enigma-cli 1.1.0 → 1.1.2

package/assets/skills/backend-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Backend/API architecture: controller-service-repository layering, API and request optimization, server-side caching (Redis), and Zod boundary validation.",
-  "cliVersion": "1.1.0",
+  "cliVersion": "1.1.2",
   "sha": "c442bc9e39a7710cb709ef2abb8d15ecd8aa16ed4f5c8af92b7af6877401cba4"
 }

package/assets/skills/ciphera-style-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.1.0",
   "provider": "FJRG2007/enigma",
   "description": "Ciphera code style conventions (formatting, naming, imports, comments, code-level anti-patterns; TypeScript-first, language-agnostic).",
-  "cliVersion": "1.1.0",
+  "cliVersion": "1.1.2",
   "sha": "f8602bb79fbbe063ab39fbd59d0b7844a22c3a1583fcd11c1b4f98a2fe8ddc86"
 }

package/assets/skills/code-review-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Pre-delivery self-review gate, prioritized review dimensions, and change-quality criteria.",
-  "cliVersion": "1.1.0",
+  "cliVersion": "1.1.2",
   "sha": "3d3bbe0602d5bbb4afe37648fe3c2fa39376b1bcbac5d8c441f01fad1e866ed0"
 }

package/assets/skills/core-engineering-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.4.0",
   "provider": "FJRG2007/enigma",
   "description": "Core engineering execution policy and harness orchestration (highest-authority rules).",
-  "cliVersion": "1.1.0",
+  "cliVersion": "1.1.2",
   "sha": "c9c69c59516794311cb7b306ed4d4ad971824de3689a39c2b86c7669c73f2e8b"
 }

package/assets/skills/database-expert/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Senior database architecture policy: query optimization, anti-duplication/normalization, scalability, and RGPD/GDPR encryption.",
-  "cliVersion": "1.1.0",
+  "cliVersion": "1.1.2",
   "sha": "c4617ee8d1a57d9621c81bef3093e94de91f79eec0cc0ead41f6d18dd443e623"
 }

package/assets/skills/debugging-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Reproduce-isolate-fix debugging methodology with root-cause discipline and regression verification.",
-  "cliVersion": "1.1.0",
+  "cliVersion": "1.1.2",
   "sha": "14b0064c8b33a0dc85e51464b05005cf5801c756b1101789a6924b9548420f6b"
 }

package/assets/skills/dependency-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Dependency and supply-chain security: lockfiles and reproducible installs, version pinning, vulnerability auditing, vetting/minimizing packages, vendoring, and SBOM/provenance.",
-  "cliVersion": "1.1.0",
+  "cliVersion": "1.1.2",
   "sha": "6375d835c2aef2c9bd31ce116444dc3d796f510f9970a213aa3ac4696d7e21b9"
 }

package/assets/skills/frontend-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Frontend architecture: reusable components, abstraction thresholds, state management, and optimistic UI with rollback.",
-  "cliVersion": "1.1.0",
+  "cliVersion": "1.1.2",
   "sha": "b0355b0e15f9f528d32adf19f0722d2727cd64d6b3544307ecc7a3141338f023"
 }

package/assets/skills/git-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.2.0",
   "provider": "FJRG2007/enigma",
   "description": "Git & contribution policy (senior engineering standards).",
-  "cliVersion": "1.1.0",
+  "cliVersion": "1.1.2",
   "sha": "ada4b7eb5bb7e013429e23703c271c0f34b0d76327c059efa148ea2794f96178"
 }

package/assets/skills/security-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Application and AI-agent security: secrets, authn/authz (least privilege), OWASP Top 10, transport/crypto baseline, secure logging, and agent/MCP/tool-use safety.",
-  "cliVersion": "1.1.0",
+  "cliVersion": "1.1.2",
   "sha": "9971e9d9127397d0152e89d24aad3191e2935e55a8483db7fd15f5d4d7a60e7a"
 }

package/assets/skills/testing-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Test strategy, coverage gates, deterministic tests, mocking discipline, and regression-first bug fixing.",
-  "cliVersion": "1.1.0",
+  "cliVersion": "1.1.2",
   "sha": "d19fa8ec7985ed231478be504d3c80360897f555d0bc0624bea19c091f459fb0"
 }

package/assets/skills/validation-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Strict frontend + backend schema validation, schema consistency, and safe client-facing error handling.",
-  "cliVersion": "1.1.0",
+  "cliVersion": "1.1.2",
   "sha": "a33622a2f810ee4cea39824cb1a7ca34b355a917d4224025df50d77dd74f0b3a"
 }

package/dist/enigma.js

@@ -1,9 +1,9 @@
 #!/usr/bin/env node
 
 // src/cli.ts
-import { dirname as dirname4, join as join9 } from "path";
+import { dirname as dirname4, join as join10 } from "path";
 import { fileURLToPath as fileURLToPath4 } from "url";
-import * as p4 from "@clack/prompts";
+import * as p6 from "@clack/prompts";
 
 // src/util.ts
 import { existsSync, statSync, readFileSync } from "fs";
@@ -257,6 +257,54 @@ function disableClaudeAttribution(scope) {
   writeFileSync2(path, JSON.stringify(next, null, 2) + "\n");
   return true;
 }
+function getClaudeAttribution(scope) {
+  const current = readJson(claudeSettingsPath(scope)) || {};
+  const attribution = current.attribution;
+  const disabled = Boolean(attribution) && attribution.commit === "" && attribution.pr === "" && current.includeCoAuthoredBy === false;
+  return !disabled;
+}
+function setClaudeAttribution(scope, enabled) {
+  if (!enabled) return disableClaudeAttribution(scope);
+  const path = claudeSettingsPath(scope);
+  const current = readJson(path) || {};
+  const attribution = typeof current.attribution === "object" && current.attribution !== null ? { ...current.attribution } : {};
+  let changed = false;
+  if (attribution.commit === "") {
+    delete attribution.commit;
+    changed = true;
+  }
+  if (attribution.pr === "") {
+    delete attribution.pr;
+    changed = true;
+  }
+  if (current.includeCoAuthoredBy === false) changed = true;
+  if (!changed) return false;
+  const next = { ...current };
+  if (Object.keys(attribution).length) next.attribution = attribution;
+  else delete next.attribution;
+  delete next.includeCoAuthoredBy;
+  writeClaudeSettings(path, next);
+  return true;
+}
+function getClaudeBypass(scope) {
+  const current = readJson(claudeSettingsPath(scope)) || {};
+  const permissions = current.permissions;
+  return Boolean(permissions) && permissions.defaultMode === "bypassPermissions";
+}
+function setClaudeBypass(scope, on, dryRun) {
+  if (on) return enableClaudeBypass(scope, dryRun);
+  const path = claudeSettingsPath(scope);
+  const current = readJson(path) || {};
+  const permissions = typeof current.permissions === "object" && current.permissions !== null ? { ...current.permissions } : {};
+  if (permissions.defaultMode !== "bypassPermissions") return { path, changed: false };
+  if (dryRun) return { path, changed: true };
+  delete permissions.defaultMode;
+  const next = { ...current };
+  if (Object.keys(permissions).length) next.permissions = permissions;
+  else delete next.permissions;
+  writeClaudeSettings(path, next);
+  return { path, changed: true };
+}
 function enableClaudeBypass(scope, dryRun) {
   const path = claudeSettingsPath(scope);
   const current = readJson(path) || {};
@@ -264,10 +312,13 @@ function enableClaudeBypass(scope, dryRun) {
   if (permissions.defaultMode === "bypassPermissions") return { path, changed: false };
   if (dryRun) return { path, changed: true };
   const next = { ...current, permissions: { ...permissions, defaultMode: "bypassPermissions" } };
+  writeClaudeSettings(path, next);
+  return { path, changed: true };
+}
+function writeClaudeSettings(path, data) {
   const dir = join4(path, "..");
   if (!isDir(dir)) mkdirSync2(dir, { recursive: true });
-  writeFileSync2(path, JSON.stringify(next, null, 2) + "\n");
-  return { path, changed: true };
+  writeFileSync2(path, JSON.stringify(data, null, 2) + "\n");
 }
 
 // src/permissions.ts
@@ -323,6 +374,74 @@ function enableFor(name, scope, dryRun) {
       return null;
   }
 }
+function getBypass(name, scope) {
+  switch (name) {
+    case "claude":
+      return getClaudeBypass(scope);
+    case "codex":
+      return getCodexBypass();
+    case "opencode":
+      return getOpencodeBypass(scope);
+    default:
+      return false;
+  }
+}
+function setBypass(name, scope, on, dryRun) {
+  switch (name) {
+    case "claude":
+      return setClaudeBypass(scope, on, dryRun);
+    case "codex":
+      return on ? enableCodexBypass(dryRun) : disableCodexBypass(dryRun);
+    case "opencode":
+      return on ? enableOpencodeBypass(scope, dryRun) : disableOpencodeBypass(scope, dryRun);
+    default:
+      return null;
+  }
+}
+function getCodexBypass() {
+  const path = join5(homedir3(), ".codex", "config.toml");
+  const content = existsSync4(path) ? readFileSync2(path, "utf8") : "";
+  return getTomlTopLevelKey(content, "approval_policy") === '"never"';
+}
+function disableCodexBypass(dryRun) {
+  const path = join5(homedir3(), ".codex", "config.toml");
+  const before = existsSync4(path) ? readFileSync2(path, "utf8") : "";
+  let after = removeTomlTopLevelKey(before, "approval_policy");
+  after = removeTomlTopLevelKey(after, "sandbox_mode");
+  const changed = after !== before;
+  if (changed && !dryRun) writeFileSync3(path, after);
+  return { path, changed };
+}
+function getOpencodeBypass(scope) {
+  const path = opencodeConfigPath(scope);
+  const perm = (readJson(path) || {}).permission;
+  return perm === "allow" || typeof perm === "object" && perm !== null && perm["*"] === "allow";
+}
+function disableOpencodeBypass(scope, dryRun) {
+  const path = opencodeConfigPath(scope);
+  const current = readJson(path) || {};
+  const perm = current.permission;
+  if (!getOpencodeBypass(scope)) return { path, changed: false };
+  if (dryRun) return { path, changed: true };
+  const next = { ...current };
+  if (typeof perm === "object" && perm !== null) {
+    const rest = {};
+    for (const k of Object.keys(perm)) {
+      if (k !== "*") rest[k] = perm[k];
+    }
+    if (Object.keys(rest).length) next.permission = rest;
+    else delete next.permission;
+  } else {
+    delete next.permission;
+  }
+  const dir = join5(path, "..");
+  if (!isDir(dir)) mkdirSync3(dir, { recursive: true });
+  writeFileSync3(path, JSON.stringify(next, null, 2) + "\n");
+  return { path, changed: true };
+}
+function opencodeConfigPath(scope) {
+  return scope === "global" ? join5(homedir3(), ".config", "opencode", "opencode.json") : join5(process.cwd(), "opencode.json");
+}
 function enableCodexBypass(dryRun) {
   const path = join5(homedir3(), ".codex", "config.toml");
   const before = existsSync4(path) ? readFileSync2(path, "utf8") : "";
@@ -337,7 +456,7 @@ function enableCodexBypass(dryRun) {
   return { path, changed };
 }
 function enableOpencodeBypass(scope, dryRun) {
-  const path = scope === "global" ? join5(homedir3(), ".config", "opencode", "opencode.json") : join5(process.cwd(), "opencode.json");
+  const path = opencodeConfigPath(scope);
   const current = readJson(path) || {};
   const perm = current.permission;
   const alreadyAllowAll = perm === "allow" || typeof perm === "object" && perm !== null && perm["*"] === "allow";
@@ -372,6 +491,27 @@ function setTomlTopLevelKey(content, key, tomlValue) {
   lines.splice(insertAt, 0, ...followsTable ? [assign, ""] : [assign]);
   return normalizeTrailingNewline(lines.join("\n"));
 }
+function getTomlTopLevelKey(content, key) {
+  const lines = content.split("\n");
+  const firstTable = lines.findIndex((l) => /^\s*\[/.test(l));
+  const scanEnd = firstTable === -1 ? lines.length : firstTable;
+  const keyRe = new RegExp(`^\\s*${key}\\s*=\\s*(.+?)\\s*$`);
+  for (let i = 0; i < scanEnd; i++) {
+    const m = keyRe.exec(lines[i]);
+    if (m) return m[1];
+  }
+  return null;
+}
+function removeTomlTopLevelKey(content, key) {
+  if (content.trim() === "") return content;
+  const lines = content.split("\n");
+  const firstTable = lines.findIndex((l) => /^\s*\[/.test(l));
+  const scanEnd = firstTable === -1 ? lines.length : firstTable;
+  const keyRe = new RegExp(`^\\s*${key}\\s*=`);
+  const kept = lines.filter((l, i) => !(i < scanEnd && keyRe.test(l)));
+  if (kept.length === lines.length) return content;
+  return normalizeTrailingNewline(kept.join("\n"));
+}
 function normalizeTrailingNewline(s) {
   return `${s.replace(/\s+$/, "")}
 `;
@@ -920,14 +1060,15 @@ if (isGuardEntry && fileURLToPath3(import.meta.url) === guardEntry) {
   process.exit(runGuardCli(process.argv.includes("--all")));
 }
 
+// src/settings.ts
+import * as p4 from "@clack/prompts";
+
 // src/config.ts
 import { homedir as homedir4 } from "os";
 import { join as join8 } from "path";
 import { existsSync as existsSync6, mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
 var CONFIG_FILE = ".enigma.json";
-var CONFIG_DEFAULTS = { commitEmoji: true };
-var BOOLEAN_KEYS = ["commitEmoji"];
-var CLI_KEYS = { "commit-emoji": "commitEmoji" };
+var CONFIG_DEFAULTS = { commitEmoji: true, updateNotifier: true };
 function configPath(scope) {
   return scope === "global" ? join8(homedir4(), CONFIG_FILE) : join8(process.cwd(), CONFIG_FILE);
 }
@@ -944,13 +1085,7 @@ function readConfig() {
   }
   return { config, sources };
 }
-function parseBool(value) {
-  const v = value.toLowerCase();
-  if (["on", "true", "yes", "1", "enable", "enabled"].includes(v)) return true;
-  if (["off", "false", "no", "0", "disable", "disabled"].includes(v)) return false;
-  return null;
-}
-function setValue(scope, key, value) {
+function setEnigmaToggle(key, value, scope) {
   const path = configPath(scope);
   const current = readJson(path) || {};
   const next = { ...current, [key]: value };
@@ -959,26 +1094,156 @@ function setValue(scope, key, value) {
   writeFileSync5(path, JSON.stringify(next, null, 2) + "\n");
   return path;
 }
-function runConfigCli(positionals, scope) {
+
+// src/settings.ts
+function enigmaToggle(key, field, label, hint) {
+  return {
+    key,
+    label,
+    hint,
+    read: () => readConfig().config[field],
+    write: (value, scope) => ({ path: setEnigmaToggle(field, value, scope), changed: true })
+  };
+}
+var CATEGORIES = [
+  {
+    title: "General",
+    blurb: "enigma runtime toggles (.enigma.json)",
+    settings: [
+      enigmaToggle("commit-emoji", "commitEmoji", "Commit subject emoji", "leading gitmoji on commit subjects"),
+      enigmaToggle("update-notifier", "updateNotifier", "Update notifications", "notify when a newer enigma-cli is published")
+    ]
+  },
+  {
+    title: "Git & attribution",
+    blurb: "how the coding agent attributes its work in git",
+    settings: [
+      {
+        key: "claude-attribution",
+        label: "Claude commit attribution",
+        hint: "let Claude Code commit as its own contributor (Co-Authored-By / PR footer); enigma default: off",
+        read: (scope) => getClaudeAttribution(scope),
+        write: (value, scope) => ({ changed: setClaudeAttribution(scope, value) })
+      }
+    ]
+  },
+  {
+    title: "Permissions",
+    blurb: "approval-prompt bypass per agent (security trade-off)",
+    settings: BYPASS_SUPPORTED.map((name) => ({
+      key: `bypass-${name}`,
+      label: `${AGENTS[name]?.label || name} approval bypass`,
+      hint: name === "codex" ? "skip approval prompts (global ~/.codex only)" : "skip per-action approval prompts",
+      globalOnly: name === "codex",
+      read: (scope) => getBypass(name, scope),
+      write: (value, scope) => setBypass(name, scope, value, false) || { changed: false }
+    }))
+  }
+];
+var ALL_SETTINGS = CATEGORIES.flatMap((c) => c.settings);
+function valueLabel(on) {
+  return on ? "on" : "off";
+}
+function parseBool(value) {
+  const v = value.toLowerCase();
+  if (["on", "true", "yes", "1", "enable", "enabled"].includes(v)) return true;
+  if (["off", "false", "no", "0", "disable", "disabled"].includes(v)) return false;
+  return null;
+}
+async function runSettingsMenu() {
+  for (; ; ) {
+    const choice = await p4.select({
+      message: "Settings - choose a category",
+      options: [
+        ...CATEGORIES.map((c) => ({ value: c.title, label: c.title, hint: c.blurb })),
+        { value: "__back", label: "< Back" }
+      ]
+    });
+    if (p4.isCancel(choice) || choice === "__back") return;
+    await runCategory(CATEGORIES.find((c) => c.title === choice));
+  }
+}
+async function runCategory(category) {
+  for (; ; ) {
+    const choice = await p4.select({
+      message: `${category.title} - ${category.blurb}`,
+      options: [
+        ...category.settings.map((s) => ({
+          value: s.key,
+          label: `${s.label}: ${valueLabel(s.read("global"))}`,
+          hint: s.hint
+        })),
+        { value: "__back", label: "< Back" }
+      ]
+    });
+    if (p4.isCancel(choice) || choice === "__back") return;
+    await editSetting(category.settings.find((s) => s.key === choice));
+  }
+}
+async function editSetting(setting) {
+  let scope = "global";
+  if (!setting.globalOnly) {
+    const picked2 = await p4.select({
+      message: `Apply "${setting.label}" to which scope?`,
+      options: [
+        { value: "global", label: "Global", hint: "all projects (~)" },
+        { value: "local", label: "This project", hint: "current directory" }
+      ],
+      initialValue: "global"
+    });
+    if (p4.isCancel(picked2)) return;
+    scope = picked2;
+  }
+  const current = setting.read(scope);
+  const picked = await p4.select({
+    message: `${setting.label} (${scope})`,
+    options: [{ value: "on", label: "On" }, { value: "off", label: "Off" }],
+    initialValue: current ? "on" : "off"
+  });
+  if (p4.isCancel(picked)) return;
+  const value = picked === "on";
+  if (value === current) {
+    p4.log.info(`${setting.label}: unchanged (${valueLabel(current)}).`);
+    return;
+  }
+  const result = setting.write(value, scope);
+  if (result.changed) {
+    const where = result.path ? ` -> ${result.path}` : "";
+    p4.log.success(`${setting.label}: ${valueLabel(value)} (${scope})${where}.`);
+  } else {
+    p4.log.info(`${setting.label}: already ${valueLabel(value)} (${scope}).`);
+  }
+}
+function printEffective() {
+  console.log("Effective enigma settings:\n");
+  for (const category of CATEGORIES) {
+    console.log(`${category.title}:`);
+    for (const s of category.settings) console.log(`  ${s.key}: ${valueLabel(s.read("global"))}`);
+    console.log("");
+  }
+  const { sources } = readConfig();
+  console.log(sources.length ? `.enigma.json sources: ${sources.join(", ")}` : ".enigma.json: built-in defaults (no file found)");
+  console.log("Agent settings (attribution, bypass) reflect each agent's own config at the global scope.");
+}
+async function runConfigCli(positionals, scope, interactive) {
   const [rawKey, rawValue] = positionals;
   if (!rawKey) {
-    const { config, sources } = readConfig();
-    console.log("Effective enigma config:");
-    for (const k of BOOLEAN_KEYS) {
-      const cliKey = Object.keys(CLI_KEYS).find((c) => CLI_KEYS[c] === k) || k;
-      console.log(`  ${cliKey}: ${config[k]}`);
+    if (interactive) {
+      p4.intro("enigma config");
+      await runSettingsMenu();
+      p4.outro("Done.");
+    } else {
+      printEffective();
     }
-    console.log(sources.length ? `
-From: ${sources.join(", ")}` : "\nFrom: built-in defaults (no .enigma.json found)");
     return 0;
   }
-  const key = CLI_KEYS[rawKey];
-  if (!key) {
-    console.error(`Unknown config key: ${rawKey}. Known keys: ${Object.keys(CLI_KEYS).join(", ")}.`);
+  const setting = ALL_SETTINGS.find((s) => s.key === rawKey);
+  if (!setting) {
+    console.error(`Unknown config key: ${rawKey}. Known keys: ${ALL_SETTINGS.map((s) => s.key).join(", ")}.`);
     return 1;
   }
   if (rawValue === void 0) {
-    console.error(`Missing value for '${rawKey}'. Usage: enigma config ${rawKey} <on|off>`);
+    console.error(`Missing value for '${rawKey}'. Usage: enigma config ${rawKey} <on|off> [-g|-l]`);
     return 1;
   }
   const value = parseBool(rawValue);
@@ -986,15 +1251,113 @@ From: ${sources.join(", ")}` : "\nFrom: built-in defaults (no .enigma.json found
     console.error(`Invalid value '${rawValue}' for '${rawKey}'. Use on or off.`);
     return 1;
   }
-  const target = scope || "global";
-  const path = setValue(target, key, value);
-  console.log(`Set ${rawKey} = ${value ? "on" : "off"} (${target}) in ${path}.`);
+  const target = setting.globalOnly ? "global" : scope || "global";
+  const result = setting.write(value, target);
+  const where = result.path ? ` in ${result.path}` : "";
+  console.log(`Set ${rawKey} = ${valueLabel(value)} (${target})${where}.`);
   return 0;
 }
 
+// src/update.ts
+import { homedir as homedir5 } from "os";
+import { join as join9 } from "path";
+import { writeFileSync as writeFileSync6 } from "fs";
+import { spawn, spawnSync } from "child_process";
+import * as p5 from "@clack/prompts";
+var REGISTRY_URL = "https://registry.npmjs.org/enigma-cli/latest";
+var UPDATE_COMMAND = "npm i -g enigma-cli@latest";
+var CACHE_FILE = join9(homedir5(), ".enigma-update-check.json");
+var CHECK_INTERVAL_MS = 24 * 60 * 60 * 1e3;
+var CHILD_SCRIPT = [
+  "const fs = require('fs');",
+  "const ctrl = new AbortController();",
+  "const t = setTimeout(() => ctrl.abort(), 5000);",
+  "fetch(process.env.E_URL, { signal: ctrl.signal, headers: { 'user-agent': 'enigma-cli-update-check' } })",
+  "  .then((r) => (r.ok ? r.json() : null))",
+  "  .then((d) => { if (d && d.version) fs.writeFileSync(process.env.E_FILE, JSON.stringify({ latest: d.version, checkedAt: Date.now() })); })",
+  "  .catch(() => {})",
+  "  .finally(() => clearTimeout(t));"
+].join("\n");
+function parseVersion(version) {
+  const core = String(version).trim().replace(/^v/, "").split("-")[0];
+  const [major, minor, patch] = core.split(".").map((n) => parseInt(n, 10) || 0);
+  return [major || 0, minor || 0, patch || 0];
+}
+function isNewer(latest, current) {
+  const a = parseVersion(latest);
+  const b = parseVersion(current);
+  for (let i = 0; i < 3; i++) {
+    if (a[i] > b[i]) return true;
+    if (a[i] < b[i]) return false;
+  }
+  return false;
+}
+function paint(text, code) {
+  return process.stdout.isTTY && !process.env.NO_COLOR ? `\x1B[${code}m${text}\x1B[0m` : text;
+}
+function renderUpdateBox(current, latest) {
+  const lines = [
+    { text: `Update available  ${current} -> ${latest}`, color: "1;33" },
+    { text: `Run ${UPDATE_COMMAND} to update`, color: "36" }
+  ];
+  const width = Math.max(...lines.map((l) => l.text.length));
+  const border = `+${"-".repeat(width + 4)}+`;
+  const blank = `|${" ".repeat(width + 4)}|`;
+  const rows = lines.map((l) => `|${paint(`  ${l.text}${" ".repeat(width - l.text.length)}  `, l.color)}|`);
+  return [border, blank, ...rows, blank, border].join("\n");
+}
+function readCache() {
+  return readJson(CACHE_FILE);
+}
+function scheduleUpdateCheck() {
+  try {
+    const cache = readCache();
+    if (cache && Date.now() - cache.checkedAt < CHECK_INTERVAL_MS) return;
+    writeFileSync6(CACHE_FILE, JSON.stringify({ latest: cache?.latest ?? null, checkedAt: Date.now() }));
+    const child = spawn(process.execPath, ["-e", CHILD_SCRIPT], {
+      detached: true,
+      stdio: "ignore",
+      windowsHide: true,
+      env: { ...process.env, E_URL: REGISTRY_URL, E_FILE: CACHE_FILE }
+    });
+    child.unref();
+  } catch {
+  }
+}
+function runUpdate() {
+  try {
+    const result = spawnSync("npm", ["i", "-g", "enigma-cli@latest"], {
+      stdio: "inherit",
+      shell: process.platform === "win32"
+    });
+    if (result.status === 0) console.log("Updated. Re-run your command to use the new version.");
+    else console.log(`Update did not complete. Run '${UPDATE_COMMAND}' manually.`);
+  } catch {
+    console.log(`Could not run the update. Run '${UPDATE_COMMAND}' manually.`);
+  }
+}
+async function notifyUpdate(current, interactive) {
+  if (!process.stdout.isTTY || process.env.CI) return;
+  try {
+    if (!readConfig().config.updateNotifier) return;
+    scheduleUpdateCheck();
+    const cache = readCache();
+    const latest = cache?.latest ? String(cache.latest).replace(/[^\w.+-]/g, "") : "";
+    if (!latest || !isNewer(latest, current)) return;
+    process.stdout.write(`
+${renderUpdateBox(current, latest)}
+`);
+    if (!interactive) return;
+    const ok = await p5.confirm({ message: `Update now with ${UPDATE_COMMAND}?`, initialValue: true });
+    if (p5.isCancel(ok) || !ok) return;
+    runUpdate();
+  } catch {
+  }
+}
+
 // src/cli.ts
 var __dirname3 = dirname4(fileURLToPath4(import.meta.url));
-var PKG = readJson(join9(__dirname3, "..", "package.json")) || {};
+var PKG = readJson(join10(__dirname3, "..", "package.json")) || {};
 var COMMANDS = /* @__PURE__ */ new Set(["install", "security", "guard", "seal", "check", "config", "help", "version"]);
 function parseArgs(argv) {
   const opts = {
@@ -1103,15 +1466,19 @@ Usage:
   enigma [command] [options]
 
 Commands:
-  (none)               Interactive menu: pick which features to set up
+  (none)               Interactive hub: configure settings or set up features
   install              Install/update agent skills (Claude Code, Codex, opencode)
   security             Set up git security hooks in the current repo
   guard [--all]        Run the commit guard (staged files, or --all for every tracked file)
-  config [key val]     Show/set runtime toggles (e.g. config commit-emoji off)
+  config [key val]     Configure settings: no args opens the interactive menu;
+                       'config <key> <on|off> [-g|-l]' sets one (e.g. config claude-attribution on)
   seal                 Maintenance: (re)compute skill content hashes
   check                Integrity gate: verify skills are well-formed and sealed
   help, version
 
+Config keys: commit-emoji, update-notifier, claude-attribution,
+             bypass-claude, bypass-codex, bypass-opencode
+
 Install options:
   -g, --global         Install at user level
   -l, --local          Install into the current project
@@ -1142,12 +1509,16 @@ Examples:
 }
 async function run(argv) {
   const opts = parseArgs(argv);
+  const interactive = Boolean(process.stdout.isTTY) && !opts.yes;
+  const version = PKG.version || "0.0.0";
   if (opts.help || opts.command === "help") {
     printHelp();
+    await notifyUpdate(version, interactive);
     return;
   }
   if (opts.version || opts.command === "version") {
-    console.log(PKG.version || "0.0.0");
+    console.log(version);
+    await notifyUpdate(version, interactive);
     return;
   }
   if (opts.command === "seal") return sealSources();
@@ -1156,44 +1527,45 @@ async function run(argv) {
     process.exit(runGuardCli(opts.all));
   }
   if (opts.command === "config") {
-    process.exit(runConfigCli(opts.positionals, opts.scope));
+    process.exit(await runConfigCli(opts.positionals, opts.scope, interactive));
   }
-  const interactive = Boolean(process.stdout.isTTY) && !opts.yes;
   if (opts.command === "install") {
-    p4.intro("enigma - install agent skills");
+    p6.intro("enigma - install agent skills");
     await installSkills(opts, interactive);
-    p4.outro("Done.");
+    p6.outro("Done.");
+    await notifyUpdate(version, interactive);
     return;
   }
   if (opts.command === "security") {
-    p4.intro("enigma - git security hooks");
+    p6.intro("enigma - git security hooks");
     const done = await setupGitHooks(opts, interactive);
-    p4.outro(done ? "Git hooks configured." : "No changes made.");
+    p6.outro(done ? "Git hooks configured." : "No changes made.");
+    await notifyUpdate(version, interactive);
+    return;
+  }
+  if (!interactive) {
+    await installSkills(opts, interactive);
+    await notifyUpdate(version, interactive);
     return;
   }
-  p4.intro("enigma");
-  let features;
-  if (interactive) {
-    const r = await p4.multiselect({
-      message: "What do you want to set up?",
+  p6.intro("enigma");
+  for (; ; ) {
+    const action = await p6.select({
+      message: "What would you like to do?",
       options: [
-        { value: "skills", label: "Agent skills", hint: "Claude Code, Codex, opencode" },
-        { value: "security", label: "Git security hooks", hint: "block secrets, .env, node_modules on commit" }
-      ],
-      initialValues: ["skills"],
-      required: true
+        { value: "config", label: "Configure settings", hint: "emoji, attribution, permission bypass, ..." },
+        { value: "skills", label: "Install agent skills", hint: "Claude Code, Codex, opencode" },
+        { value: "security", label: "Git security hooks", hint: "block secrets, .env, node_modules on commit" },
+        { value: "exit", label: "Exit" }
+      ]
     });
-    if (p4.isCancel(r)) {
-      p4.cancel("Aborted.");
-      return;
-    }
-    features = r;
-  } else {
-    features = ["skills"];
+    if (p6.isCancel(action) || action === "exit") break;
+    if (action === "config") await runSettingsMenu();
+    else if (action === "skills") await installSkills(opts, interactive);
+    else if (action === "security") await setupGitHooks(opts, interactive);
   }
-  if (features.includes("skills")) await installSkills(opts, interactive);
-  if (features.includes("security")) await setupGitHooks(opts, interactive);
-  p4.outro("Done.");
+  p6.outro("Done.");
+  await notifyUpdate(version, interactive);
 }
 
 // src/bin/enigma.ts

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "enigma-cli",
-  "version": "1.1.0",
+  "version": "1.1.2",
   "description": "Everything you need to work with a coding agent: install shared policy skills for Claude Code, OpenAI Codex and opencode, and set up portable git security hooks.",
   "type": "module",
   "bin": {