enigma-cli 1.0.0

package/dist/enigma.js

@@ -0,0 +1,1068 @@
+#!/usr/bin/env node
+
+// src/cli.ts
+import { dirname as dirname4, join as join8 } from "path";
+import { fileURLToPath as fileURLToPath4 } from "url";
+import * as p3 from "@clack/prompts";
+
+// src/util.ts
+import { existsSync, statSync, readFileSync } from "fs";
+import { join, sep } from "path";
+function isDir(pth) {
+  try {
+    return statSync(pth).isDirectory();
+  } catch {
+    return false;
+  }
+}
+function readJson(file) {
+  try {
+    return JSON.parse(readFileSync(file, "utf8"));
+  } catch {
+    return null;
+  }
+}
+function isOnPath(bin) {
+  const dirs = (process.env.PATH || process.env.Path || "").split(sep === "\\" ? ";" : ":").filter(Boolean);
+  const exts = sep === "\\" ? (process.env.PATHEXT || ".EXE;.CMD;.BAT;.COM").split(";").map((e) => e.toLowerCase()) : [""];
+  return dirs.some((d) => exts.some((ext) => existsSync(join(d, bin + ext))));
+}
+
+// src/skills.ts
+import { existsSync as existsSync4, readdirSync, readFileSync as readFileSync2, writeFileSync as writeFileSync3, cpSync as cpSync2, mkdirSync as mkdirSync3, rmSync } from "fs";
+import { dirname as dirname2, join as join5, resolve as resolve2, relative as relative2, sep as sep2 } from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+import { createHash } from "crypto";
+import * as p2 from "@clack/prompts";
+
+// src/agents.ts
+import { homedir } from "os";
+import { join as join2 } from "path";
+import { existsSync as existsSync2 } from "fs";
+import { execFileSync } from "child_process";
+var HOME = homedir();
+var MANAGED_PROVIDER = "FJRG2007/enigma";
+var LEGACY_PROVIDERS = ["FJRG2007"];
+function isManagedProvider(provider) {
+  return provider === MANAGED_PROVIDER || typeof provider === "string" && LEGACY_PROVIDERS.includes(provider);
+}
+var AGENTS = {
+  claude: {
+    label: "Claude Code",
+    memoryFile: "CLAUDE.md",
+    detect: { bins: ["claude"], dirs: [join2(HOME, ".claude")] },
+    targets: {
+      global: { skills: join2(HOME, ".claude", "skills"), memory: join2(HOME, ".claude") },
+      local: { skills: join2(process.cwd(), ".claude", "skills"), memory: process.cwd() }
+    }
+  },
+  codex: {
+    label: "OpenAI Codex",
+    memoryFile: "AGENTS.md",
+    // Codex reads AGENTS.md from its home (~/.codex) and project root, but
+    // discovers skills from the shared `.agents/skills` location, not ~/.codex/skills.
+    detect: { bins: ["codex"], dirs: [join2(HOME, ".codex")] },
+    targets: {
+      global: { skills: join2(HOME, ".agents", "skills"), memory: join2(HOME, ".codex") },
+      local: { skills: join2(process.cwd(), ".agents", "skills"), memory: process.cwd() }
+    }
+  },
+  opencode: {
+    label: "opencode",
+    memoryFile: "AGENTS.md",
+    // opencode reads AGENTS.md from ~/.config/opencode (global) or the project
+    // root (local); skills from ~/.config/opencode/skills and .opencode/skills.
+    detect: { bins: ["opencode"], dirs: [join2(HOME, ".config", "opencode"), join2(HOME, ".opencode")] },
+    targets: {
+      global: { skills: join2(HOME, ".config", "opencode", "skills"), memory: join2(HOME, ".config", "opencode") },
+      local: { skills: join2(process.cwd(), ".opencode", "skills"), memory: process.cwd() }
+    }
+  }
+};
+function isInstalled(agent) {
+  const det = agent.detect || {};
+  return (det.dirs || []).some((d) => existsSync2(d)) || (det.bins || []).some((b) => isOnPath(b));
+}
+function discoverAgents() {
+  return Object.keys(AGENTS).map((name) => {
+    const agent = { name, ...AGENTS[name] };
+    return { ...agent, installed: isInstalled(agent) };
+  });
+}
+function processSnapshot() {
+  try {
+    if (process.platform === "win32") {
+      return execFileSync("tasklist", ["/fo", "csv", "/nh"], { encoding: "utf8" }).toLowerCase();
+    }
+    return execFileSync("ps", ["-A", "-o", "comm="], { encoding: "utf8" }).toLowerCase();
+  } catch {
+    return null;
+  }
+}
+function runningStatus(agents) {
+  const snap = processSnapshot();
+  if (snap == null) return { known: false, running: /* @__PURE__ */ new Set() };
+  const running = /* @__PURE__ */ new Set();
+  for (const a of agents) {
+    const det = a.detect || {};
+    const names = det.procs || det.bins || [a.name];
+    if (names.some((n) => snap.includes(String(n).toLowerCase()))) running.add(a.name);
+  }
+  return { known: true, running };
+}
+
+// src/security.ts
+import { existsSync as existsSync3, mkdirSync, cpSync, writeFileSync, chmodSync } from "fs";
+import { dirname, join as join3, resolve, relative } from "path";
+import { fileURLToPath } from "url";
+import { execFileSync as execFileSync2 } from "child_process";
+import * as p from "@clack/prompts";
+var __dirname = dirname(fileURLToPath(import.meta.url));
+function findGuardSrc() {
+  const candidates = [
+    join3(__dirname, "guard.js"),
+    join3(__dirname, "..", "dist", "guard.js")
+  ];
+  return candidates.find((c) => existsSync3(c)) ?? null;
+}
+var GUARD_PROTECTIONS = [
+  { value: "secrets", label: "Block committed secrets", hint: "API keys, tokens, private keys" },
+  { value: "envFiles", label: "Block .env files", hint: "allows .env.example / .sample / .template" },
+  { value: "depDirs", label: "Block dependency/cache dirs", hint: "node_modules, __pycache__, venv" },
+  { value: "generatedDirs", label: "Warn on generated dirs", hint: "dist, build, .next, coverage" },
+  { value: "junkFiles", label: "Warn on log / OS junk files", hint: ".log, .DS_Store, Thumbs.db" },
+  { value: "largeFiles", label: "Warn on files over 5 MB", hint: "oversized blobs" }
+];
+function findGitRoot(start) {
+  let dir = resolve(start);
+  for (; ; ) {
+    if (existsSync3(join3(dir, ".git"))) return dir;
+    const parent = dirname(dir);
+    if (parent === dir) return null;
+    dir = parent;
+  }
+}
+function currentHooksPath(root) {
+  try {
+    return execFileSync2("git", ["-C", root, "config", "--get", "core.hooksPath"], { encoding: "utf8" }).trim();
+  } catch {
+    return "";
+  }
+}
+async function setupGitHooks(opts, interactive) {
+  const root = findGitRoot(process.cwd());
+  if (!root) {
+    p.log.error("Not inside a git repository (no .git found). Run this from your project root.");
+    return false;
+  }
+  const guardSrc = findGuardSrc();
+  if (!guardSrc) {
+    p.log.error("Cannot find the built guard (dist/guard.js). Run 'npm run build' first.");
+    return false;
+  }
+  const current = currentHooksPath(root);
+  if (current && current !== ".githooks" && !opts.force) {
+    p.log.warn(`core.hooksPath is already set to '${current}'.`);
+    if (interactive) {
+      const ok = await p.confirm({ message: `Override existing core.hooksPath '${current}' with '.githooks'?` });
+      if (p.isCancel(ok) || !ok) {
+        p.log.info("Left git hooks unchanged.");
+        return false;
+      }
+    } else {
+      p.log.info("Re-run with --force to override.");
+      return false;
+    }
+  }
+  let enabled = opts.protections;
+  if (!enabled && interactive) {
+    const r = await p.multiselect({
+      message: "Which protections should the commit guard enforce?",
+      options: GUARD_PROTECTIONS,
+      initialValues: GUARD_PROTECTIONS.map((o) => o.value),
+      required: true
+    });
+    if (p.isCancel(r)) {
+      p.log.info("Left git hooks unchanged.");
+      return false;
+    }
+    enabled = r;
+  }
+  const config = {};
+  for (const o of GUARD_PROTECTIONS) config[o.value] = enabled ? enabled.includes(o.value) : true;
+  const hooksDir = join3(root, ".githooks");
+  mkdirSync(hooksDir, { recursive: true });
+  cpSync(guardSrc, join3(hooksDir, "guard.mjs"), { force: true });
+  writeFileSync(join3(hooksDir, "enigma-guard.json"), JSON.stringify(config, null, 2) + "\n");
+  const shimPath = join3(hooksDir, "pre-commit");
+  const shim = [
+    "#!/bin/sh",
+    "# Managed by enigma (enigma-cli) - blocks committed secrets, .env files, and dependency dirs.",
+    "# Toggle protections in .githooks/enigma-guard.json. Bypass once: git commit --no-verify",
+    'exec node "$(git rev-parse --show-toplevel)/.githooks/guard.mjs" "$@"',
+    ""
+  ].join("\n");
+  writeFileSync(shimPath, shim);
+  try {
+    chmodSync(shimPath, 493);
+  } catch {
+  }
+  try {
+    chmodSync(join3(hooksDir, "guard.mjs"), 493);
+  } catch {
+  }
+  try {
+    execFileSync2("git", ["-C", root, "config", "core.hooksPath", ".githooks"]);
+  } catch (err) {
+    p.log.error(`Failed to set core.hooksPath: ${err.message}`);
+    return false;
+  }
+  const on = Object.entries(config).filter(([, v]) => v).map(([k]) => k);
+  p.log.success(`Git security hooks installed in ${relative(process.cwd(), hooksDir) || ".githooks"} (core.hooksPath set).`);
+  p.log.info(`Enforcing: ${on.join(", ") || "nothing"}. Commit .githooks/ so your team inherits it.`);
+  if (isOnPath("gh")) {
+    p.log.info("GitHub CLI (gh) detected: these hooks also run for commits made via gh, since gh uses git underneath.");
+  }
+  return true;
+}
+async function maybeOfferGitHooks(interactive, opts) {
+  if (!interactive || opts.security) return;
+  const root = findGitRoot(process.cwd());
+  if (!root) return;
+  if (currentHooksPath(root) === ".githooks") return;
+  const ok = await p.confirm({ message: "Set up git security hooks here too (block secrets, .env, node_modules)?" });
+  if (!p.isCancel(ok) && ok) await setupGitHooks({ ...opts, protections: void 0 }, interactive);
+}
+
+// src/claude.ts
+import { homedir as homedir2 } from "os";
+import { join as join4 } from "path";
+import { mkdirSync as mkdirSync2, writeFileSync as writeFileSync2 } from "fs";
+function claudeSettingsPath(scope) {
+  return scope === "global" ? join4(homedir2(), ".claude", "settings.json") : join4(process.cwd(), ".claude", "settings.json");
+}
+function disableClaudeAttribution(scope) {
+  const path = claudeSettingsPath(scope);
+  const current = readJson(path) || {};
+  const attribution = typeof current.attribution === "object" && current.attribution !== null ? current.attribution : {};
+  const alreadyOff = attribution.commit === "" && attribution.pr === "" && current.includeCoAuthoredBy === false;
+  if (alreadyOff) return false;
+  const next = {
+    ...current,
+    attribution: { ...attribution, commit: "", pr: "" },
+    includeCoAuthoredBy: false
+  };
+  const dir = join4(path, "..");
+  if (!isDir(dir)) mkdirSync2(dir, { recursive: true });
+  writeFileSync2(path, JSON.stringify(next, null, 2) + "\n");
+  return true;
+}
+
+// src/skills.ts
+var __dirname2 = dirname2(fileURLToPath2(import.meta.url));
+var PKG_ROOT = resolve2(__dirname2, "..");
+var ASSETS = join5(PKG_ROOT, "assets");
+var SKILLS_ROOT = join5(ASSETS, "skills");
+var MEMORY_ROOT = join5(ASSETS, "memory");
+function cliVersion() {
+  return (readJson(join5(PKG_ROOT, "package.json")) || {}).version || "0.0.0";
+}
+function serializeMeta(meta) {
+  const ordered = {};
+  for (const k of ["name", "version", "provider", "description", "cliVersion", "sha"]) {
+    if (meta[k] !== void 0) ordered[k] = meta[k];
+  }
+  for (const k of Object.keys(meta)) if (!(k in ordered)) ordered[k] = meta[k];
+  return JSON.stringify(ordered, null, 2) + "\n";
+}
+function readSkillMeta(skillDir) {
+  return readJson(join5(skillDir, "skill.json")) || {};
+}
+function listFilesRel(dir, base = dir) {
+  const out = [];
+  for (const e of readdirSync(dir)) {
+    const full = join5(dir, e);
+    if (isDir(full)) out.push(...listFilesRel(full, base));
+    else out.push(relative2(base, full).split(sep2).join("/"));
+  }
+  return out;
+}
+function computeContentSha(dir) {
+  const files = listFilesRel(dir).filter((f) => f !== "skill.json").sort();
+  const h = createHash("sha256");
+  for (const f of files) {
+    h.update(f);
+    h.update("\0");
+    h.update(readFileSync2(join5(dir, f)));
+    h.update("\0");
+  }
+  return h.digest("hex");
+}
+function skillStatus(destDir, srcMeta) {
+  if (!existsSync4(destDir)) return { kind: "install", from: null, to: srcMeta.version || null };
+  const destMeta = readSkillMeta(destDir);
+  const from = destMeta.version || null;
+  const to = srcMeta.version || null;
+  if (from && to && from !== to) return { kind: "update", from, to };
+  const recordedSha = destMeta.sha || null;
+  if (!recordedSha) return { kind: "reinstall", from, to };
+  const actualSha = computeContentSha(destDir);
+  if (actualSha !== recordedSha) return { kind: "tampered", from, to };
+  return { kind: "identical", from, to };
+}
+function statusLabel(st) {
+  switch (st.kind) {
+    case "install":
+      return st.to ? `install v${st.to}` : "install";
+    case "update":
+      return `update ${st.from} -> ${st.to}`;
+    case "identical":
+      return st.to ? `up-to-date v${st.to} (skip)` : "up-to-date (skip)";
+    case "tampered":
+      return st.to ? `MODIFIED locally v${st.to}` : "MODIFIED locally";
+    default:
+      return st.to ? `reinstall v${st.to}` : "reinstall";
+  }
+}
+function filesEqual(a, b) {
+  try {
+    return readFileSync2(a).equals(readFileSync2(b));
+  } catch {
+    return false;
+  }
+}
+function memoryStatus(srcFile, destFile) {
+  if (!existsSync4(destFile)) return "install";
+  return filesEqual(srcFile, destFile) ? "identical" : "overwrite";
+}
+function computePrune(destSkillsDir, sourceNames) {
+  if (!isDir(destSkillsDir)) return [];
+  return readdirSync(destSkillsDir).filter((e) => isDir(join5(destSkillsDir, e)) && existsSync4(join5(destSkillsDir, e, "SKILL.md"))).filter((e) => !sourceNames.includes(e)).map((e) => ({ name: e, dir: join5(destSkillsDir, e), meta: readSkillMeta(join5(destSkillsDir, e)) })).filter((s) => isManagedProvider(s.meta.provider));
+}
+function inspectSkills() {
+  if (!isDir(SKILLS_ROOT)) return [];
+  return readdirSync(SKILLS_ROOT).filter((e) => isDir(join5(SKILLS_ROOT, e)) && existsSync4(join5(SKILLS_ROOT, e, "SKILL.md"))).map((e) => ({ name: e, src: join5(SKILLS_ROOT, e), meta: readSkillMeta(join5(SKILLS_ROOT, e)) }));
+}
+function inspectMemory(agent) {
+  if (!agent.memoryFile) return [];
+  const src = join5(MEMORY_ROOT, agent.memoryFile);
+  return existsSync4(src) ? [{ name: agent.memoryFile, src }] : [];
+}
+function sealSources() {
+  if (!isDir(SKILLS_ROOT)) {
+    console.error(`No skills directory found at ${SKILLS_ROOT}.`);
+    process.exit(1);
+  }
+  const cli = cliVersion();
+  let sealed = 0;
+  for (const name of readdirSync(SKILLS_ROOT)) {
+    const dir = join5(SKILLS_ROOT, name);
+    if (!isDir(dir) || !existsSync4(join5(dir, "SKILL.md"))) continue;
+    const metaPath = join5(dir, "skill.json");
+    const meta = readJson(metaPath) || { name };
+    const before = JSON.stringify(meta);
+    meta.provider = MANAGED_PROVIDER;
+    meta.cliVersion = cli;
+    meta.sha = computeContentSha(dir);
+    const changed = JSON.stringify(meta) !== before;
+    writeFileSync3(metaPath, serializeMeta(meta));
+    console.log(`${changed ? "updated" : "ok     "}  ${name}  cli=${cli}  sha=${meta.sha.slice(0, 12)}`);
+    sealed++;
+  }
+  console.log(`
+Sealed ${sealed} skill(s) at cliVersion ${cli}.`);
+}
+function checkSources() {
+  if (!isDir(SKILLS_ROOT)) {
+    console.error(`No skills directory found at ${SKILLS_ROOT}.`);
+    process.exit(1);
+  }
+  const cli = cliVersion();
+  const problems = [];
+  let checked = 0;
+  for (const name of readdirSync(SKILLS_ROOT)) {
+    const dir = join5(SKILLS_ROOT, name);
+    if (!isDir(dir) || !existsSync4(join5(dir, "SKILL.md"))) continue;
+    checked++;
+    const md = readFileSync2(join5(dir, "SKILL.md"), "utf8");
+    const fm = md.match(/^---\n([\s\S]*?)\n---/);
+    if (!fm) problems.push(`${name}: SKILL.md is missing YAML frontmatter`);
+    else {
+      if (!/^name:\s*\S/m.test(fm[1])) problems.push(`${name}: frontmatter missing 'name'`);
+      if (!/^description:\s*\S/m.test(fm[1])) problems.push(`${name}: frontmatter missing 'description'`);
+    }
+    const metaPath = join5(dir, "skill.json");
+    if (!existsSync4(metaPath)) {
+      problems.push(`${name}: missing skill.json`);
+      continue;
+    }
+    const meta = readJson(metaPath);
+    if (!meta) {
+      problems.push(`${name}: skill.json is not valid JSON`);
+      continue;
+    }
+    if (!isManagedProvider(meta.provider)) problems.push(`${name}: skill.json provider is not ${MANAGED_PROVIDER}`);
+    if (!meta.version) problems.push(`${name}: skill.json missing 'version'`);
+    if (meta.cliVersion !== cli) problems.push(`${name}: stale cliVersion (${meta.cliVersion || "none"} != ${cli}) - run 'enigma seal'`);
+    if (!meta.sha) problems.push(`${name}: not sealed (run 'enigma seal')`);
+    else if (meta.sha !== computeContentSha(dir)) problems.push(`${name}: stale sha - content changed since seal (run 'enigma seal')`);
+  }
+  if (problems.length) {
+    console.error(`Integrity check FAILED (${problems.length} problem(s) across ${checked} skill(s)):`);
+    for (const pr of problems) console.error(`  - ${pr}`);
+    process.exit(1);
+  }
+  console.log(`Integrity check passed: ${checked} skill(s) well-formed and sealed.`);
+}
+async function installSkills(opts, interactive) {
+  const available = discoverAgents();
+  if (available.length === 0) {
+    p2.cancel("No installable agents known.");
+    process.exit(1);
+  }
+  let scope;
+  if (opts.scope) {
+    scope = opts.scope;
+  } else if (interactive) {
+    const r = await p2.select({
+      message: "Where should skills be installed?",
+      options: [
+        { value: "global", label: "Global (user)", hint: "~/.claude, ~/.codex, ~/.config/opencode" },
+        { value: "local", label: "Local (this project)", hint: process.cwd() }
+      ]
+    });
+    if (p2.isCancel(r)) {
+      p2.cancel("Aborted.");
+      return;
+    }
+    scope = r;
+  } else {
+    scope = "global";
+  }
+  const detected = available.filter((a) => a.installed);
+  let chosenAgents = available;
+  if (opts.agents.length) {
+    chosenAgents = available.filter((a) => opts.agents.includes(a.name));
+    const unknown = opts.agents.filter((n) => !available.some((a) => a.name === n));
+    if (unknown.length) p2.log.warn(`Skipping unknown/absent agents: ${unknown.join(", ")}`);
+  } else if (opts.allAgents) {
+    chosenAgents = available;
+  } else if (interactive && available.length > 1) {
+    const preselect = (detected.length ? detected : available).map((a) => a.name);
+    const r = await p2.multiselect({
+      message: "Which agents? (detected on this system are preselected)",
+      options: available.map((a) => ({ value: a.name, label: a.label, hint: a.installed ? "detected" : "not detected" })),
+      initialValues: preselect,
+      required: true
+    });
+    if (p2.isCancel(r)) {
+      p2.cancel("Aborted.");
+      return;
+    }
+    chosenAgents = available.filter((a) => r.includes(a.name));
+  } else if (detected.length) {
+    chosenAgents = detected;
+  } else {
+    chosenAgents = available;
+    p2.log.warn("No installed agents detected; defaulting to all supported agents.");
+  }
+  if (chosenAgents.length === 0) {
+    p2.cancel("No matching agents selected.");
+    process.exit(1);
+  }
+  const claudeScope = chosenAgents.some((a) => a.name === "claude") ? scope : null;
+  const applyClaudeConfig = () => {
+    if (!claudeScope || opts.dryRun) return;
+    if (disableClaudeAttribution(claudeScope)) {
+      p2.log.info("Claude Code: disabled Co-Authored-By and PR attribution in settings.json.");
+    }
+  };
+  const plan = [];
+  for (const agent of chosenAgents) {
+    const target = agent.targets[scope];
+    if (!target) {
+      p2.log.warn(`${agent.label} has no '${scope}' target - skipping.`);
+      continue;
+    }
+    const skills = inspectSkills();
+    const memory = inspectMemory(agent);
+    let chosenSkills = skills;
+    if (!opts.memoryOnly && opts.skills.length) {
+      chosenSkills = skills.filter((s2) => opts.skills.includes(s2.name));
+    } else if (!opts.memoryOnly && interactive && skills.length > 1) {
+      const r = await p2.multiselect({
+        message: `Skills for ${agent.label} - all selected; deselect any you don't want`,
+        options: skills.map((s2) => {
+          const st = skillStatus(join5(target.skills, s2.name), s2.meta);
+          const prov = s2.meta.provider ? ` ${s2.meta.provider}` : "";
+          return { value: s2.name, label: s2.name, hint: `${statusLabel(st)}${prov}` };
+        }),
+        initialValues: skills.map((s2) => s2.name),
+        required: false
+      });
+      if (p2.isCancel(r)) {
+        p2.cancel("Aborted.");
+        return;
+      }
+      chosenSkills = skills.filter((s2) => r.includes(s2.name));
+    }
+    const skillsWithStatus = (opts.memoryOnly ? [] : chosenSkills).map((s2) => ({
+      ...s2,
+      status: skillStatus(join5(target.skills, s2.name), s2.meta),
+      overwrite: true
+    }));
+    const prune = opts.prune && !opts.memoryOnly ? computePrune(target.skills, skills.map((s2) => s2.name)) : [];
+    plan.push({ agent, target, skills: skillsWithStatus, memory: opts.skillsOnly ? [] : memory, prune });
+  }
+  const tampered = plan.flatMap((x) => x.skills.filter((s2) => s2.status.kind === "tampered"));
+  if (tampered.length) {
+    if (opts.keepModified) {
+      for (const s2 of tampered) s2.overwrite = false;
+      p2.log.warn(`${tampered.length} locally-modified skill(s) will be kept (--keep-modified).`);
+    } else if (interactive && !opts.dryRun) {
+      const sel = await p2.multiselect({
+        message: `${tampered.length} skill(s) were modified locally since install. Select which to OVERWRITE`,
+        options: tampered.map((s2, i) => ({ value: i, label: s2.name, hint: s2.meta.version ? `v${s2.meta.version}` : "modified" })),
+        initialValues: tampered.map((_, i) => i),
+        required: false
+      });
+      if (p2.isCancel(sel)) {
+        p2.cancel("Aborted.");
+        return;
+      }
+      tampered.forEach((s2, i) => {
+        s2.overwrite = sel.includes(i);
+      });
+    }
+  }
+  const willCopy = (s2) => s2.status.kind === "install" || s2.status.kind === "update" || s2.status.kind === "reinstall" || s2.status.kind === "tampered" && s2.overwrite;
+  let nInstall = 0, nUpdate = 0, nRemove = 0, nSkip = 0, nKept = 0;
+  const lines = [];
+  for (const x of plan) {
+    lines.push(`${x.agent.label}  (${scope})`);
+    for (const s2 of x.skills) {
+      const prov = s2.meta.provider ? `  [${s2.meta.provider}]` : "";
+      let label;
+      if (s2.status.kind === "identical") {
+        nSkip++;
+        label = statusLabel(s2.status);
+      } else if (s2.status.kind === "tampered" && !s2.overwrite) {
+        nKept++;
+        label = `keep modified v${s2.meta.version || "?"}`;
+      } else if (s2.status.kind === "tampered") {
+        nUpdate++;
+        label = `overwrite modified v${s2.meta.version || "?"}`;
+      } else if (s2.status.kind === "install") {
+        nInstall++;
+        label = statusLabel(s2.status);
+      } else {
+        nUpdate++;
+        label = statusLabel(s2.status);
+      }
+      lines.push(`  ${label.padEnd(26)} skill   ${s2.name}${prov}`);
+    }
+    for (const m of x.memory) {
+      const ms = memoryStatus(m.src, join5(x.target.memory, m.name));
+      if (ms === "identical") {
+        nSkip++;
+        lines.push(`  ${"up-to-date (skip)".padEnd(26)} memory  ${m.name}`);
+      } else if (ms === "install") {
+        nInstall++;
+        lines.push(`  ${"install".padEnd(26)} memory  ${m.name}`);
+      } else {
+        nUpdate++;
+        lines.push(`  ${"overwrite".padEnd(26)} memory  ${m.name}`);
+      }
+    }
+    for (const s2 of x.prune) {
+      nRemove++;
+      const ver = s2.meta.version ? ` v${s2.meta.version}` : "";
+      lines.push(`  ${"remove (orphaned)".padEnd(26)} skill   ${s2.name}  [${s2.meta.provider}${ver}]`);
+    }
+  }
+  if (nInstall + nUpdate + nRemove === 0) {
+    p2.note(lines.join("\n"), "Nothing to do");
+    applyClaudeConfig();
+    await maybeOfferGitHooks(interactive, opts);
+    p2.log.success(`Everything up-to-date - ${nSkip} item(s) unchanged${nKept ? `, ${nKept} kept modified` : ""} (${scope}).`);
+    return;
+  }
+  p2.note(lines.join("\n"), opts.dryRun ? "Dry run - planned changes" : "Planned changes");
+  if (interactive && !opts.dryRun) {
+    const summary = [
+      nInstall && `${nInstall} to install`,
+      nUpdate && `${nUpdate} to update/overwrite`,
+      nRemove && `${nRemove} to remove`,
+      nSkip && `${nSkip} unchanged`
+    ].filter(Boolean).join(", ");
+    const ok = await p2.confirm({ message: `Apply: ${summary}?` });
+    if (p2.isCancel(ok) || !ok) {
+      p2.cancel("Aborted.");
+      return;
+    }
+  }
+  if (opts.dryRun) {
+    p2.log.info("Dry run complete - no files written.");
+    return;
+  }
+  const changedAgents = plan.filter(
+    (x) => x.skills.some(willCopy) || x.memory.some((m) => memoryStatus(m.src, join5(x.target.memory, m.name)) !== "identical") || x.prune.length > 0
+  );
+  const s = p2.spinner();
+  s.start("Installing...");
+  let copied = 0;
+  try {
+    for (const x of plan) {
+      mkdirSync3(x.target.skills, { recursive: true });
+      mkdirSync3(x.target.memory, { recursive: true });
+      for (const sk of x.skills) {
+        if (!willCopy(sk)) continue;
+        cpSync2(sk.src, join5(x.target.skills, sk.name), { recursive: true, force: true });
+        copied++;
+      }
+      for (const m of x.memory) {
+        if (memoryStatus(m.src, join5(x.target.memory, m.name)) === "identical") continue;
+        cpSync2(m.src, join5(x.target.memory, m.name), { force: true });
+        copied++;
+      }
+      for (const pr of x.prune) rmSync(pr.dir, { recursive: true, force: true });
+    }
+  } catch (err) {
+    s.stop("Failed.");
+    p2.cancel(`Error while installing: ${err.message}`);
+    process.exit(1);
+  }
+  s.stop(`Wrote ${copied} item(s)${nRemove ? `, removed ${nRemove}` : ""}.`);
+  applyClaudeConfig();
+  await maybeOfferGitHooks(interactive, opts);
+  p2.log.success(`${nInstall} installed, ${nUpdate} updated/overwritten` + (nRemove ? `, ${nRemove} removed` : "") + (nSkip ? `, ${nSkip} unchanged` : "") + (nKept ? `, ${nKept} kept modified` : "") + ` (${scope}).`);
+  if (changedAgents.length) {
+    const { known, running } = runningStatus(changedAgents.map((x) => x.agent));
+    if (running.size) {
+      const names = changedAgents.filter((x) => running.has(x.agent.name)).map((x) => x.agent.label);
+      p2.log.warn(`Restart ${names.join(", ")} to apply the changes (running now).`);
+    } else if (!known) {
+      const names = changedAgents.map((x) => x.agent.label);
+      p2.log.info(`If any of these agents are running, restart them to apply the changes: ${names.join(", ")}.`);
+    }
+  }
+}
+
+// src/guard.ts
+import { readFileSync as readFileSync3, statSync as statSync2 } from "fs";
+import { execFileSync as execFileSync3 } from "child_process";
+import { basename, extname, dirname as dirname3, join as join6 } from "path";
+import { fileURLToPath as fileURLToPath3 } from "url";
+var LARGE_FILE_BYTES = 5 * 1024 * 1024;
+var ENV_ALLOWED = /(example|sample|template)/i;
+var isForbiddenEnv = (base) => /^\.env(\..+)?$/.test(base) && !ENV_ALLOWED.test(base);
+var BLOCK_DIRS = [
+  /(^|\/)node_modules\//,
+  /(^|\/)bower_components\//,
+  /(^|\/)\.pnp(\/|$)/,
+  /(^|\/)__pycache__\//,
+  /(^|\/)\.venv\//,
+  /(^|\/)venv\//,
+  /(^|\/)\.mypy_cache\//,
+  /(^|\/)\.pytest_cache\//,
+  /(^|\/)\.gradle\//
+];
+var WARN_DIRS = [
+  /(^|\/)dist\//,
+  /(^|\/)build\//,
+  /(^|\/)out\//,
+  /(^|\/)\.next\//,
+  /(^|\/)\.nuxt\//,
+  /(^|\/)\.svelte-kit\//,
+  /(^|\/)\.turbo\//,
+  /(^|\/)coverage\//
+];
+var WARN_FILES = [/\.log$/i, /(^|\/)\.DS_Store$/, /(^|\/)Thumbs\.db$/i];
+var SECRET_SKIP_EXT = /* @__PURE__ */ new Set([
+  ".png",
+  ".jpg",
+  ".jpeg",
+  ".gif",
+  ".webp",
+  ".ico",
+  ".pdf",
+  ".zip",
+  ".gz",
+  ".woff",
+  ".woff2",
+  ".ttf",
+  ".eot",
+  ".mp4",
+  ".mov",
+  ".lock"
+]);
+var SECRET_PATTERNS = [
+  ["AWS access key id", /\bAKIA[0-9A-Z]{16}\b/],
+  ["GitHub token", /\bgh[pousr]_[A-Za-z0-9]{36,}\b/],
+  ["OpenAI API key", /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b/],
+  ["Anthropic API key", /\bsk-ant-[A-Za-z0-9_-]{20,}\b/],
+  ["Slack token", /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/],
+  ["Google API key", /\bAIza[0-9A-Za-z_-]{35}\b/],
+  ["Stripe secret key", /\bsk_live_[0-9A-Za-z]{24,}\b/],
+  ["Private key block", /-----BEGIN (?:RSA |EC |OPENSSH |DSA |PGP )?PRIVATE KEY-----/],
+  ["Generic bearer secret", /\b(?:secret|token|api[_-]?key|passwd|password)\s*[:=]\s*["'][A-Za-z0-9_\-./+]{16,}["']/i]
+];
+var SECRET_SKIP_PATH = [/(^|\/)node_modules\//, /(^|\/)\.git\//, /package-lock\.json$/, /guard\.[mc]?js$/];
+var SELF_DIR = dirname3(fileURLToPath3(import.meta.url));
+function loadConfig() {
+  const defaults = { secrets: true, envFiles: true, depDirs: true, generatedDirs: true, junkFiles: true, largeFiles: true };
+  try {
+    const raw = JSON.parse(readFileSync3(join6(SELF_DIR, "enigma-guard.json"), "utf8"));
+    return { ...defaults, ...raw };
+  } catch {
+    return defaults;
+  }
+}
+function gitFiles(all) {
+  const out = execFileSync3("git", all ? ["ls-files"] : ["diff", "--cached", "--name-only", "--diff-filter=ACM"], { encoding: "utf8" });
+  return out.split("\n").map((s) => s.trim()).filter(Boolean);
+}
+function scanSecrets(file, blocks) {
+  if (SECRET_SKIP_PATH.some((re) => re.test(file))) return;
+  if (SECRET_SKIP_EXT.has(extname(file).toLowerCase())) return;
+  let text;
+  try {
+    text = readFileSync3(file, "utf8");
+  } catch {
+    return;
+  }
+  if (text.includes("\0")) return;
+  text.split("\n").forEach((line, i) => {
+    for (const [label, re] of SECRET_PATTERNS) {
+      if (re.test(line)) blocks.push(`${file}:${i + 1}  [secret: ${label}]`);
+    }
+  });
+}
+function runGuard({ all = false } = {}) {
+  const cfg = loadConfig();
+  let files;
+  try {
+    files = gitFiles(all);
+  } catch {
+    return { ok: true, blocks: [], warns: [], notRepo: true };
+  }
+  const blocks = [];
+  const warns = [];
+  for (const file of files) {
+    const base = basename(file);
+    if (cfg.envFiles && isForbiddenEnv(base)) {
+      blocks.push(`${file}  [env file with secrets - commit .env.example/.template instead]`);
+    }
+    if (cfg.depDirs && BLOCK_DIRS.some((re) => re.test(file))) {
+      blocks.push(`${file}  [dependency/cache dir - must not be committed]`);
+    } else if (cfg.generatedDirs && WARN_DIRS.some((re) => re.test(file))) {
+      warns.push(`${file}  [looks generated - confirm you really want it tracked]`);
+    }
+    if (cfg.junkFiles && WARN_FILES.some((re) => re.test(file))) warns.push(`${file}  [log / OS junk file]`);
+    if (cfg.largeFiles) {
+      try {
+        if (statSync2(file).size > LARGE_FILE_BYTES) warns.push(`${file}  [larger than 5 MB]`);
+      } catch {
+      }
+    }
+    if (cfg.secrets) scanSecrets(file, blocks);
+  }
+  return { ok: blocks.length === 0, blocks, warns, count: files.length, all };
+}
+function runGuardCli(all) {
+  const r = runGuard({ all });
+  if (r.notRepo) {
+    console.error("enigma-guard: not a git repository; nothing to check.");
+    return 0;
+  }
+  if (r.warns.length) {
+    console.error(`enigma-guard: ${r.warns.length} warning(s):`);
+    for (const w of r.warns) console.error(`  ! ${w}`);
+  }
+  if (r.blocks.length) {
+    console.error(`
+enigma-guard: BLOCKED - ${r.blocks.length} problem(s) must be fixed before committing:`);
+    for (const b of r.blocks) console.error(`  x ${b}`);
+    console.error("\nFix the above (move secrets to env/secret manager, gitignore generated paths).");
+    console.error("To bypass intentionally for one commit: git commit --no-verify");
+    return 1;
+  }
+  console.log(`enigma-guard: ${r.count} ${r.all ? "tracked" : "staged"} file(s) checked, no blocking problems.`);
+  return 0;
+}
+var guardEntry = process.argv[1] ?? "";
+var isGuardEntry = /(^|[\\/])guard\.[mc]?[jt]s$/.test(guardEntry);
+if (isGuardEntry && fileURLToPath3(import.meta.url) === guardEntry) {
+  process.exit(runGuardCli(process.argv.includes("--all")));
+}
+
+// src/config.ts
+import { homedir as homedir3 } from "os";
+import { join as join7 } from "path";
+import { existsSync as existsSync5, mkdirSync as mkdirSync4, writeFileSync as writeFileSync4 } from "fs";
+var CONFIG_FILE = ".enigma.json";
+var CONFIG_DEFAULTS = { commitEmoji: true };
+var BOOLEAN_KEYS = ["commitEmoji"];
+var CLI_KEYS = { "commit-emoji": "commitEmoji" };
+function configPath(scope) {
+  return scope === "global" ? join7(homedir3(), CONFIG_FILE) : join7(process.cwd(), CONFIG_FILE);
+}
+function readConfig() {
+  const sources = [];
+  let config = { ...CONFIG_DEFAULTS };
+  for (const scope of ["global", "local"]) {
+    const path = configPath(scope);
+    const raw = existsSync5(path) ? readJson(path) : null;
+    if (raw) {
+      config = { ...config, ...raw };
+      sources.push(path);
+    }
+  }
+  return { config, sources };
+}
+function parseBool(value) {
+  const v = value.toLowerCase();
+  if (["on", "true", "yes", "1", "enable", "enabled"].includes(v)) return true;
+  if (["off", "false", "no", "0", "disable", "disabled"].includes(v)) return false;
+  return null;
+}
+function setValue(scope, key, value) {
+  const path = configPath(scope);
+  const current = readJson(path) || {};
+  const next = { ...current, [key]: value };
+  const dir = join7(path, "..");
+  if (!isDir(dir)) mkdirSync4(dir, { recursive: true });
+  writeFileSync4(path, JSON.stringify(next, null, 2) + "\n");
+  return path;
+}
+function runConfigCli(positionals, scope) {
+  const [rawKey, rawValue] = positionals;
+  if (!rawKey) {
+    const { config, sources } = readConfig();
+    console.log("Effective enigma config:");
+    for (const k of BOOLEAN_KEYS) {
+      const cliKey = Object.keys(CLI_KEYS).find((c) => CLI_KEYS[c] === k) || k;
+      console.log(`  ${cliKey}: ${config[k]}`);
+    }
+    console.log(sources.length ? `
+From: ${sources.join(", ")}` : "\nFrom: built-in defaults (no .enigma.json found)");
+    return 0;
+  }
+  const key = CLI_KEYS[rawKey];
+  if (!key) {
+    console.error(`Unknown config key: ${rawKey}. Known keys: ${Object.keys(CLI_KEYS).join(", ")}.`);
+    return 1;
+  }
+  if (rawValue === void 0) {
+    console.error(`Missing value for '${rawKey}'. Usage: enigma config ${rawKey} <on|off>`);
+    return 1;
+  }
+  const value = parseBool(rawValue);
+  if (value === null) {
+    console.error(`Invalid value '${rawValue}' for '${rawKey}'. Use on or off.`);
+    return 1;
+  }
+  const target = scope || "global";
+  const path = setValue(target, key, value);
+  console.log(`Set ${rawKey} = ${value ? "on" : "off"} (${target}) in ${path}.`);
+  return 0;
+}
+
+// src/cli.ts
+var __dirname3 = dirname4(fileURLToPath4(import.meta.url));
+var PKG = readJson(join8(__dirname3, "..", "package.json")) || {};
+var COMMANDS = /* @__PURE__ */ new Set(["install", "security", "guard", "seal", "check", "config", "help", "version"]);
+function parseArgs(argv) {
+  const opts = {
+    command: null,
+    positionals: [],
+    scope: null,
+    agents: [],
+    allAgents: false,
+    skills: [],
+    skillsOnly: false,
+    memoryOnly: false,
+    prune: true,
+    keepModified: false,
+    force: false,
+    all: false,
+    yes: false,
+    dryRun: false,
+    help: false,
+    version: false
+  };
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    const next = () => argv[++i];
+    if (i === 0 && COMMANDS.has(a)) {
+      opts.command = a;
+      continue;
+    }
+    switch (a) {
+      case "-g":
+      case "--global":
+        opts.scope = "global";
+        break;
+      case "-l":
+      case "--local":
+        opts.scope = "local";
+        break;
+      case "-a":
+      case "--agent":
+        opts.agents.push(...next().split(","));
+        break;
+      case "-s":
+      case "--skill":
+        opts.skills.push(...next().split(","));
+        break;
+      case "--all":
+        opts.allAgents = true;
+        opts.all = true;
+        break;
+      case "--skills-only":
+        opts.skillsOnly = true;
+        break;
+      case "--memory-only":
+        opts.memoryOnly = true;
+        break;
+      case "--no-prune":
+        opts.prune = false;
+        break;
+      case "--keep-modified":
+        opts.keepModified = true;
+        break;
+      case "--force":
+        opts.force = true;
+        break;
+      case "-y":
+      case "--yes":
+        opts.yes = true;
+        break;
+      case "--dry-run":
+        opts.dryRun = true;
+        break;
+      case "-h":
+      case "--help":
+        opts.help = true;
+        break;
+      case "-v":
+      case "--version":
+        opts.version = true;
+        break;
+      default:
+        if (a.startsWith("-")) {
+          console.error(`Unknown option: ${a}`);
+          process.exit(1);
+        } else if (opts.command) {
+          opts.positionals.push(a);
+        } else {
+          console.error(`Unknown command: ${a}`);
+          process.exit(1);
+        }
+    }
+  }
+  return opts;
+}
+function printHelp() {
+  console.log(`
+enigma - everything you need to work with a coding agent
+
+Usage:
+  enigma [command] [options]
+
+Commands:
+  (none)               Interactive menu: pick which features to set up
+  install              Install/update agent skills (Claude Code, Codex, opencode)
+  security             Set up git security hooks in the current repo
+  guard [--all]        Run the commit guard (staged files, or --all for every tracked file)
+  config [key val]     Show/set runtime toggles (e.g. config commit-emoji off)
+  seal                 Maintenance: (re)compute skill content hashes
+  check                Integrity gate: verify skills are well-formed and sealed
+  help, version
+
+Install options:
+  -g, --global         Install at user level
+  -l, --local          Install into the current project
+  -a, --agent <name>   Target agent(s) (default: auto-detect installed)
+  -s, --skill <name>   Skill(s) to install (default: all)
+      --all            Target every supported agent, ignoring detection
+      --skills-only    Only skill folders   --memory-only  Only memory files
+      --no-prune       Keep orphaned skills  --keep-modified  Don't overwrite local edits
+      --dry-run        Show the plan without writing
+
+Security options:
+      --force          Override an existing core.hooksPath
+
+Global:
+  -y, --yes            Non-interactive   -h, --help   -v, --version
+
+Examples:
+  enigma                              # interactive
+  enigma install --global             # skills for detected agents, user level
+  enigma install --all -y             # every supported agent, non-interactive
+  enigma security                     # configure git hooks (choose protections)
+  enigma config                       # show effective runtime config
+  enigma config commit-emoji off      # opt out of commit-message emojis (global)
+`);
+}
+async function run(argv) {
+  const opts = parseArgs(argv);
+  if (opts.help || opts.command === "help") {
+    printHelp();
+    return;
+  }
+  if (opts.version || opts.command === "version") {
+    console.log(PKG.version || "0.0.0");
+    return;
+  }
+  if (opts.command === "seal") return sealSources();
+  if (opts.command === "check") return checkSources();
+  if (opts.command === "guard") {
+    process.exit(runGuardCli(opts.all));
+  }
+  if (opts.command === "config") {
+    process.exit(runConfigCli(opts.positionals, opts.scope));
+  }
+  const interactive = Boolean(process.stdout.isTTY) && !opts.yes;
+  if (opts.command === "install") {
+    p3.intro("enigma - install agent skills");
+    await installSkills(opts, interactive);
+    p3.outro("Done.");
+    return;
+  }
+  if (opts.command === "security") {
+    p3.intro("enigma - git security hooks");
+    const done = await setupGitHooks(opts, interactive);
+    p3.outro(done ? "Git hooks configured." : "No changes made.");
+    return;
+  }
+  p3.intro("enigma");
+  let features;
+  if (interactive) {
+    const r = await p3.multiselect({
+      message: "What do you want to set up?",
+      options: [
+        { value: "skills", label: "Agent skills", hint: "Claude Code, Codex, opencode" },
+        { value: "security", label: "Git security hooks", hint: "block secrets, .env, node_modules on commit" }
+      ],
+      initialValues: ["skills"],
+      required: true
+    });
+    if (p3.isCancel(r)) {
+      p3.cancel("Aborted.");
+      return;
+    }
+    features = r;
+  } else {
+    features = ["skills"];
+  }
+  if (features.includes("skills")) await installSkills(opts, interactive);
+  if (features.includes("security")) await setupGitHooks(opts, interactive);
+  p3.outro("Done.");
+}
+
+// src/bin/enigma.ts
+run(process.argv.slice(2)).catch((err) => {
+  console.error(err);
+  process.exit(1);
+});