enigma-cli 1.1.1 → 1.1.3

package/assets/skills/backend-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Backend/API architecture: controller-service-repository layering, API and request optimization, server-side caching (Redis), and Zod boundary validation.",
-  "cliVersion": "1.1.1",
+  "cliVersion": "1.1.3",
   "sha": "c442bc9e39a7710cb709ef2abb8d15ecd8aa16ed4f5c8af92b7af6877401cba4"
 }

package/assets/skills/ciphera-style-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.1.0",
   "provider": "FJRG2007/enigma",
   "description": "Ciphera code style conventions (formatting, naming, imports, comments, code-level anti-patterns; TypeScript-first, language-agnostic).",
-  "cliVersion": "1.1.1",
+  "cliVersion": "1.1.3",
   "sha": "f8602bb79fbbe063ab39fbd59d0b7844a22c3a1583fcd11c1b4f98a2fe8ddc86"
 }

package/assets/skills/code-review-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Pre-delivery self-review gate, prioritized review dimensions, and change-quality criteria.",
-  "cliVersion": "1.1.1",
+  "cliVersion": "1.1.3",
   "sha": "3d3bbe0602d5bbb4afe37648fe3c2fa39376b1bcbac5d8c441f01fad1e866ed0"
 }

package/assets/skills/core-engineering-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.4.0",
   "provider": "FJRG2007/enigma",
   "description": "Core engineering execution policy and harness orchestration (highest-authority rules).",
-  "cliVersion": "1.1.1",
+  "cliVersion": "1.1.3",
   "sha": "c9c69c59516794311cb7b306ed4d4ad971824de3689a39c2b86c7669c73f2e8b"
 }

package/assets/skills/database-expert/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Senior database architecture policy: query optimization, anti-duplication/normalization, scalability, and RGPD/GDPR encryption.",
-  "cliVersion": "1.1.1",
+  "cliVersion": "1.1.3",
   "sha": "c4617ee8d1a57d9621c81bef3093e94de91f79eec0cc0ead41f6d18dd443e623"
 }

package/assets/skills/debugging-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Reproduce-isolate-fix debugging methodology with root-cause discipline and regression verification.",
-  "cliVersion": "1.1.1",
+  "cliVersion": "1.1.3",
   "sha": "14b0064c8b33a0dc85e51464b05005cf5801c756b1101789a6924b9548420f6b"
 }

package/assets/skills/dependency-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Dependency and supply-chain security: lockfiles and reproducible installs, version pinning, vulnerability auditing, vetting/minimizing packages, vendoring, and SBOM/provenance.",
-  "cliVersion": "1.1.1",
+  "cliVersion": "1.1.3",
   "sha": "6375d835c2aef2c9bd31ce116444dc3d796f510f9970a213aa3ac4696d7e21b9"
 }

package/assets/skills/frontend-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Frontend architecture: reusable components, abstraction thresholds, state management, and optimistic UI with rollback.",
-  "cliVersion": "1.1.1",
+  "cliVersion": "1.1.3",
   "sha": "b0355b0e15f9f528d32adf19f0722d2727cd64d6b3544307ecc7a3141338f023"
 }

package/assets/skills/git-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.2.0",
   "provider": "FJRG2007/enigma",
   "description": "Git & contribution policy (senior engineering standards).",
-  "cliVersion": "1.1.1",
+  "cliVersion": "1.1.3",
   "sha": "ada4b7eb5bb7e013429e23703c271c0f34b0d76327c059efa148ea2794f96178"
 }

package/assets/skills/security-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Application and AI-agent security: secrets, authn/authz (least privilege), OWASP Top 10, transport/crypto baseline, secure logging, and agent/MCP/tool-use safety.",
-  "cliVersion": "1.1.1",
+  "cliVersion": "1.1.3",
   "sha": "9971e9d9127397d0152e89d24aad3191e2935e55a8483db7fd15f5d4d7a60e7a"
 }

package/assets/skills/testing-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Test strategy, coverage gates, deterministic tests, mocking discipline, and regression-first bug fixing.",
-  "cliVersion": "1.1.1",
+  "cliVersion": "1.1.3",
   "sha": "d19fa8ec7985ed231478be504d3c80360897f555d0bc0624bea19c091f459fb0"
 }

package/assets/skills/validation-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Strict frontend + backend schema validation, schema consistency, and safe client-facing error handling.",
-  "cliVersion": "1.1.1",
+  "cliVersion": "1.1.3",
   "sha": "a33622a2f810ee4cea39824cb1a7ca34b355a917d4224025df50d77dd74f0b3a"
 }

package/dist/enigma.js

@@ -1,9 +1,13 @@
 #!/usr/bin/env node
-
-// src/cli.ts
-import { dirname as dirname4, join as join10 } from "path";
-import { fileURLToPath as fileURLToPath4 } from "url";
-import * as p5 from "@clack/prompts";
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
 
 // src/util.ts
 import { existsSync, statSync, readFileSync } from "fs";
@@ -27,58 +31,20 @@ function isOnPath(bin) {
   const exts = sep === "\\" ? (process.env.PATHEXT || ".EXE;.CMD;.BAT;.COM").split(";").map((e) => e.toLowerCase()) : [""];
   return dirs.some((d) => exts.some((ext) => existsSync(join(d, bin + ext))));
 }
-
-// src/skills.ts
-import { existsSync as existsSync5, readdirSync, readFileSync as readFileSync3, writeFileSync as writeFileSync4, cpSync as cpSync2, mkdirSync as mkdirSync4, rmSync } from "fs";
-import { dirname as dirname2, join as join6, resolve as resolve2, relative as relative2, sep as sep2 } from "path";
-import { fileURLToPath as fileURLToPath2 } from "url";
-import { createHash } from "crypto";
-import * as p3 from "@clack/prompts";
+var init_util = __esm({
+  "src/util.ts"() {
+    "use strict";
+  }
+});
 
 // src/agents.ts
 import { homedir } from "os";
 import { join as join2 } from "path";
 import { existsSync as existsSync2 } from "fs";
 import { execFileSync } from "child_process";
-var HOME = homedir();
-var MANAGED_PROVIDER = "FJRG2007/enigma";
-var LEGACY_PROVIDERS = ["FJRG2007"];
 function isManagedProvider(provider) {
   return provider === MANAGED_PROVIDER || typeof provider === "string" && LEGACY_PROVIDERS.includes(provider);
 }
-var AGENTS = {
-  claude: {
-    label: "Claude Code",
-    memoryFile: "CLAUDE.md",
-    detect: { bins: ["claude"], dirs: [join2(HOME, ".claude")] },
-    targets: {
-      global: { skills: join2(HOME, ".claude", "skills"), memory: join2(HOME, ".claude") },
-      local: { skills: join2(process.cwd(), ".claude", "skills"), memory: process.cwd() }
-    }
-  },
-  codex: {
-    label: "OpenAI Codex",
-    memoryFile: "AGENTS.md",
-    // Codex reads AGENTS.md from its home (~/.codex) and project root, but
-    // discovers skills from the shared `.agents/skills` location, not ~/.codex/skills.
-    detect: { bins: ["codex"], dirs: [join2(HOME, ".codex")] },
-    targets: {
-      global: { skills: join2(HOME, ".agents", "skills"), memory: join2(HOME, ".codex") },
-      local: { skills: join2(process.cwd(), ".agents", "skills"), memory: process.cwd() }
-    }
-  },
-  opencode: {
-    label: "opencode",
-    memoryFile: "AGENTS.md",
-    // opencode reads AGENTS.md from ~/.config/opencode (global) or the project
-    // root (local); skills from ~/.config/opencode/skills and .opencode/skills.
-    detect: { bins: ["opencode"], dirs: [join2(HOME, ".config", "opencode"), join2(HOME, ".opencode")] },
-    targets: {
-      global: { skills: join2(HOME, ".config", "opencode", "skills"), memory: join2(HOME, ".config", "opencode") },
-      local: { skills: join2(process.cwd(), ".opencode", "skills"), memory: process.cwd() }
-    }
-  }
-};
 function isInstalled(agent) {
   const det = agent.detect || {};
   return (det.dirs || []).some((d) => existsSync2(d)) || (det.bins || []).some((b) => isOnPath(b));
@@ -110,129 +76,49 @@ function runningStatus(agents) {
   }
   return { known: true, running };
 }
-
-// src/security.ts
-import { existsSync as existsSync3, mkdirSync, cpSync, writeFileSync, chmodSync } from "fs";
-import { dirname, join as join3, resolve, relative } from "path";
-import { fileURLToPath } from "url";
-import { execFileSync as execFileSync2 } from "child_process";
-import * as p from "@clack/prompts";
-var __dirname = dirname(fileURLToPath(import.meta.url));
-function findGuardSrc() {
-  const candidates = [
-    join3(__dirname, "guard.js"),
-    join3(__dirname, "..", "dist", "guard.js")
-  ];
-  return candidates.find((c) => existsSync3(c)) ?? null;
-}
-var GUARD_PROTECTIONS = [
-  { value: "secrets", label: "Block committed secrets", hint: "API keys, tokens, private keys" },
-  { value: "envFiles", label: "Block .env files", hint: "allows .env.example / .sample / .template" },
-  { value: "depDirs", label: "Block dependency/cache dirs", hint: "node_modules, __pycache__, venv" },
-  { value: "generatedDirs", label: "Warn on generated dirs", hint: "dist, build, .next, coverage" },
-  { value: "junkFiles", label: "Warn on log / OS junk files", hint: ".log, .DS_Store, Thumbs.db" },
-  { value: "largeFiles", label: "Warn on files over 5 MB", hint: "oversized blobs" }
-];
-function findGitRoot(start) {
-  let dir = resolve(start);
-  for (; ; ) {
-    if (existsSync3(join3(dir, ".git"))) return dir;
-    const parent = dirname(dir);
-    if (parent === dir) return null;
-    dir = parent;
-  }
-}
-function currentHooksPath(root) {
-  try {
-    return execFileSync2("git", ["-C", root, "config", "--get", "core.hooksPath"], { encoding: "utf8" }).trim();
-  } catch {
-    return "";
-  }
-}
-async function setupGitHooks(opts, interactive) {
-  const root = findGitRoot(process.cwd());
-  if (!root) {
-    p.log.error("Not inside a git repository (no .git found). Run this from your project root.");
-    return false;
-  }
-  const guardSrc = findGuardSrc();
-  if (!guardSrc) {
-    p.log.error("Cannot find the built guard (dist/guard.js). Run 'npm run build' first.");
-    return false;
-  }
-  const current = currentHooksPath(root);
-  if (current && current !== ".githooks" && !opts.force) {
-    p.log.warn(`core.hooksPath is already set to '${current}'.`);
-    if (interactive) {
-      const ok = await p.confirm({ message: `Override existing core.hooksPath '${current}' with '.githooks'?` });
-      if (p.isCancel(ok) || !ok) {
-        p.log.info("Left git hooks unchanged.");
-        return false;
+var HOME, MANAGED_PROVIDER, LEGACY_PROVIDERS, AGENTS;
+var init_agents = __esm({
+  "src/agents.ts"() {
+    "use strict";
+    init_util();
+    HOME = homedir();
+    MANAGED_PROVIDER = "FJRG2007/enigma";
+    LEGACY_PROVIDERS = ["FJRG2007"];
+    AGENTS = {
+      claude: {
+        label: "Claude Code",
+        memoryFile: "CLAUDE.md",
+        detect: { bins: ["claude"], dirs: [join2(HOME, ".claude")] },
+        targets: {
+          global: { skills: join2(HOME, ".claude", "skills"), memory: join2(HOME, ".claude") },
+          local: { skills: join2(process.cwd(), ".claude", "skills"), memory: process.cwd() }
+        }
+      },
+      codex: {
+        label: "OpenAI Codex",
+        memoryFile: "AGENTS.md",
+        // Codex reads AGENTS.md from its home (~/.codex) and project root, but
+        // discovers skills from the shared `.agents/skills` location, not ~/.codex/skills.
+        detect: { bins: ["codex"], dirs: [join2(HOME, ".codex")] },
+        targets: {
+          global: { skills: join2(HOME, ".agents", "skills"), memory: join2(HOME, ".codex") },
+          local: { skills: join2(process.cwd(), ".agents", "skills"), memory: process.cwd() }
+        }
+      },
+      opencode: {
+        label: "opencode",
+        memoryFile: "AGENTS.md",
+        // opencode reads AGENTS.md from ~/.config/opencode (global) or the project
+        // root (local); skills from ~/.config/opencode/skills and .opencode/skills.
+        detect: { bins: ["opencode"], dirs: [join2(HOME, ".config", "opencode"), join2(HOME, ".opencode")] },
+        targets: {
+          global: { skills: join2(HOME, ".config", "opencode", "skills"), memory: join2(HOME, ".config", "opencode") },
+          local: { skills: join2(process.cwd(), ".opencode", "skills"), memory: process.cwd() }
+        }
       }
-    } else {
-      p.log.info("Re-run with --force to override.");
-      return false;
-    }
-  }
-  let enabled = opts.protections;
-  if (!enabled && interactive) {
-    const r = await p.multiselect({
-      message: "Which protections should the commit guard enforce?",
-      options: GUARD_PROTECTIONS,
-      initialValues: GUARD_PROTECTIONS.map((o) => o.value),
-      required: true
-    });
-    if (p.isCancel(r)) {
-      p.log.info("Left git hooks unchanged.");
-      return false;
-    }
-    enabled = r;
+    };
   }
-  const config = {};
-  for (const o of GUARD_PROTECTIONS) config[o.value] = enabled ? enabled.includes(o.value) : true;
-  const hooksDir = join3(root, ".githooks");
-  mkdirSync(hooksDir, { recursive: true });
-  cpSync(guardSrc, join3(hooksDir, "guard.mjs"), { force: true });
-  writeFileSync(join3(hooksDir, "enigma-guard.json"), JSON.stringify(config, null, 2) + "\n");
-  const shimPath = join3(hooksDir, "pre-commit");
-  const shim = [
-    "#!/bin/sh",
-    "# Managed by enigma (enigma-cli) - blocks committed secrets, .env files, and dependency dirs.",
-    "# Toggle protections in .githooks/enigma-guard.json. Bypass once: git commit --no-verify",
-    'exec node "$(git rev-parse --show-toplevel)/.githooks/guard.mjs" "$@"',
-    ""
-  ].join("\n");
-  writeFileSync(shimPath, shim);
-  try {
-    chmodSync(shimPath, 493);
-  } catch {
-  }
-  try {
-    chmodSync(join3(hooksDir, "guard.mjs"), 493);
-  } catch {
-  }
-  try {
-    execFileSync2("git", ["-C", root, "config", "core.hooksPath", ".githooks"]);
-  } catch (err) {
-    p.log.error(`Failed to set core.hooksPath: ${err.message}`);
-    return false;
-  }
-  const on = Object.entries(config).filter(([, v]) => v).map(([k]) => k);
-  p.log.success(`Git security hooks installed in ${relative(process.cwd(), hooksDir) || ".githooks"} (core.hooksPath set).`);
-  p.log.info(`Enforcing: ${on.join(", ") || "nothing"}. Commit .githooks/ so your team inherits it.`);
-  if (isOnPath("gh")) {
-    p.log.info("GitHub CLI (gh) detected: these hooks also run for commits made via gh, since gh uses git underneath.");
-  }
-  return true;
-}
-async function maybeOfferGitHooks(interactive, opts) {
-  if (!interactive || opts.security) return;
-  const root = findGitRoot(process.cwd());
-  if (!root) return;
-  if (currentHooksPath(root) === ".githooks") return;
-  const ok = await p.confirm({ message: "Set up git security hooks here too (block secrets, .env, node_modules)?" });
-  if (!p.isCancel(ok) && ok) await setupGitHooks({ ...opts, protections: void 0 }, interactive);
-}
+});
 
 // src/claude.ts
 import { homedir as homedir2 } from "os";
@@ -257,6 +143,54 @@ function disableClaudeAttribution(scope) {
   writeFileSync2(path, JSON.stringify(next, null, 2) + "\n");
   return true;
 }
+function getClaudeAttribution(scope) {
+  const current = readJson(claudeSettingsPath(scope)) || {};
+  const attribution = current.attribution;
+  const disabled = Boolean(attribution) && attribution.commit === "" && attribution.pr === "" && current.includeCoAuthoredBy === false;
+  return !disabled;
+}
+function setClaudeAttribution(scope, enabled) {
+  if (!enabled) return disableClaudeAttribution(scope);
+  const path = claudeSettingsPath(scope);
+  const current = readJson(path) || {};
+  const attribution = typeof current.attribution === "object" && current.attribution !== null ? { ...current.attribution } : {};
+  let changed = false;
+  if (attribution.commit === "") {
+    delete attribution.commit;
+    changed = true;
+  }
+  if (attribution.pr === "") {
+    delete attribution.pr;
+    changed = true;
+  }
+  if (current.includeCoAuthoredBy === false) changed = true;
+  if (!changed) return false;
+  const next = { ...current };
+  if (Object.keys(attribution).length) next.attribution = attribution;
+  else delete next.attribution;
+  delete next.includeCoAuthoredBy;
+  writeClaudeSettings(path, next);
+  return true;
+}
+function getClaudeBypass(scope) {
+  const current = readJson(claudeSettingsPath(scope)) || {};
+  const permissions = current.permissions;
+  return Boolean(permissions) && permissions.defaultMode === "bypassPermissions";
+}
+function setClaudeBypass(scope, on, dryRun) {
+  if (on) return enableClaudeBypass(scope, dryRun);
+  const path = claudeSettingsPath(scope);
+  const current = readJson(path) || {};
+  const permissions = typeof current.permissions === "object" && current.permissions !== null ? { ...current.permissions } : {};
+  if (permissions.defaultMode !== "bypassPermissions") return { path, changed: false };
+  if (dryRun) return { path, changed: true };
+  delete permissions.defaultMode;
+  const next = { ...current };
+  if (Object.keys(permissions).length) next.permissions = permissions;
+  else delete next.permissions;
+  writeClaudeSettings(path, next);
+  return { path, changed: true };
+}
 function enableClaudeBypass(scope, dryRun) {
   const path = claudeSettingsPath(scope);
   const current = readJson(path) || {};
@@ -264,19 +198,26 @@ function enableClaudeBypass(scope, dryRun) {
   if (permissions.defaultMode === "bypassPermissions") return { path, changed: false };
   if (dryRun) return { path, changed: true };
   const next = { ...current, permissions: { ...permissions, defaultMode: "bypassPermissions" } };
+  writeClaudeSettings(path, next);
+  return { path, changed: true };
+}
+function writeClaudeSettings(path, data) {
   const dir = join4(path, "..");
   if (!isDir(dir)) mkdirSync2(dir, { recursive: true });
-  writeFileSync2(path, JSON.stringify(next, null, 2) + "\n");
-  return { path, changed: true };
+  writeFileSync2(path, JSON.stringify(data, null, 2) + "\n");
 }
+var init_claude = __esm({
+  "src/claude.ts"() {
+    "use strict";
+    init_util();
+  }
+});
 
 // src/permissions.ts
 import { homedir as homedir3 } from "os";
 import { join as join5 } from "path";
 import { existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync2, writeFileSync as writeFileSync3 } from "fs";
 import * as p2 from "@clack/prompts";
-var BYPASS_SUPPORTED = ["claude", "codex", "opencode"];
-var BYPASS_DEFAULT_ON = /* @__PURE__ */ new Set(["claude", "codex"]);
 async function resolveBypassSelection(candidates, opts, interactive) {
   const supported = candidates.filter((a) => BYPASS_SUPPORTED.includes(a.name));
   if (!supported.length || opts.noBypass) return [];
@@ -323,6 +264,74 @@ function enableFor(name, scope, dryRun) {
       return null;
   }
 }
+function getBypass(name, scope) {
+  switch (name) {
+    case "claude":
+      return getClaudeBypass(scope);
+    case "codex":
+      return getCodexBypass();
+    case "opencode":
+      return getOpencodeBypass(scope);
+    default:
+      return false;
+  }
+}
+function setBypass(name, scope, on, dryRun) {
+  switch (name) {
+    case "claude":
+      return setClaudeBypass(scope, on, dryRun);
+    case "codex":
+      return on ? enableCodexBypass(dryRun) : disableCodexBypass(dryRun);
+    case "opencode":
+      return on ? enableOpencodeBypass(scope, dryRun) : disableOpencodeBypass(scope, dryRun);
+    default:
+      return null;
+  }
+}
+function getCodexBypass() {
+  const path = join5(homedir3(), ".codex", "config.toml");
+  const content = existsSync4(path) ? readFileSync2(path, "utf8") : "";
+  return getTomlTopLevelKey(content, "approval_policy") === '"never"';
+}
+function disableCodexBypass(dryRun) {
+  const path = join5(homedir3(), ".codex", "config.toml");
+  const before = existsSync4(path) ? readFileSync2(path, "utf8") : "";
+  let after = removeTomlTopLevelKey(before, "approval_policy");
+  after = removeTomlTopLevelKey(after, "sandbox_mode");
+  const changed = after !== before;
+  if (changed && !dryRun) writeFileSync3(path, after);
+  return { path, changed };
+}
+function getOpencodeBypass(scope) {
+  const path = opencodeConfigPath(scope);
+  const perm = (readJson(path) || {}).permission;
+  return perm === "allow" || typeof perm === "object" && perm !== null && perm["*"] === "allow";
+}
+function disableOpencodeBypass(scope, dryRun) {
+  const path = opencodeConfigPath(scope);
+  const current = readJson(path) || {};
+  const perm = current.permission;
+  if (!getOpencodeBypass(scope)) return { path, changed: false };
+  if (dryRun) return { path, changed: true };
+  const next = { ...current };
+  if (typeof perm === "object" && perm !== null) {
+    const rest = {};
+    for (const k of Object.keys(perm)) {
+      if (k !== "*") rest[k] = perm[k];
+    }
+    if (Object.keys(rest).length) next.permission = rest;
+    else delete next.permission;
+  } else {
+    delete next.permission;
+  }
+  const dir = join5(path, "..");
+  if (!isDir(dir)) mkdirSync3(dir, { recursive: true });
+  writeFileSync3(path, JSON.stringify(next, null, 2) + "\n");
+  return { path, changed: true };
+}
+function opencodeConfigPath(scope) {
+  return scope === "global" ? join5(homedir3(), ".config", "opencode", "opencode.json") : join5(process.cwd(), "opencode.json");
+}
 function enableCodexBypass(dryRun) {
   const path = join5(homedir3(), ".codex", "config.toml");
   const before = existsSync4(path) ? readFileSync2(path, "utf8") : "";
@@ -337,7 +346,7 @@ function enableCodexBypass(dryRun) {
   return { path, changed };
 }
 function enableOpencodeBypass(scope, dryRun) {
-  const path = scope === "global" ? join5(homedir3(), ".config", "opencode", "opencode.json") : join5(process.cwd(), "opencode.json");
+  const path = opencodeConfigPath(scope);
   const current = readJson(path) || {};
   const perm = current.permission;
   const alreadyAllowAll = perm === "allow" || typeof perm === "object" && perm !== null && perm["*"] === "allow";
@@ -372,12 +381,416 @@ function setTomlTopLevelKey(content, key, tomlValue) {
   lines.splice(insertAt, 0, ...followsTable ? [assign, ""] : [assign]);
   return normalizeTrailingNewline(lines.join("\n"));
 }
+function getTomlTopLevelKey(content, key) {
+  const lines = content.split("\n");
+  const firstTable = lines.findIndex((l) => /^\s*\[/.test(l));
+  const scanEnd = firstTable === -1 ? lines.length : firstTable;
+  const keyRe = new RegExp(`^\\s*${key}\\s*=\\s*(.+?)\\s*$`);
+  for (let i = 0; i < scanEnd; i++) {
+    const m = keyRe.exec(lines[i]);
+    if (m) return m[1];
+  }
+  return null;
+}
+function removeTomlTopLevelKey(content, key) {
+  if (content.trim() === "") return content;
+  const lines = content.split("\n");
+  const firstTable = lines.findIndex((l) => /^\s*\[/.test(l));
+  const scanEnd = firstTable === -1 ? lines.length : firstTable;
+  const keyRe = new RegExp(`^\\s*${key}\\s*=`);
+  const kept = lines.filter((l, i) => !(i < scanEnd && keyRe.test(l)));
+  if (kept.length === lines.length) return content;
+  return normalizeTrailingNewline(kept.join("\n"));
+}
 function normalizeTrailingNewline(s) {
   return `${s.replace(/\s+$/, "")}
 `;
 }
+var BYPASS_SUPPORTED, BYPASS_DEFAULT_ON;
+var init_permissions = __esm({
+  "src/permissions.ts"() {
+    "use strict";
+    init_agents();
+    init_util();
+    init_claude();
+    BYPASS_SUPPORTED = ["claude", "codex", "opencode"];
+    BYPASS_DEFAULT_ON = /* @__PURE__ */ new Set(["claude", "codex"]);
+  }
+});
+
+// src/config.ts
+import { homedir as homedir4 } from "os";
+import { join as join8 } from "path";
+import { existsSync as existsSync6, mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
+function configPath(scope) {
+  return scope === "global" ? join8(homedir4(), CONFIG_FILE) : join8(process.cwd(), CONFIG_FILE);
+}
+function readConfig() {
+  const sources = [];
+  let config = { ...CONFIG_DEFAULTS };
+  for (const scope of ["global", "local"]) {
+    const path = configPath(scope);
+    const raw = existsSync6(path) ? readJson(path) : null;
+    if (raw) {
+      config = { ...config, ...raw };
+      sources.push(path);
+    }
+  }
+  return { config, sources };
+}
+function setEnigmaToggle(key, value, scope) {
+  const path = configPath(scope);
+  const current = readJson(path) || {};
+  const next = { ...current, [key]: value };
+  const dir = join8(path, "..");
+  if (!isDir(dir)) mkdirSync5(dir, { recursive: true });
+  writeFileSync5(path, JSON.stringify(next, null, 2) + "\n");
+  return path;
+}
+var CONFIG_FILE, CONFIG_DEFAULTS;
+var init_config = __esm({
+  "src/config.ts"() {
+    "use strict";
+    init_util();
+    CONFIG_FILE = ".enigma.json";
+    CONFIG_DEFAULTS = { commitEmoji: true, updateNotifier: true };
+  }
+});
+
+// src/settings-registry.ts
+function enigmaToggle(key, field, label, hint) {
+  return {
+    key,
+    label,
+    hint,
+    read: () => readConfig().config[field],
+    write: (value, scope) => ({ path: setEnigmaToggle(field, value, scope), changed: true })
+  };
+}
+function valueLabel(on) {
+  return on ? "on" : "off";
+}
+function parseBool(value) {
+  const v = value.toLowerCase();
+  if (["on", "true", "yes", "1", "enable", "enabled"].includes(v)) return true;
+  if (["off", "false", "no", "0", "disable", "disabled"].includes(v)) return false;
+  return null;
+}
+var CATEGORIES, ALL_SETTINGS;
+var init_settings_registry = __esm({
+  "src/settings-registry.ts"() {
+    "use strict";
+    init_agents();
+    init_config();
+    init_claude();
+    init_permissions();
+    CATEGORIES = [
+      {
+        title: "General",
+        blurb: "enigma runtime toggles (.enigma.json)",
+        settings: [
+          enigmaToggle("commit-emoji", "commitEmoji", "Commit subject emoji", "leading gitmoji on commit subjects"),
+          enigmaToggle("update-notifier", "updateNotifier", "Update notifications", "notify when a newer enigma-cli is published")
+        ]
+      },
+      {
+        title: "Git & attribution",
+        blurb: "how the coding agent attributes its work in git",
+        settings: [
+          {
+            key: "claude-attribution",
+            label: "Claude commit attribution",
+            hint: "let Claude Code commit as its own contributor (Co-Authored-By / PR footer); enigma default: off",
+            read: (scope) => getClaudeAttribution(scope),
+            write: (value, scope) => ({ changed: setClaudeAttribution(scope, value) })
+          }
+        ]
+      },
+      {
+        title: "Permissions",
+        blurb: "approval-prompt bypass per agent (security trade-off)",
+        settings: BYPASS_SUPPORTED.map((name) => ({
+          key: `bypass-${name}`,
+          label: `${AGENTS[name]?.label || name} approval bypass`,
+          hint: name === "codex" ? "skip approval prompts (global ~/.codex only)" : "skip per-action approval prompts",
+          globalOnly: name === "codex",
+          read: (scope) => getBypass(name, scope),
+          write: (value, scope) => setBypass(name, scope, value, false) || { changed: false }
+        }))
+      }
+    ];
+    ALL_SETTINGS = CATEGORIES.flatMap((c) => c.settings);
+  }
+});
+
+// src/tui/settings.ts
+var settings_exports = {};
+__export(settings_exports, {
+  runSettingsTui: () => runSettingsTui
+});
+async function runSettingsTui() {
+  if (!process.stdout.isTTY) return;
+  const React = (await import("react")).default;
+  const ink = await import("ink");
+  const { render, useApp, useInput } = ink;
+  const Box = ink.Box;
+  const Text = ink.Text;
+  const { useState } = React;
+  const h = React.createElement;
+  function App() {
+    const { exit } = useApp();
+    const [scope, setScope] = useState("global");
+    const [focusSettings, setFocusSettings] = useState(false);
+    const [catIndex, setCatIndex] = useState(0);
+    const [setIndex, setSetIndex] = useState(0);
+    const [, bump] = useState(0);
+    const category = CATEGORIES[catIndex];
+    const settings = category.settings;
+    useInput((input, key) => {
+      if (input === "q" || key.escape || key.ctrl && input === "c") {
+        exit();
+        return;
+      }
+      if (input === "g") {
+        setScope((s) => s === "global" ? "local" : "global");
+        return;
+      }
+      if (key.tab) {
+        setFocusSettings((f) => !f);
+        return;
+      }
+      if (key.leftArrow || input === "h") {
+        setFocusSettings(false);
+        return;
+      }
+      if (key.rightArrow || input === "l") {
+        setFocusSettings(true);
+        return;
+      }
+      if (key.upArrow || input === "k") {
+        if (focusSettings) setSetIndex((i) => Math.max(0, i - 1));
+        else {
+          setCatIndex((i) => Math.max(0, i - 1));
+          setSetIndex(0);
+        }
+        return;
+      }
+      if (key.downArrow || input === "j") {
+        if (focusSettings) setSetIndex((i) => Math.min(settings.length - 1, i + 1));
+        else {
+          setCatIndex((i) => Math.min(CATEGORIES.length - 1, i + 1));
+          setSetIndex(0);
+        }
+        return;
+      }
+      if (key.return || input === " ") {
+        if (!focusSettings) {
+          setFocusSettings(true);
+          return;
+        }
+        const setting = settings[setIndex];
+        setting.write(!setting.read(scope), scope);
+        bump((n) => n + 1);
+      }
+    });
+    const header = h(
+      Box,
+      { marginBottom: 1 },
+      h(Text, { bold: true, color: "cyan" }, "enigma settings"),
+      h(Text, { dimColor: true }, "    scope: "),
+      h(Text, { bold: true, color: scope === "global" ? "green" : "yellow" }, scope),
+      h(Text, { dimColor: true }, "  (g to change)")
+    );
+    const left = h(Box, {
+      flexDirection: "column",
+      borderStyle: "round",
+      borderColor: focusSettings ? "gray" : "cyan",
+      paddingX: 1,
+      width: 26,
+      marginRight: 1
+    }, CATEGORIES.map((c, i) => h(Text, {
+      key: c.title,
+      color: i === catIndex ? "cyan" : void 0,
+      inverse: !focusSettings && i === catIndex
+    }, `${i === catIndex ? ">" : " "} ${c.title}`)));
+    const right = h(Box, {
+      flexDirection: "column",
+      borderStyle: "round",
+      borderColor: focusSettings ? "cyan" : "gray",
+      paddingX: 1,
+      flexGrow: 1
+    }, [
+      h(Text, { key: "__blurb", dimColor: true }, category.blurb),
+      ...settings.map((s, i) => {
+        const on = s.read(scope);
+        const selected = focusSettings && i === setIndex;
+        return h(
+          Box,
+          { key: s.key, justifyContent: "space-between" },
+          h(Text, { inverse: selected }, `${selected ? ">" : " "} ${s.label}${s.globalOnly ? " (global)" : ""}`),
+          h(Text, { bold: true, color: on ? "green" : "gray" }, ` ${valueLabel(on)}`)
+        );
+      })
+    ]);
+    const footer = h(Box, { marginTop: 1 }, h(
+      Text,
+      { dimColor: true },
+      "up/down move  -  tab/left/right switch pane  -  enter/space toggle  -  g scope  -  q quit"
+    ));
+    return h(Box, { flexDirection: "column" }, header, h(Box, {}, left, right), footer);
+  }
+  const app = render(h(App));
+  await app.waitUntilExit();
+}
+var init_settings = __esm({
+  "src/tui/settings.ts"() {
+    "use strict";
+    init_settings_registry();
+  }
+});
+
+// src/cli.ts
+init_util();
+import { dirname as dirname4, join as join10 } from "path";
+import { fileURLToPath as fileURLToPath4 } from "url";
+import * as p5 from "@clack/prompts";
 
 // src/skills.ts
+init_util();
+init_agents();
+import { existsSync as existsSync5, readdirSync, readFileSync as readFileSync3, writeFileSync as writeFileSync4, cpSync as cpSync2, mkdirSync as mkdirSync4, rmSync } from "fs";
+import { dirname as dirname2, join as join6, resolve as resolve2, relative as relative2, sep as sep2 } from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+import { createHash } from "crypto";
+import * as p3 from "@clack/prompts";
+
+// src/security.ts
+init_util();
+import { existsSync as existsSync3, mkdirSync, cpSync, writeFileSync, chmodSync } from "fs";
+import { dirname, join as join3, resolve, relative } from "path";
+import { fileURLToPath } from "url";
+import { execFileSync as execFileSync2 } from "child_process";
+import * as p from "@clack/prompts";
+var __dirname = dirname(fileURLToPath(import.meta.url));
+function findGuardSrc() {
+  const candidates = [
+    join3(__dirname, "guard.js"),
+    join3(__dirname, "..", "dist", "guard.js")
+  ];
+  return candidates.find((c) => existsSync3(c)) ?? null;
+}
+var GUARD_PROTECTIONS = [
+  { value: "secrets", label: "Block committed secrets", hint: "API keys, tokens, private keys" },
+  { value: "envFiles", label: "Block .env files", hint: "allows .env.example / .sample / .template" },
+  { value: "depDirs", label: "Block dependency/cache dirs", hint: "node_modules, __pycache__, venv" },
+  { value: "generatedDirs", label: "Warn on generated dirs", hint: "dist, build, .next, coverage" },
+  { value: "junkFiles", label: "Warn on log / OS junk files", hint: ".log, .DS_Store, Thumbs.db" },
+  { value: "largeFiles", label: "Warn on files over 5 MB", hint: "oversized blobs" }
+];
+function findGitRoot(start) {
+  let dir = resolve(start);
+  for (; ; ) {
+    if (existsSync3(join3(dir, ".git"))) return dir;
+    const parent = dirname(dir);
+    if (parent === dir) return null;
+    dir = parent;
+  }
+}
+function currentHooksPath(root) {
+  try {
+    return execFileSync2("git", ["-C", root, "config", "--get", "core.hooksPath"], { encoding: "utf8" }).trim();
+  } catch {
+    return "";
+  }
+}
+async function setupGitHooks(opts, interactive) {
+  const root = findGitRoot(process.cwd());
+  if (!root) {
+    p.log.error("Not inside a git repository (no .git found). Run this from your project root.");
+    return false;
+  }
+  const guardSrc = findGuardSrc();
+  if (!guardSrc) {
+    p.log.error("Cannot find the built guard (dist/guard.js). Run 'npm run build' first.");
+    return false;
+  }
+  const current = currentHooksPath(root);
+  if (current && current !== ".githooks" && !opts.force) {
+    p.log.warn(`core.hooksPath is already set to '${current}'.`);
+    if (interactive) {
+      const ok = await p.confirm({ message: `Override existing core.hooksPath '${current}' with '.githooks'?` });
+      if (p.isCancel(ok) || !ok) {
+        p.log.info("Left git hooks unchanged.");
+        return false;
+      }
+    } else {
+      p.log.info("Re-run with --force to override.");
+      return false;
+    }
+  }
+  let enabled = opts.protections;
+  if (!enabled && interactive) {
+    const r = await p.multiselect({
+      message: "Which protections should the commit guard enforce?",
+      options: GUARD_PROTECTIONS,
+      initialValues: GUARD_PROTECTIONS.map((o) => o.value),
+      required: true
+    });
+    if (p.isCancel(r)) {
+      p.log.info("Left git hooks unchanged.");
+      return false;
+    }
+    enabled = r;
+  }
+  const config = {};
+  for (const o of GUARD_PROTECTIONS) config[o.value] = enabled ? enabled.includes(o.value) : true;
+  const hooksDir = join3(root, ".githooks");
+  mkdirSync(hooksDir, { recursive: true });
+  cpSync(guardSrc, join3(hooksDir, "guard.mjs"), { force: true });
+  writeFileSync(join3(hooksDir, "enigma-guard.json"), JSON.stringify(config, null, 2) + "\n");
+  const shimPath = join3(hooksDir, "pre-commit");
+  const shim = [
+    "#!/bin/sh",
+    "# Managed by enigma (enigma-cli) - blocks committed secrets, .env files, and dependency dirs.",
+    "# Toggle protections in .githooks/enigma-guard.json. Bypass once: git commit --no-verify",
+    'exec node "$(git rev-parse --show-toplevel)/.githooks/guard.mjs" "$@"',
+    ""
+  ].join("\n");
+  writeFileSync(shimPath, shim);
+  try {
+    chmodSync(shimPath, 493);
+  } catch {
+  }
+  try {
+    chmodSync(join3(hooksDir, "guard.mjs"), 493);
+  } catch {
+  }
+  try {
+    execFileSync2("git", ["-C", root, "config", "core.hooksPath", ".githooks"]);
+  } catch (err) {
+    p.log.error(`Failed to set core.hooksPath: ${err.message}`);
+    return false;
+  }
+  const on = Object.entries(config).filter(([, v]) => v).map(([k]) => k);
+  p.log.success(`Git security hooks installed in ${relative(process.cwd(), hooksDir) || ".githooks"} (core.hooksPath set).`);
+  p.log.info(`Enforcing: ${on.join(", ") || "nothing"}. Commit .githooks/ so your team inherits it.`);
+  if (isOnPath("gh")) {
+    p.log.info("GitHub CLI (gh) detected: these hooks also run for commits made via gh, since gh uses git underneath.");
+  }
+  return true;
+}
+async function maybeOfferGitHooks(interactive, opts) {
+  if (!interactive || opts.security) return;
+  const root = findGitRoot(process.cwd());
+  if (!root) return;
+  if (currentHooksPath(root) === ".githooks") return;
+  const ok = await p.confirm({ message: "Set up git security hooks here too (block secrets, .env, node_modules)?" });
+  if (!p.isCancel(ok) && ok) await setupGitHooks({ ...opts, protections: void 0 }, interactive);
+}
+
+// src/skills.ts
+init_claude();
+init_permissions();
 var __dirname2 = dirname2(fileURLToPath2(import.meta.url));
 var PKG_ROOT = resolve2(__dirname2, "..");
 var ASSETS = join6(PKG_ROOT, "assets");
@@ -920,65 +1333,38 @@ if (isGuardEntry && fileURLToPath3(import.meta.url) === guardEntry) {
   process.exit(runGuardCli(process.argv.includes("--all")));
 }
 
-// src/config.ts
-import { homedir as homedir4 } from "os";
-import { join as join8 } from "path";
-import { existsSync as existsSync6, mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
-var CONFIG_FILE = ".enigma.json";
-var CONFIG_DEFAULTS = { commitEmoji: true };
-var BOOLEAN_KEYS = ["commitEmoji"];
-var CLI_KEYS = { "commit-emoji": "commitEmoji" };
-function configPath(scope) {
-  return scope === "global" ? join8(homedir4(), CONFIG_FILE) : join8(process.cwd(), CONFIG_FILE);
+// src/settings.ts
+init_config();
+init_settings_registry();
+function printEffective() {
+  console.log("Effective enigma settings:\n");
+  for (const category of CATEGORIES) {
+    console.log(`${category.title}:`);
+    for (const s of category.settings) console.log(`  ${s.key}: ${valueLabel(s.read("global"))}`);
+    console.log("");
+  }
+  const { sources } = readConfig();
+  console.log(sources.length ? `.enigma.json sources: ${sources.join(", ")}` : ".enigma.json: built-in defaults (no file found)");
+  console.log("Agent settings (attribution, bypass) reflect each agent's own config at the global scope.");
 }
-function readConfig() {
-  const sources = [];
-  let config = { ...CONFIG_DEFAULTS };
-  for (const scope of ["global", "local"]) {
-    const path = configPath(scope);
-    const raw = existsSync6(path) ? readJson(path) : null;
-    if (raw) {
-      config = { ...config, ...raw };
-      sources.push(path);
-    }
-  }
-  return { config, sources };
-}
-function parseBool(value) {
-  const v = value.toLowerCase();
-  if (["on", "true", "yes", "1", "enable", "enabled"].includes(v)) return true;
-  if (["off", "false", "no", "0", "disable", "disabled"].includes(v)) return false;
-  return null;
-}
-function setValue(scope, key, value) {
-  const path = configPath(scope);
-  const current = readJson(path) || {};
-  const next = { ...current, [key]: value };
-  const dir = join8(path, "..");
-  if (!isDir(dir)) mkdirSync5(dir, { recursive: true });
-  writeFileSync5(path, JSON.stringify(next, null, 2) + "\n");
-  return path;
-}
-function runConfigCli(positionals, scope) {
+async function runConfigCli(positionals, scope, interactive) {
   const [rawKey, rawValue] = positionals;
   if (!rawKey) {
-    const { config, sources } = readConfig();
-    console.log("Effective enigma config:");
-    for (const k of BOOLEAN_KEYS) {
-      const cliKey = Object.keys(CLI_KEYS).find((c) => CLI_KEYS[c] === k) || k;
-      console.log(`  ${cliKey}: ${config[k]}`);
+    if (interactive) {
+      const { runSettingsTui: runSettingsTui2 } = await Promise.resolve().then(() => (init_settings(), settings_exports));
+      await runSettingsTui2();
+    } else {
+      printEffective();
     }
-    console.log(sources.length ? `
-From: ${sources.join(", ")}` : "\nFrom: built-in defaults (no .enigma.json found)");
     return 0;
   }
-  const key = CLI_KEYS[rawKey];
-  if (!key) {
-    console.error(`Unknown config key: ${rawKey}. Known keys: ${Object.keys(CLI_KEYS).join(", ")}.`);
+  const setting = ALL_SETTINGS.find((s) => s.key === rawKey);
+  if (!setting) {
+    console.error(`Unknown config key: ${rawKey}. Known keys: ${ALL_SETTINGS.map((s) => s.key).join(", ")}.`);
     return 1;
   }
   if (rawValue === void 0) {
-    console.error(`Missing value for '${rawKey}'. Usage: enigma config ${rawKey} <on|off>`);
+    console.error(`Missing value for '${rawKey}'. Usage: enigma config ${rawKey} <on|off> [-g|-l]`);
     return 1;
   }
   const value = parseBool(rawValue);
@@ -986,13 +1372,16 @@ From: ${sources.join(", ")}` : "\nFrom: built-in defaults (no .enigma.json found
     console.error(`Invalid value '${rawValue}' for '${rawKey}'. Use on or off.`);
     return 1;
   }
-  const target = scope || "global";
-  const path = setValue(target, key, value);
-  console.log(`Set ${rawKey} = ${value ? "on" : "off"} (${target}) in ${path}.`);
+  const target = setting.globalOnly ? "global" : scope || "global";
+  const result = setting.write(value, target);
+  const where = result.path ? ` in ${result.path}` : "";
+  console.log(`Set ${rawKey} = ${valueLabel(value)} (${target})${where}.`);
   return 0;
 }
 
 // src/update.ts
+init_util();
+init_config();
 import { homedir as homedir5 } from "os";
 import { join as join9 } from "path";
 import { writeFileSync as writeFileSync6 } from "fs";
@@ -1073,6 +1462,7 @@ function runUpdate() {
 async function notifyUpdate(current, interactive) {
   if (!process.stdout.isTTY || process.env.CI) return;
   try {
+    if (!readConfig().config.updateNotifier) return;
     scheduleUpdateCheck();
     const cache = readCache();
     const latest = cache?.latest ? String(cache.latest).replace(/[^\w.+-]/g, "") : "";
@@ -1199,15 +1589,19 @@ Usage:
   enigma [command] [options]
 
 Commands:
-  (none)               Interactive menu: pick which features to set up
+  (none)               Interactive hub: configure settings or set up features
   install              Install/update agent skills (Claude Code, Codex, opencode)
   security             Set up git security hooks in the current repo
   guard [--all]        Run the commit guard (staged files, or --all for every tracked file)
-  config [key val]     Show/set runtime toggles (e.g. config commit-emoji off)
+  config [key val]     Configure settings: no args opens the interactive menu;
+                       'config <key> <on|off> [-g|-l]' sets one (e.g. config claude-attribution on)
   seal                 Maintenance: (re)compute skill content hashes
   check                Integrity gate: verify skills are well-formed and sealed
   help, version
 
+Config keys: commit-emoji, update-notifier, claude-attribution,
+             bypass-claude, bypass-codex, bypass-opencode
+
 Install options:
   -g, --global         Install at user level
   -l, --local          Install into the current project
@@ -1256,7 +1650,7 @@ async function run(argv) {
     process.exit(runGuardCli(opts.all));
   }
   if (opts.command === "config") {
-    process.exit(runConfigCli(opts.positionals, opts.scope));
+    process.exit(await runConfigCli(opts.positionals, opts.scope, interactive));
   }
   if (opts.command === "install") {
     p5.intro("enigma - install agent skills");
@@ -1272,28 +1666,29 @@ async function run(argv) {
     await notifyUpdate(version, interactive);
     return;
   }
+  if (!interactive) {
+    await installSkills(opts, interactive);
+    await notifyUpdate(version, interactive);
+    return;
+  }
   p5.intro("enigma");
-  let features;
-  if (interactive) {
-    const r = await p5.multiselect({
-      message: "What do you want to set up?",
+  for (; ; ) {
+    const action = await p5.select({
+      message: "What would you like to do?",
       options: [
-        { value: "skills", label: "Agent skills", hint: "Claude Code, Codex, opencode" },
-        { value: "security", label: "Git security hooks", hint: "block secrets, .env, node_modules on commit" }
-      ],
-      initialValues: ["skills"],
-      required: true
+        { value: "config", label: "Configure settings", hint: "emoji, attribution, permission bypass, ..." },
+        { value: "skills", label: "Install agent skills", hint: "Claude Code, Codex, opencode" },
+        { value: "security", label: "Git security hooks", hint: "block secrets, .env, node_modules on commit" },
+        { value: "exit", label: "Exit" }
+      ]
     });
-    if (p5.isCancel(r)) {
-      p5.cancel("Aborted.");
-      return;
-    }
-    features = r;
-  } else {
-    features = ["skills"];
+    if (p5.isCancel(action) || action === "exit") break;
+    if (action === "config") {
+      const { runSettingsTui: runSettingsTui2 } = await Promise.resolve().then(() => (init_settings(), settings_exports));
+      await runSettingsTui2();
+    } else if (action === "skills") await installSkills(opts, interactive);
+    else if (action === "security") await setupGitHooks(opts, interactive);
   }
-  if (features.includes("skills")) await installSkills(opts, interactive);
-  if (features.includes("security")) await setupGitHooks(opts, interactive);
   p5.outro("Done.");
   await notifyUpdate(version, interactive);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "enigma-cli",
-  "version": "1.1.1",
+  "version": "1.1.3",
   "description": "Everything you need to work with a coding agent: install shared policy skills for Claude Code, OpenAI Codex and opencode, and set up portable git security hooks.",
   "type": "module",
   "bin": {
@@ -9,7 +9,8 @@
   "scripts": {
     "enigma": "tsx src/bin/enigma.ts",
     "build": "tsup",
-    "dev": "tsup --watch",
+    "dev": "node scripts/dev.mjs",
+    "dev:watch": "tsup --watch",
     "typecheck": "tsc --noEmit",
     "seal": "tsx src/bin/enigma.ts seal",
     "check": "tsx src/bin/enigma.ts check",
@@ -27,10 +28,13 @@
     "node": ">=18"
   },
   "dependencies": {
-    "@clack/prompts": "^0.7.0"
+    "@clack/prompts": "^0.7.0",
+    "ink": "^5.2.1",
+    "react": "^18.3.1"
   },
   "devDependencies": {
     "@types/node": "^22.0.0",
+    "@types/react": "^18.3.29",
     "tsup": "^8.0.0",
     "tsx": "^4.0.0",
     "typescript": "^5.0.0"