enigma-cli 1.1.2 → 1.1.3

package/assets/skills/backend-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Backend/API architecture: controller-service-repository layering, API and request optimization, server-side caching (Redis), and Zod boundary validation.",
-  "cliVersion": "1.1.2",
+  "cliVersion": "1.1.3",
   "sha": "c442bc9e39a7710cb709ef2abb8d15ecd8aa16ed4f5c8af92b7af6877401cba4"
 }

package/assets/skills/ciphera-style-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.1.0",
   "provider": "FJRG2007/enigma",
   "description": "Ciphera code style conventions (formatting, naming, imports, comments, code-level anti-patterns; TypeScript-first, language-agnostic).",
-  "cliVersion": "1.1.2",
+  "cliVersion": "1.1.3",
   "sha": "f8602bb79fbbe063ab39fbd59d0b7844a22c3a1583fcd11c1b4f98a2fe8ddc86"
 }

package/assets/skills/code-review-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Pre-delivery self-review gate, prioritized review dimensions, and change-quality criteria.",
-  "cliVersion": "1.1.2",
+  "cliVersion": "1.1.3",
   "sha": "3d3bbe0602d5bbb4afe37648fe3c2fa39376b1bcbac5d8c441f01fad1e866ed0"
 }

package/assets/skills/core-engineering-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.4.0",
   "provider": "FJRG2007/enigma",
   "description": "Core engineering execution policy and harness orchestration (highest-authority rules).",
-  "cliVersion": "1.1.2",
+  "cliVersion": "1.1.3",
   "sha": "c9c69c59516794311cb7b306ed4d4ad971824de3689a39c2b86c7669c73f2e8b"
 }

package/assets/skills/database-expert/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Senior database architecture policy: query optimization, anti-duplication/normalization, scalability, and RGPD/GDPR encryption.",
-  "cliVersion": "1.1.2",
+  "cliVersion": "1.1.3",
   "sha": "c4617ee8d1a57d9621c81bef3093e94de91f79eec0cc0ead41f6d18dd443e623"
 }

package/assets/skills/debugging-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Reproduce-isolate-fix debugging methodology with root-cause discipline and regression verification.",
-  "cliVersion": "1.1.2",
+  "cliVersion": "1.1.3",
   "sha": "14b0064c8b33a0dc85e51464b05005cf5801c756b1101789a6924b9548420f6b"
 }

package/assets/skills/dependency-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Dependency and supply-chain security: lockfiles and reproducible installs, version pinning, vulnerability auditing, vetting/minimizing packages, vendoring, and SBOM/provenance.",
-  "cliVersion": "1.1.2",
+  "cliVersion": "1.1.3",
   "sha": "6375d835c2aef2c9bd31ce116444dc3d796f510f9970a213aa3ac4696d7e21b9"
 }

package/assets/skills/frontend-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Frontend architecture: reusable components, abstraction thresholds, state management, and optimistic UI with rollback.",
-  "cliVersion": "1.1.2",
+  "cliVersion": "1.1.3",
   "sha": "b0355b0e15f9f528d32adf19f0722d2727cd64d6b3544307ecc7a3141338f023"
 }

package/assets/skills/git-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.2.0",
   "provider": "FJRG2007/enigma",
   "description": "Git & contribution policy (senior engineering standards).",
-  "cliVersion": "1.1.2",
+  "cliVersion": "1.1.3",
   "sha": "ada4b7eb5bb7e013429e23703c271c0f34b0d76327c059efa148ea2794f96178"
 }

package/assets/skills/security-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Application and AI-agent security: secrets, authn/authz (least privilege), OWASP Top 10, transport/crypto baseline, secure logging, and agent/MCP/tool-use safety.",
-  "cliVersion": "1.1.2",
+  "cliVersion": "1.1.3",
   "sha": "9971e9d9127397d0152e89d24aad3191e2935e55a8483db7fd15f5d4d7a60e7a"
 }

package/assets/skills/testing-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Test strategy, coverage gates, deterministic tests, mocking discipline, and regression-first bug fixing.",
-  "cliVersion": "1.1.2",
+  "cliVersion": "1.1.3",
   "sha": "d19fa8ec7985ed231478be504d3c80360897f555d0bc0624bea19c091f459fb0"
 }

package/assets/skills/validation-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Strict frontend + backend schema validation, schema consistency, and safe client-facing error handling.",
-  "cliVersion": "1.1.2",
+  "cliVersion": "1.1.3",
   "sha": "a33622a2f810ee4cea39824cb1a7ca34b355a917d4224025df50d77dd74f0b3a"
 }

package/dist/enigma.js

@@ -1,9 +1,13 @@
 #!/usr/bin/env node
-
-// src/cli.ts
-import { dirname as dirname4, join as join10 } from "path";
-import { fileURLToPath as fileURLToPath4 } from "url";
-import * as p6 from "@clack/prompts";
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
 
 // src/util.ts
 import { existsSync, statSync, readFileSync } from "fs";
@@ -27,58 +31,20 @@ function isOnPath(bin) {
   const exts = sep === "\\" ? (process.env.PATHEXT || ".EXE;.CMD;.BAT;.COM").split(";").map((e) => e.toLowerCase()) : [""];
   return dirs.some((d) => exts.some((ext) => existsSync(join(d, bin + ext))));
 }
-
-// src/skills.ts
-import { existsSync as existsSync5, readdirSync, readFileSync as readFileSync3, writeFileSync as writeFileSync4, cpSync as cpSync2, mkdirSync as mkdirSync4, rmSync } from "fs";
-import { dirname as dirname2, join as join6, resolve as resolve2, relative as relative2, sep as sep2 } from "path";
-import { fileURLToPath as fileURLToPath2 } from "url";
-import { createHash } from "crypto";
-import * as p3 from "@clack/prompts";
+var init_util = __esm({
+  "src/util.ts"() {
+    "use strict";
+  }
+});
 
 // src/agents.ts
 import { homedir } from "os";
 import { join as join2 } from "path";
 import { existsSync as existsSync2 } from "fs";
 import { execFileSync } from "child_process";
-var HOME = homedir();
-var MANAGED_PROVIDER = "FJRG2007/enigma";
-var LEGACY_PROVIDERS = ["FJRG2007"];
 function isManagedProvider(provider) {
   return provider === MANAGED_PROVIDER || typeof provider === "string" && LEGACY_PROVIDERS.includes(provider);
 }
-var AGENTS = {
-  claude: {
-    label: "Claude Code",
-    memoryFile: "CLAUDE.md",
-    detect: { bins: ["claude"], dirs: [join2(HOME, ".claude")] },
-    targets: {
-      global: { skills: join2(HOME, ".claude", "skills"), memory: join2(HOME, ".claude") },
-      local: { skills: join2(process.cwd(), ".claude", "skills"), memory: process.cwd() }
-    }
-  },
-  codex: {
-    label: "OpenAI Codex",
-    memoryFile: "AGENTS.md",
-    // Codex reads AGENTS.md from its home (~/.codex) and project root, but
-    // discovers skills from the shared `.agents/skills` location, not ~/.codex/skills.
-    detect: { bins: ["codex"], dirs: [join2(HOME, ".codex")] },
-    targets: {
-      global: { skills: join2(HOME, ".agents", "skills"), memory: join2(HOME, ".codex") },
-      local: { skills: join2(process.cwd(), ".agents", "skills"), memory: process.cwd() }
-    }
-  },
-  opencode: {
-    label: "opencode",
-    memoryFile: "AGENTS.md",
-    // opencode reads AGENTS.md from ~/.config/opencode (global) or the project
-    // root (local); skills from ~/.config/opencode/skills and .opencode/skills.
-    detect: { bins: ["opencode"], dirs: [join2(HOME, ".config", "opencode"), join2(HOME, ".opencode")] },
-    targets: {
-      global: { skills: join2(HOME, ".config", "opencode", "skills"), memory: join2(HOME, ".config", "opencode") },
-      local: { skills: join2(process.cwd(), ".opencode", "skills"), memory: process.cwd() }
-    }
-  }
-};
 function isInstalled(agent) {
   const det = agent.detect || {};
   return (det.dirs || []).some((d) => existsSync2(d)) || (det.bins || []).some((b) => isOnPath(b));
@@ -110,129 +76,49 @@ function runningStatus(agents) {
   }
   return { known: true, running };
 }
-
-// src/security.ts
-import { existsSync as existsSync3, mkdirSync, cpSync, writeFileSync, chmodSync } from "fs";
-import { dirname, join as join3, resolve, relative } from "path";
-import { fileURLToPath } from "url";
-import { execFileSync as execFileSync2 } from "child_process";
-import * as p from "@clack/prompts";
-var __dirname = dirname(fileURLToPath(import.meta.url));
-function findGuardSrc() {
-  const candidates = [
-    join3(__dirname, "guard.js"),
-    join3(__dirname, "..", "dist", "guard.js")
-  ];
-  return candidates.find((c) => existsSync3(c)) ?? null;
-}
-var GUARD_PROTECTIONS = [
-  { value: "secrets", label: "Block committed secrets", hint: "API keys, tokens, private keys" },
-  { value: "envFiles", label: "Block .env files", hint: "allows .env.example / .sample / .template" },
-  { value: "depDirs", label: "Block dependency/cache dirs", hint: "node_modules, __pycache__, venv" },
-  { value: "generatedDirs", label: "Warn on generated dirs", hint: "dist, build, .next, coverage" },
-  { value: "junkFiles", label: "Warn on log / OS junk files", hint: ".log, .DS_Store, Thumbs.db" },
-  { value: "largeFiles", label: "Warn on files over 5 MB", hint: "oversized blobs" }
-];
-function findGitRoot(start) {
-  let dir = resolve(start);
-  for (; ; ) {
-    if (existsSync3(join3(dir, ".git"))) return dir;
-    const parent = dirname(dir);
-    if (parent === dir) return null;
-    dir = parent;
-  }
-}
-function currentHooksPath(root) {
-  try {
-    return execFileSync2("git", ["-C", root, "config", "--get", "core.hooksPath"], { encoding: "utf8" }).trim();
-  } catch {
-    return "";
-  }
-}
-async function setupGitHooks(opts, interactive) {
-  const root = findGitRoot(process.cwd());
-  if (!root) {
-    p.log.error("Not inside a git repository (no .git found). Run this from your project root.");
-    return false;
-  }
-  const guardSrc = findGuardSrc();
-  if (!guardSrc) {
-    p.log.error("Cannot find the built guard (dist/guard.js). Run 'npm run build' first.");
-    return false;
-  }
-  const current = currentHooksPath(root);
-  if (current && current !== ".githooks" && !opts.force) {
-    p.log.warn(`core.hooksPath is already set to '${current}'.`);
-    if (interactive) {
-      const ok = await p.confirm({ message: `Override existing core.hooksPath '${current}' with '.githooks'?` });
-      if (p.isCancel(ok) || !ok) {
-        p.log.info("Left git hooks unchanged.");
-        return false;
+var HOME, MANAGED_PROVIDER, LEGACY_PROVIDERS, AGENTS;
+var init_agents = __esm({
+  "src/agents.ts"() {
+    "use strict";
+    init_util();
+    HOME = homedir();
+    MANAGED_PROVIDER = "FJRG2007/enigma";
+    LEGACY_PROVIDERS = ["FJRG2007"];
+    AGENTS = {
+      claude: {
+        label: "Claude Code",
+        memoryFile: "CLAUDE.md",
+        detect: { bins: ["claude"], dirs: [join2(HOME, ".claude")] },
+        targets: {
+          global: { skills: join2(HOME, ".claude", "skills"), memory: join2(HOME, ".claude") },
+          local: { skills: join2(process.cwd(), ".claude", "skills"), memory: process.cwd() }
+        }
+      },
+      codex: {
+        label: "OpenAI Codex",
+        memoryFile: "AGENTS.md",
+        // Codex reads AGENTS.md from its home (~/.codex) and project root, but
+        // discovers skills from the shared `.agents/skills` location, not ~/.codex/skills.
+        detect: { bins: ["codex"], dirs: [join2(HOME, ".codex")] },
+        targets: {
+          global: { skills: join2(HOME, ".agents", "skills"), memory: join2(HOME, ".codex") },
+          local: { skills: join2(process.cwd(), ".agents", "skills"), memory: process.cwd() }
+        }
+      },
+      opencode: {
+        label: "opencode",
+        memoryFile: "AGENTS.md",
+        // opencode reads AGENTS.md from ~/.config/opencode (global) or the project
+        // root (local); skills from ~/.config/opencode/skills and .opencode/skills.
+        detect: { bins: ["opencode"], dirs: [join2(HOME, ".config", "opencode"), join2(HOME, ".opencode")] },
+        targets: {
+          global: { skills: join2(HOME, ".config", "opencode", "skills"), memory: join2(HOME, ".config", "opencode") },
+          local: { skills: join2(process.cwd(), ".opencode", "skills"), memory: process.cwd() }
+        }
       }
-    } else {
-      p.log.info("Re-run with --force to override.");
-      return false;
-    }
+    };
   }
-  let enabled = opts.protections;
-  if (!enabled && interactive) {
-    const r = await p.multiselect({
-      message: "Which protections should the commit guard enforce?",
-      options: GUARD_PROTECTIONS,
-      initialValues: GUARD_PROTECTIONS.map((o) => o.value),
-      required: true
-    });
-    if (p.isCancel(r)) {
-      p.log.info("Left git hooks unchanged.");
-      return false;
-    }
-    enabled = r;
-  }
-  const config = {};
-  for (const o of GUARD_PROTECTIONS) config[o.value] = enabled ? enabled.includes(o.value) : true;
-  const hooksDir = join3(root, ".githooks");
-  mkdirSync(hooksDir, { recursive: true });
-  cpSync(guardSrc, join3(hooksDir, "guard.mjs"), { force: true });
-  writeFileSync(join3(hooksDir, "enigma-guard.json"), JSON.stringify(config, null, 2) + "\n");
-  const shimPath = join3(hooksDir, "pre-commit");
-  const shim = [
-    "#!/bin/sh",
-    "# Managed by enigma (enigma-cli) - blocks committed secrets, .env files, and dependency dirs.",
-    "# Toggle protections in .githooks/enigma-guard.json. Bypass once: git commit --no-verify",
-    'exec node "$(git rev-parse --show-toplevel)/.githooks/guard.mjs" "$@"',
-    ""
-  ].join("\n");
-  writeFileSync(shimPath, shim);
-  try {
-    chmodSync(shimPath, 493);
-  } catch {
-  }
-  try {
-    chmodSync(join3(hooksDir, "guard.mjs"), 493);
-  } catch {
-  }
-  try {
-    execFileSync2("git", ["-C", root, "config", "core.hooksPath", ".githooks"]);
-  } catch (err) {
-    p.log.error(`Failed to set core.hooksPath: ${err.message}`);
-    return false;
-  }
-  const on = Object.entries(config).filter(([, v]) => v).map(([k]) => k);
-  p.log.success(`Git security hooks installed in ${relative(process.cwd(), hooksDir) || ".githooks"} (core.hooksPath set).`);
-  p.log.info(`Enforcing: ${on.join(", ") || "nothing"}. Commit .githooks/ so your team inherits it.`);
-  if (isOnPath("gh")) {
-    p.log.info("GitHub CLI (gh) detected: these hooks also run for commits made via gh, since gh uses git underneath.");
-  }
-  return true;
-}
-async function maybeOfferGitHooks(interactive, opts) {
-  if (!interactive || opts.security) return;
-  const root = findGitRoot(process.cwd());
-  if (!root) return;
-  if (currentHooksPath(root) === ".githooks") return;
-  const ok = await p.confirm({ message: "Set up git security hooks here too (block secrets, .env, node_modules)?" });
-  if (!p.isCancel(ok) && ok) await setupGitHooks({ ...opts, protections: void 0 }, interactive);
-}
+});
 
 // src/claude.ts
 import { homedir as homedir2 } from "os";
@@ -320,14 +206,18 @@ function writeClaudeSettings(path, data) {
   if (!isDir(dir)) mkdirSync2(dir, { recursive: true });
   writeFileSync2(path, JSON.stringify(data, null, 2) + "\n");
 }
+var init_claude = __esm({
+  "src/claude.ts"() {
+    "use strict";
+    init_util();
+  }
+});
 
 // src/permissions.ts
 import { homedir as homedir3 } from "os";
 import { join as join5 } from "path";
 import { existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync2, writeFileSync as writeFileSync3 } from "fs";
 import * as p2 from "@clack/prompts";
-var BYPASS_SUPPORTED = ["claude", "codex", "opencode"];
-var BYPASS_DEFAULT_ON = /* @__PURE__ */ new Set(["claude", "codex"]);
 async function resolveBypassSelection(candidates, opts, interactive) {
   const supported = candidates.filter((a) => BYPASS_SUPPORTED.includes(a.name));
   if (!supported.length || opts.noBypass) return [];
@@ -516,8 +406,391 @@ function normalizeTrailingNewline(s) {
   return `${s.replace(/\s+$/, "")}
 `;
 }
+var BYPASS_SUPPORTED, BYPASS_DEFAULT_ON;
+var init_permissions = __esm({
+  "src/permissions.ts"() {
+    "use strict";
+    init_agents();
+    init_util();
+    init_claude();
+    BYPASS_SUPPORTED = ["claude", "codex", "opencode"];
+    BYPASS_DEFAULT_ON = /* @__PURE__ */ new Set(["claude", "codex"]);
+  }
+});
+
+// src/config.ts
+import { homedir as homedir4 } from "os";
+import { join as join8 } from "path";
+import { existsSync as existsSync6, mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
+function configPath(scope) {
+  return scope === "global" ? join8(homedir4(), CONFIG_FILE) : join8(process.cwd(), CONFIG_FILE);
+}
+function readConfig() {
+  const sources = [];
+  let config = { ...CONFIG_DEFAULTS };
+  for (const scope of ["global", "local"]) {
+    const path = configPath(scope);
+    const raw = existsSync6(path) ? readJson(path) : null;
+    if (raw) {
+      config = { ...config, ...raw };
+      sources.push(path);
+    }
+  }
+  return { config, sources };
+}
+function setEnigmaToggle(key, value, scope) {
+  const path = configPath(scope);
+  const current = readJson(path) || {};
+  const next = { ...current, [key]: value };
+  const dir = join8(path, "..");
+  if (!isDir(dir)) mkdirSync5(dir, { recursive: true });
+  writeFileSync5(path, JSON.stringify(next, null, 2) + "\n");
+  return path;
+}
+var CONFIG_FILE, CONFIG_DEFAULTS;
+var init_config = __esm({
+  "src/config.ts"() {
+    "use strict";
+    init_util();
+    CONFIG_FILE = ".enigma.json";
+    CONFIG_DEFAULTS = { commitEmoji: true, updateNotifier: true };
+  }
+});
+
+// src/settings-registry.ts
+function enigmaToggle(key, field, label, hint) {
+  return {
+    key,
+    label,
+    hint,
+    read: () => readConfig().config[field],
+    write: (value, scope) => ({ path: setEnigmaToggle(field, value, scope), changed: true })
+  };
+}
+function valueLabel(on) {
+  return on ? "on" : "off";
+}
+function parseBool(value) {
+  const v = value.toLowerCase();
+  if (["on", "true", "yes", "1", "enable", "enabled"].includes(v)) return true;
+  if (["off", "false", "no", "0", "disable", "disabled"].includes(v)) return false;
+  return null;
+}
+var CATEGORIES, ALL_SETTINGS;
+var init_settings_registry = __esm({
+  "src/settings-registry.ts"() {
+    "use strict";
+    init_agents();
+    init_config();
+    init_claude();
+    init_permissions();
+    CATEGORIES = [
+      {
+        title: "General",
+        blurb: "enigma runtime toggles (.enigma.json)",
+        settings: [
+          enigmaToggle("commit-emoji", "commitEmoji", "Commit subject emoji", "leading gitmoji on commit subjects"),
+          enigmaToggle("update-notifier", "updateNotifier", "Update notifications", "notify when a newer enigma-cli is published")
+        ]
+      },
+      {
+        title: "Git & attribution",
+        blurb: "how the coding agent attributes its work in git",
+        settings: [
+          {
+            key: "claude-attribution",
+            label: "Claude commit attribution",
+            hint: "let Claude Code commit as its own contributor (Co-Authored-By / PR footer); enigma default: off",
+            read: (scope) => getClaudeAttribution(scope),
+            write: (value, scope) => ({ changed: setClaudeAttribution(scope, value) })
+          }
+        ]
+      },
+      {
+        title: "Permissions",
+        blurb: "approval-prompt bypass per agent (security trade-off)",
+        settings: BYPASS_SUPPORTED.map((name) => ({
+          key: `bypass-${name}`,
+          label: `${AGENTS[name]?.label || name} approval bypass`,
+          hint: name === "codex" ? "skip approval prompts (global ~/.codex only)" : "skip per-action approval prompts",
+          globalOnly: name === "codex",
+          read: (scope) => getBypass(name, scope),
+          write: (value, scope) => setBypass(name, scope, value, false) || { changed: false }
+        }))
+      }
+    ];
+    ALL_SETTINGS = CATEGORIES.flatMap((c) => c.settings);
+  }
+});
+
+// src/tui/settings.ts
+var settings_exports = {};
+__export(settings_exports, {
+  runSettingsTui: () => runSettingsTui
+});
+async function runSettingsTui() {
+  if (!process.stdout.isTTY) return;
+  const React = (await import("react")).default;
+  const ink = await import("ink");
+  const { render, useApp, useInput } = ink;
+  const Box = ink.Box;
+  const Text = ink.Text;
+  const { useState } = React;
+  const h = React.createElement;
+  function App() {
+    const { exit } = useApp();
+    const [scope, setScope] = useState("global");
+    const [focusSettings, setFocusSettings] = useState(false);
+    const [catIndex, setCatIndex] = useState(0);
+    const [setIndex, setSetIndex] = useState(0);
+    const [, bump] = useState(0);
+    const category = CATEGORIES[catIndex];
+    const settings = category.settings;
+    useInput((input, key) => {
+      if (input === "q" || key.escape || key.ctrl && input === "c") {
+        exit();
+        return;
+      }
+      if (input === "g") {
+        setScope((s) => s === "global" ? "local" : "global");
+        return;
+      }
+      if (key.tab) {
+        setFocusSettings((f) => !f);
+        return;
+      }
+      if (key.leftArrow || input === "h") {
+        setFocusSettings(false);
+        return;
+      }
+      if (key.rightArrow || input === "l") {
+        setFocusSettings(true);
+        return;
+      }
+      if (key.upArrow || input === "k") {
+        if (focusSettings) setSetIndex((i) => Math.max(0, i - 1));
+        else {
+          setCatIndex((i) => Math.max(0, i - 1));
+          setSetIndex(0);
+        }
+        return;
+      }
+      if (key.downArrow || input === "j") {
+        if (focusSettings) setSetIndex((i) => Math.min(settings.length - 1, i + 1));
+        else {
+          setCatIndex((i) => Math.min(CATEGORIES.length - 1, i + 1));
+          setSetIndex(0);
+        }
+        return;
+      }
+      if (key.return || input === " ") {
+        if (!focusSettings) {
+          setFocusSettings(true);
+          return;
+        }
+        const setting = settings[setIndex];
+        setting.write(!setting.read(scope), scope);
+        bump((n) => n + 1);
+      }
+    });
+    const header = h(
+      Box,
+      { marginBottom: 1 },
+      h(Text, { bold: true, color: "cyan" }, "enigma settings"),
+      h(Text, { dimColor: true }, "    scope: "),
+      h(Text, { bold: true, color: scope === "global" ? "green" : "yellow" }, scope),
+      h(Text, { dimColor: true }, "  (g to change)")
+    );
+    const left = h(Box, {
+      flexDirection: "column",
+      borderStyle: "round",
+      borderColor: focusSettings ? "gray" : "cyan",
+      paddingX: 1,
+      width: 26,
+      marginRight: 1
+    }, CATEGORIES.map((c, i) => h(Text, {
+      key: c.title,
+      color: i === catIndex ? "cyan" : void 0,
+      inverse: !focusSettings && i === catIndex
+    }, `${i === catIndex ? ">" : " "} ${c.title}`)));
+    const right = h(Box, {
+      flexDirection: "column",
+      borderStyle: "round",
+      borderColor: focusSettings ? "cyan" : "gray",
+      paddingX: 1,
+      flexGrow: 1
+    }, [
+      h(Text, { key: "__blurb", dimColor: true }, category.blurb),
+      ...settings.map((s, i) => {
+        const on = s.read(scope);
+        const selected = focusSettings && i === setIndex;
+        return h(
+          Box,
+          { key: s.key, justifyContent: "space-between" },
+          h(Text, { inverse: selected }, `${selected ? ">" : " "} ${s.label}${s.globalOnly ? " (global)" : ""}`),
+          h(Text, { bold: true, color: on ? "green" : "gray" }, ` ${valueLabel(on)}`)
+        );
+      })
+    ]);
+    const footer = h(Box, { marginTop: 1 }, h(
+      Text,
+      { dimColor: true },
+      "up/down move  -  tab/left/right switch pane  -  enter/space toggle  -  g scope  -  q quit"
+    ));
+    return h(Box, { flexDirection: "column" }, header, h(Box, {}, left, right), footer);
+  }
+  const app = render(h(App));
+  await app.waitUntilExit();
+}
+var init_settings = __esm({
+  "src/tui/settings.ts"() {
+    "use strict";
+    init_settings_registry();
+  }
+});
+
+// src/cli.ts
+init_util();
+import { dirname as dirname4, join as join10 } from "path";
+import { fileURLToPath as fileURLToPath4 } from "url";
+import * as p5 from "@clack/prompts";
+
+// src/skills.ts
+init_util();
+init_agents();
+import { existsSync as existsSync5, readdirSync, readFileSync as readFileSync3, writeFileSync as writeFileSync4, cpSync as cpSync2, mkdirSync as mkdirSync4, rmSync } from "fs";
+import { dirname as dirname2, join as join6, resolve as resolve2, relative as relative2, sep as sep2 } from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+import { createHash } from "crypto";
+import * as p3 from "@clack/prompts";
+
+// src/security.ts
+init_util();
+import { existsSync as existsSync3, mkdirSync, cpSync, writeFileSync, chmodSync } from "fs";
+import { dirname, join as join3, resolve, relative } from "path";
+import { fileURLToPath } from "url";
+import { execFileSync as execFileSync2 } from "child_process";
+import * as p from "@clack/prompts";
+var __dirname = dirname(fileURLToPath(import.meta.url));
+function findGuardSrc() {
+  const candidates = [
+    join3(__dirname, "guard.js"),
+    join3(__dirname, "..", "dist", "guard.js")
+  ];
+  return candidates.find((c) => existsSync3(c)) ?? null;
+}
+var GUARD_PROTECTIONS = [
+  { value: "secrets", label: "Block committed secrets", hint: "API keys, tokens, private keys" },
+  { value: "envFiles", label: "Block .env files", hint: "allows .env.example / .sample / .template" },
+  { value: "depDirs", label: "Block dependency/cache dirs", hint: "node_modules, __pycache__, venv" },
+  { value: "generatedDirs", label: "Warn on generated dirs", hint: "dist, build, .next, coverage" },
+  { value: "junkFiles", label: "Warn on log / OS junk files", hint: ".log, .DS_Store, Thumbs.db" },
+  { value: "largeFiles", label: "Warn on files over 5 MB", hint: "oversized blobs" }
+];
+function findGitRoot(start) {
+  let dir = resolve(start);
+  for (; ; ) {
+    if (existsSync3(join3(dir, ".git"))) return dir;
+    const parent = dirname(dir);
+    if (parent === dir) return null;
+    dir = parent;
+  }
+}
+function currentHooksPath(root) {
+  try {
+    return execFileSync2("git", ["-C", root, "config", "--get", "core.hooksPath"], { encoding: "utf8" }).trim();
+  } catch {
+    return "";
+  }
+}
+async function setupGitHooks(opts, interactive) {
+  const root = findGitRoot(process.cwd());
+  if (!root) {
+    p.log.error("Not inside a git repository (no .git found). Run this from your project root.");
+    return false;
+  }
+  const guardSrc = findGuardSrc();
+  if (!guardSrc) {
+    p.log.error("Cannot find the built guard (dist/guard.js). Run 'npm run build' first.");
+    return false;
+  }
+  const current = currentHooksPath(root);
+  if (current && current !== ".githooks" && !opts.force) {
+    p.log.warn(`core.hooksPath is already set to '${current}'.`);
+    if (interactive) {
+      const ok = await p.confirm({ message: `Override existing core.hooksPath '${current}' with '.githooks'?` });
+      if (p.isCancel(ok) || !ok) {
+        p.log.info("Left git hooks unchanged.");
+        return false;
+      }
+    } else {
+      p.log.info("Re-run with --force to override.");
+      return false;
+    }
+  }
+  let enabled = opts.protections;
+  if (!enabled && interactive) {
+    const r = await p.multiselect({
+      message: "Which protections should the commit guard enforce?",
+      options: GUARD_PROTECTIONS,
+      initialValues: GUARD_PROTECTIONS.map((o) => o.value),
+      required: true
+    });
+    if (p.isCancel(r)) {
+      p.log.info("Left git hooks unchanged.");
+      return false;
+    }
+    enabled = r;
+  }
+  const config = {};
+  for (const o of GUARD_PROTECTIONS) config[o.value] = enabled ? enabled.includes(o.value) : true;
+  const hooksDir = join3(root, ".githooks");
+  mkdirSync(hooksDir, { recursive: true });
+  cpSync(guardSrc, join3(hooksDir, "guard.mjs"), { force: true });
+  writeFileSync(join3(hooksDir, "enigma-guard.json"), JSON.stringify(config, null, 2) + "\n");
+  const shimPath = join3(hooksDir, "pre-commit");
+  const shim = [
+    "#!/bin/sh",
+    "# Managed by enigma (enigma-cli) - blocks committed secrets, .env files, and dependency dirs.",
+    "# Toggle protections in .githooks/enigma-guard.json. Bypass once: git commit --no-verify",
+    'exec node "$(git rev-parse --show-toplevel)/.githooks/guard.mjs" "$@"',
+    ""
+  ].join("\n");
+  writeFileSync(shimPath, shim);
+  try {
+    chmodSync(shimPath, 493);
+  } catch {
+  }
+  try {
+    chmodSync(join3(hooksDir, "guard.mjs"), 493);
+  } catch {
+  }
+  try {
+    execFileSync2("git", ["-C", root, "config", "core.hooksPath", ".githooks"]);
+  } catch (err) {
+    p.log.error(`Failed to set core.hooksPath: ${err.message}`);
+    return false;
+  }
+  const on = Object.entries(config).filter(([, v]) => v).map(([k]) => k);
+  p.log.success(`Git security hooks installed in ${relative(process.cwd(), hooksDir) || ".githooks"} (core.hooksPath set).`);
+  p.log.info(`Enforcing: ${on.join(", ") || "nothing"}. Commit .githooks/ so your team inherits it.`);
+  if (isOnPath("gh")) {
+    p.log.info("GitHub CLI (gh) detected: these hooks also run for commits made via gh, since gh uses git underneath.");
+  }
+  return true;
+}
+async function maybeOfferGitHooks(interactive, opts) {
+  if (!interactive || opts.security) return;
+  const root = findGitRoot(process.cwd());
+  if (!root) return;
+  if (currentHooksPath(root) === ".githooks") return;
+  const ok = await p.confirm({ message: "Set up git security hooks here too (block secrets, .env, node_modules)?" });
+  if (!p.isCancel(ok) && ok) await setupGitHooks({ ...opts, protections: void 0 }, interactive);
+}
 
 // src/skills.ts
+init_claude();
+init_permissions();
 var __dirname2 = dirname2(fileURLToPath2(import.meta.url));
 var PKG_ROOT = resolve2(__dirname2, "..");
 var ASSETS = join6(PKG_ROOT, "assets");
@@ -1061,159 +1334,8 @@ if (isGuardEntry && fileURLToPath3(import.meta.url) === guardEntry) {
 }
 
 // src/settings.ts
-import * as p4 from "@clack/prompts";
-
-// src/config.ts
-import { homedir as homedir4 } from "os";
-import { join as join8 } from "path";
-import { existsSync as existsSync6, mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
-var CONFIG_FILE = ".enigma.json";
-var CONFIG_DEFAULTS = { commitEmoji: true, updateNotifier: true };
-function configPath(scope) {
-  return scope === "global" ? join8(homedir4(), CONFIG_FILE) : join8(process.cwd(), CONFIG_FILE);
-}
-function readConfig() {
-  const sources = [];
-  let config = { ...CONFIG_DEFAULTS };
-  for (const scope of ["global", "local"]) {
-    const path = configPath(scope);
-    const raw = existsSync6(path) ? readJson(path) : null;
-    if (raw) {
-      config = { ...config, ...raw };
-      sources.push(path);
-    }
-  }
-  return { config, sources };
-}
-function setEnigmaToggle(key, value, scope) {
-  const path = configPath(scope);
-  const current = readJson(path) || {};
-  const next = { ...current, [key]: value };
-  const dir = join8(path, "..");
-  if (!isDir(dir)) mkdirSync5(dir, { recursive: true });
-  writeFileSync5(path, JSON.stringify(next, null, 2) + "\n");
-  return path;
-}
-
-// src/settings.ts
-function enigmaToggle(key, field, label, hint) {
-  return {
-    key,
-    label,
-    hint,
-    read: () => readConfig().config[field],
-    write: (value, scope) => ({ path: setEnigmaToggle(field, value, scope), changed: true })
-  };
-}
-var CATEGORIES = [
-  {
-    title: "General",
-    blurb: "enigma runtime toggles (.enigma.json)",
-    settings: [
-      enigmaToggle("commit-emoji", "commitEmoji", "Commit subject emoji", "leading gitmoji on commit subjects"),
-      enigmaToggle("update-notifier", "updateNotifier", "Update notifications", "notify when a newer enigma-cli is published")
-    ]
-  },
-  {
-    title: "Git & attribution",
-    blurb: "how the coding agent attributes its work in git",
-    settings: [
-      {
-        key: "claude-attribution",
-        label: "Claude commit attribution",
-        hint: "let Claude Code commit as its own contributor (Co-Authored-By / PR footer); enigma default: off",
-        read: (scope) => getClaudeAttribution(scope),
-        write: (value, scope) => ({ changed: setClaudeAttribution(scope, value) })
-      }
-    ]
-  },
-  {
-    title: "Permissions",
-    blurb: "approval-prompt bypass per agent (security trade-off)",
-    settings: BYPASS_SUPPORTED.map((name) => ({
-      key: `bypass-${name}`,
-      label: `${AGENTS[name]?.label || name} approval bypass`,
-      hint: name === "codex" ? "skip approval prompts (global ~/.codex only)" : "skip per-action approval prompts",
-      globalOnly: name === "codex",
-      read: (scope) => getBypass(name, scope),
-      write: (value, scope) => setBypass(name, scope, value, false) || { changed: false }
-    }))
-  }
-];
-var ALL_SETTINGS = CATEGORIES.flatMap((c) => c.settings);
-function valueLabel(on) {
-  return on ? "on" : "off";
-}
-function parseBool(value) {
-  const v = value.toLowerCase();
-  if (["on", "true", "yes", "1", "enable", "enabled"].includes(v)) return true;
-  if (["off", "false", "no", "0", "disable", "disabled"].includes(v)) return false;
-  return null;
-}
-async function runSettingsMenu() {
-  for (; ; ) {
-    const choice = await p4.select({
-      message: "Settings - choose a category",
-      options: [
-        ...CATEGORIES.map((c) => ({ value: c.title, label: c.title, hint: c.blurb })),
-        { value: "__back", label: "< Back" }
-      ]
-    });
-    if (p4.isCancel(choice) || choice === "__back") return;
-    await runCategory(CATEGORIES.find((c) => c.title === choice));
-  }
-}
-async function runCategory(category) {
-  for (; ; ) {
-    const choice = await p4.select({
-      message: `${category.title} - ${category.blurb}`,
-      options: [
-        ...category.settings.map((s) => ({
-          value: s.key,
-          label: `${s.label}: ${valueLabel(s.read("global"))}`,
-          hint: s.hint
-        })),
-        { value: "__back", label: "< Back" }
-      ]
-    });
-    if (p4.isCancel(choice) || choice === "__back") return;
-    await editSetting(category.settings.find((s) => s.key === choice));
-  }
-}
-async function editSetting(setting) {
-  let scope = "global";
-  if (!setting.globalOnly) {
-    const picked2 = await p4.select({
-      message: `Apply "${setting.label}" to which scope?`,
-      options: [
-        { value: "global", label: "Global", hint: "all projects (~)" },
-        { value: "local", label: "This project", hint: "current directory" }
-      ],
-      initialValue: "global"
-    });
-    if (p4.isCancel(picked2)) return;
-    scope = picked2;
-  }
-  const current = setting.read(scope);
-  const picked = await p4.select({
-    message: `${setting.label} (${scope})`,
-    options: [{ value: "on", label: "On" }, { value: "off", label: "Off" }],
-    initialValue: current ? "on" : "off"
-  });
-  if (p4.isCancel(picked)) return;
-  const value = picked === "on";
-  if (value === current) {
-    p4.log.info(`${setting.label}: unchanged (${valueLabel(current)}).`);
-    return;
-  }
-  const result = setting.write(value, scope);
-  if (result.changed) {
-    const where = result.path ? ` -> ${result.path}` : "";
-    p4.log.success(`${setting.label}: ${valueLabel(value)} (${scope})${where}.`);
-  } else {
-    p4.log.info(`${setting.label}: already ${valueLabel(value)} (${scope}).`);
-  }
-}
+init_config();
+init_settings_registry();
 function printEffective() {
   console.log("Effective enigma settings:\n");
   for (const category of CATEGORIES) {
@@ -1229,9 +1351,8 @@ async function runConfigCli(positionals, scope, interactive) {
   const [rawKey, rawValue] = positionals;
   if (!rawKey) {
     if (interactive) {
-      p4.intro("enigma config");
-      await runSettingsMenu();
-      p4.outro("Done.");
+      const { runSettingsTui: runSettingsTui2 } = await Promise.resolve().then(() => (init_settings(), settings_exports));
+      await runSettingsTui2();
     } else {
       printEffective();
     }
@@ -1259,11 +1380,13 @@ async function runConfigCli(positionals, scope, interactive) {
 }
 
 // src/update.ts
+init_util();
+init_config();
 import { homedir as homedir5 } from "os";
 import { join as join9 } from "path";
 import { writeFileSync as writeFileSync6 } from "fs";
 import { spawn, spawnSync } from "child_process";
-import * as p5 from "@clack/prompts";
+import * as p4 from "@clack/prompts";
 var REGISTRY_URL = "https://registry.npmjs.org/enigma-cli/latest";
 var UPDATE_COMMAND = "npm i -g enigma-cli@latest";
 var CACHE_FILE = join9(homedir5(), ".enigma-update-check.json");
@@ -1348,8 +1471,8 @@ async function notifyUpdate(current, interactive) {
 ${renderUpdateBox(current, latest)}
 `);
     if (!interactive) return;
-    const ok = await p5.confirm({ message: `Update now with ${UPDATE_COMMAND}?`, initialValue: true });
-    if (p5.isCancel(ok) || !ok) return;
+    const ok = await p4.confirm({ message: `Update now with ${UPDATE_COMMAND}?`, initialValue: true });
+    if (p4.isCancel(ok) || !ok) return;
     runUpdate();
   } catch {
   }
@@ -1530,16 +1653,16 @@ async function run(argv) {
     process.exit(await runConfigCli(opts.positionals, opts.scope, interactive));
   }
   if (opts.command === "install") {
-    p6.intro("enigma - install agent skills");
+    p5.intro("enigma - install agent skills");
     await installSkills(opts, interactive);
-    p6.outro("Done.");
+    p5.outro("Done.");
     await notifyUpdate(version, interactive);
     return;
   }
   if (opts.command === "security") {
-    p6.intro("enigma - git security hooks");
+    p5.intro("enigma - git security hooks");
     const done = await setupGitHooks(opts, interactive);
-    p6.outro(done ? "Git hooks configured." : "No changes made.");
+    p5.outro(done ? "Git hooks configured." : "No changes made.");
     await notifyUpdate(version, interactive);
     return;
   }
@@ -1548,9 +1671,9 @@ async function run(argv) {
     await notifyUpdate(version, interactive);
     return;
   }
-  p6.intro("enigma");
+  p5.intro("enigma");
   for (; ; ) {
-    const action = await p6.select({
+    const action = await p5.select({
       message: "What would you like to do?",
       options: [
         { value: "config", label: "Configure settings", hint: "emoji, attribution, permission bypass, ..." },
@@ -1559,12 +1682,14 @@ async function run(argv) {
         { value: "exit", label: "Exit" }
       ]
     });
-    if (p6.isCancel(action) || action === "exit") break;
-    if (action === "config") await runSettingsMenu();
-    else if (action === "skills") await installSkills(opts, interactive);
+    if (p5.isCancel(action) || action === "exit") break;
+    if (action === "config") {
+      const { runSettingsTui: runSettingsTui2 } = await Promise.resolve().then(() => (init_settings(), settings_exports));
+      await runSettingsTui2();
+    } else if (action === "skills") await installSkills(opts, interactive);
     else if (action === "security") await setupGitHooks(opts, interactive);
   }
-  p6.outro("Done.");
+  p5.outro("Done.");
   await notifyUpdate(version, interactive);
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "enigma-cli",
-  "version": "1.1.2",
+  "version": "1.1.3",
   "description": "Everything you need to work with a coding agent: install shared policy skills for Claude Code, OpenAI Codex and opencode, and set up portable git security hooks.",
   "type": "module",
   "bin": {
@@ -9,7 +9,8 @@
   "scripts": {
     "enigma": "tsx src/bin/enigma.ts",
     "build": "tsup",
-    "dev": "tsup --watch",
+    "dev": "node scripts/dev.mjs",
+    "dev:watch": "tsup --watch",
     "typecheck": "tsc --noEmit",
     "seal": "tsx src/bin/enigma.ts seal",
     "check": "tsx src/bin/enigma.ts check",
@@ -27,10 +28,13 @@
     "node": ">=18"
   },
   "dependencies": {
-    "@clack/prompts": "^0.7.0"
+    "@clack/prompts": "^0.7.0",
+    "ink": "^5.2.1",
+    "react": "^18.3.1"
   },
   "devDependencies": {
     "@types/node": "^22.0.0",
+    "@types/react": "^18.3.29",
     "tsup": "^8.0.0",
     "tsx": "^4.0.0",
     "typescript": "^5.0.0"