = ".enigma.json";
 var CONFIG_DEFAULTS = { commitEmoji: true };
 var BOOLEAN_KEYS = ["commitEmoji"];
 var CLI_KEYS = { "commit-emoji": "commitEmoji" };
 function configPath(scope) {
-  return scope === "global" ? join7(homedir3(), CONFIG_FILE) : join7(process.cwd(), CONFIG_FILE);
+  return scope === "global" ? join8(homedir4(), CONFIG_FILE) : join8(process.cwd(), CONFIG_FILE);
 }
 function readConfig() {
   const sources = [];
   let config = { ...CONFIG_DEFAULTS };
   for (const scope of ["global", "local"]) {
     const path = configPath(scope);
-    const raw = existsSync5(path) ? readJson(path) : null;
+    const raw = existsSync6(path) ? readJson(path) : null;
     if (raw) {
       config = { ...config, ...raw };
       sources.push(path);
@@ -830,9 +954,9 @@ function setValue(scope, key, value) {
   const path = configPath(scope);
   const current = readJson(path) || {};
   const next = { ...current, [key]: value };
-  const dir = join7(path, "..");
-  if (!isDir(dir)) mkdirSync4(dir, { recursive: true });
-  writeFileSync4(path, JSON.stringify(next, null, 2) + "\n");
+  const dir = join8(path, "..");
+  if (!isDir(dir)) mkdirSync5(dir, { recursive: true });
+  writeFileSync5(path, JSON.stringify(next, null, 2) + "\n");
   return path;
 }
 function runConfigCli(positionals, scope) {
@@ -868,9 +992,105 @@ From: ${sources.join(", ")}` : "\nFrom: built-in defaults (no .enigma.json found
   return 0;
 }
 
+// src/update.ts
+import { homedir as homedir5 } from "os";
+import { join as join9 } from "path";
+import { writeFileSync as writeFileSync6 } from "fs";
+import { spawn, spawnSync } from "child_process";
+import * as p4 from "@clack/prompts";
+var REGISTRY_URL = "https://registry.npmjs.org/enigma-cli/latest";
+var UPDATE_COMMAND = "npm i -g enigma-cli@latest";
+var CACHE_FILE = join9(homedir5(), ".enigma-update-check.json");
+var CHECK_INTERVAL_MS = 24 * 60 * 60 * 1e3;
+var CHILD_SCRIPT = [
+  "const fs = require('fs');",
+  "const ctrl = new AbortController();",
+  "const t = setTimeout(() => ctrl.abort(), 5000);",
+  "fetch(process.env.E_URL, { signal: ctrl.signal, headers: { 'user-agent': 'enigma-cli-update-check' } })",
+  "  .then((r) => (r.ok ? r.json() : null))",
+  "  .then((d) => { if (d && d.version) fs.writeFileSync(process.env.E_FILE, JSON.stringify({ latest: d.version, checkedAt: Date.now() })); })",
+  "  .catch(() => {})",
+  "  .finally(() => clearTimeout(t));"
+].join("\n");
+function parseVersion(version) {
+  const core = String(version).trim().replace(/^v/, "").split("-")[0];
+  const [major, minor, patch] = core.split(".").map((n) => parseInt(n, 10) || 0);
+  return [major || 0, minor || 0, patch || 0];
+}
+function isNewer(latest, current) {
+  const a = parseVersion(latest);
+  const b = parseVersion(current);
+  for (let i = 0; i < 3; i++) {
+    if (a[i] > b[i]) return true;
+    if (a[i] < b[i]) return false;
+  }
+  return false;
+}
+function paint(text, code) {
+  return process.stdout.isTTY && !process.env.NO_COLOR ? `\x1B[${code}m${text}\x1B[0m` : text;
+}
+function renderUpdateBox(current, latest) {
+  const lines = [
+    { text: `Update available  ${current} -> ${latest}`, color: "1;33" },
+    { text: `Run ${UPDATE_COMMAND} to update`, color: "36" }
+  ];
+  const width = Math.max(...lines.map((l) => l.text.length));
+  const border = `+${"-".repeat(width + 4)}+`;
+  const blank = `|${" ".repeat(width + 4)}|`;
+  const rows = lines.map((l) => `|${paint(`  ${l.text}${" ".repeat(width - l.text.length)}  `, l.color)}|`);
+  return [border, blank, ...rows, blank, border].join("\n");
+}
+function readCache() {
+  return readJson(CACHE_FILE);
+}
+function scheduleUpdateCheck() {
+  try {
+    const cache = readCache();
+    if (cache && Date.now() - cache.checkedAt < CHECK_INTERVAL_MS) return;
+    writeFileSync6(CACHE_FILE, JSON.stringify({ latest: cache?.latest ?? null, checkedAt: Date.now() }));
+    const child = spawn(process.execPath, ["-e", CHILD_SCRIPT], {
+      detached: true,
+      stdio: "ignore",
+      windowsHide: true,
+      env: { ...process.env, E_URL: REGISTRY_URL, E_FILE: CACHE_FILE }
+    });
+    child.unref();
+  } catch {
+  }
+}
+function runUpdate() {
+  try {
+    const result = spawnSync("npm", ["i", "-g", "enigma-cli@latest"], {
+      stdio: "inherit",
+      shell: process.platform === "win32"
+    });
+    if (result.status === 0) console.log("Updated. Re-run your command to use the new version.");
+    else console.log(`Update did not complete. Run '${UPDATE_COMMAND}' manually.`);
+  } catch {
+    console.log(`Could not run the update. Run '${UPDATE_COMMAND}' manually.`);
+  }
+}
+async function notifyUpdate(current, interactive) {
+  if (!process.stdout.isTTY || process.env.CI) return;
+  try {
+    scheduleUpdateCheck();
+    const cache = readCache();
+    const latest = cache?.latest ? String(cache.latest).replace(/[^\w.+-]/g, "") : "";
+    if (!latest || !isNewer(latest, current)) return;
+    process.stdout.write(`
+${renderUpdateBox(current, latest)}
+`);
+    if (!interactive) return;
+    const ok = await p4.confirm({ message: `Update now with ${UPDATE_COMMAND}?`, initialValue: true });
+    if (p4.isCancel(ok) || !ok) return;
+    runUpdate();
+  } catch {
+  }
+}
+
 // src/cli.ts
 var __dirname3 = dirname4(fileURLToPath4(import.meta.url));
-var PKG = readJson(join8(__dirname3, "..", "package.json")) || {};
+var PKG = readJson(join10(__dirname3, "..", "package.json")) || {};
 var COMMANDS = /* @__PURE__ */ new Set(["install", "security", "guard", "seal", "check", "config", "help", "version"]);
 function parseArgs(argv) {
   const opts = {
@@ -884,6 +1104,8 @@ function parseArgs(argv) {
     memoryOnly: false,
     prune: true,
     keepModified: false,
+    bypass: null,
+    noBypass: false,
     force: false,
     all: false,
     yes: false,
@@ -931,6 +1153,12 @@ function parseArgs(argv) {
       case "--keep-modified":
         opts.keepModified = true;
         break;
+      case "--bypass":
+        opts.bypass = (opts.bypass || []).concat(next().split(","));
+        break;
+      case "--no-bypass":
+        opts.noBypass = true;
+        break;
       case "--force":
         opts.force = true;
         break;
@@ -988,6 +1216,8 @@ Install options:
       --all            Target every supported agent, ignoring detection
       --skills-only    Only skill folders   --memory-only  Only memory files
       --no-prune       Keep orphaned skills  --keep-modified  Don't overwrite local edits
+      --bypass <names> Disable approval prompts for agents (claude,codex,opencode | all | none)
+      --no-bypass      Never configure permission bypass (skip the prompt)
       --dry-run        Show the plan without writing
 
 Security options:
@@ -1000,6 +1230,7 @@ Examples:
   enigma                              # interactive
   enigma install --global             # skills for detected agents, user level
   enigma install --all -y             # every supported agent, non-interactive
+  enigma install -y --bypass claude,codex  # also disable approval prompts (unattended)
   enigma security                     # configure git hooks (choose protections)
   enigma config                       # show effective runtime config
   enigma config commit-emoji off      # opt out of commit-message emojis (global)
@@ -1007,12 +1238,16 @@ Examples:
 }
 async function run(argv) {
   const opts = parseArgs(argv);
+  const interactive = Boolean(process.stdout.isTTY) && !opts.yes;
+  const version = PKG.version || "0.0.0";
   if (opts.help || opts.command === "help") {
     printHelp();
+    await notifyUpdate(version, interactive);
     return;
   }
   if (opts.version || opts.command === "version") {
-    console.log(PKG.version || "0.0.0");
+    console.log(version);
+    await notifyUpdate(version, interactive);
     return;
   }
   if (opts.command === "seal") return sealSources();
@@ -1023,23 +1258,24 @@ async function run(argv) {
   if (opts.command === "config") {
     process.exit(runConfigCli(opts.positionals, opts.scope));
   }
-  const interactive = Boolean(process.stdout.isTTY) && !opts.yes;
   if (opts.command === "install") {
-    p3.intro("enigma - install agent skills");
+    p5.intro("enigma - install agent skills");
     await installSkills(opts, interactive);
-    p3.outro("Done.");
+    p5.outro("Done.");
+    await notifyUpdate(version, interactive);
     return;
   }
   if (opts.command === "security") {
-    p3.intro("enigma - git security hooks");
+    p5.intro("enigma - git security hooks");
     const done = await setupGitHooks(opts, interactive);
-    p3.outro(done ? "Git hooks configured." : "No changes made.");
+    p5.outro(done ? "Git hooks configured." : "No changes made.");
+    await notifyUpdate(version, interactive);
     return;
   }
-  p3.intro("enigma");
+  p5.intro("enigma");
   let features;
   if (interactive) {
-    const r = await p3.multiselect({
+    const r = await p5.multiselect({
       message: "What do you want to set up?",
       options: [
         { value: "skills", label: "Agent skills", hint: "Claude Code, Codex, opencode" },
@@ -1048,8 +1284,8 @@ async function run(argv) {
       initialValues: ["skills"],
       required: true
     });
-    if (p3.isCancel(r)) {
-      p3.cancel("Aborted.");
+    if (p5.isCancel(r)) {
+      p5.cancel("Aborted.");
       return;
     }
     features = r;
@@ -1058,7 +1294,8 @@ async function run(argv) {
   }
   if (features.includes("skills")) await installSkills(opts, interactive);
   if (features.includes("security")) await setupGitHooks(opts, interactive);
-  p3.outro("Done.");
+  p5.outro("Done.");
+  await notifyUpdate(version, interactive);
 }
 
 // src/bin/enigma.ts

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "enigma-cli",
-  "version": "1.0.0",
+  "version": "1.1.1",
   "description": "Everything you need to work with a coding agent: install shared policy skills for Claude Code, OpenAI Codex and opencode, and set up portable git security hooks.",
   "type": "module",
   "bin": {