enigma-cli 1.3.0 → 1.4.0

package/assets/skills/backend-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Backend/API architecture: controller-service-repository layering, API and request optimization, server-side caching (Redis), and Zod boundary validation.",
-  "cliVersion": "1.3.0",
+  "cliVersion": "1.4.0",
   "sha": "c442bc9e39a7710cb709ef2abb8d15ecd8aa16ed4f5c8af92b7af6877401cba4"
 }

package/assets/skills/ciphera-style-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.1.1",
   "provider": "FJRG2007/enigma",
   "description": "Ciphera code style conventions (formatting, naming, imports, comments, code-level anti-patterns; TypeScript-first, language-agnostic).",
-  "cliVersion": "1.3.0",
+  "cliVersion": "1.4.0",
   "sha": "74f638aec13e8c93257fe1ad604c28b07e9a7c456796a4ceefcc99217d9e7039"
 }

package/assets/skills/code-review-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Pre-delivery self-review gate, prioritized review dimensions, and change-quality criteria.",
-  "cliVersion": "1.3.0",
+  "cliVersion": "1.4.0",
   "sha": "3d3bbe0602d5bbb4afe37648fe3c2fa39376b1bcbac5d8c441f01fad1e866ed0"
 }

package/assets/skills/core-engineering-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.4.0",
   "provider": "FJRG2007/enigma",
   "description": "Core engineering execution policy and harness orchestration (highest-authority rules).",
-  "cliVersion": "1.3.0",
+  "cliVersion": "1.4.0",
   "sha": "c9c69c59516794311cb7b306ed4d4ad971824de3689a39c2b86c7669c73f2e8b"
 }

package/assets/skills/database-expert/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Senior database architecture policy: query optimization, anti-duplication/normalization, scalability, and RGPD/GDPR encryption.",
-  "cliVersion": "1.3.0",
+  "cliVersion": "1.4.0",
   "sha": "c4617ee8d1a57d9621c81bef3093e94de91f79eec0cc0ead41f6d18dd443e623"
 }

package/assets/skills/debugging-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Reproduce-isolate-fix debugging methodology with root-cause discipline and regression verification.",
-  "cliVersion": "1.3.0",
+  "cliVersion": "1.4.0",
   "sha": "14b0064c8b33a0dc85e51464b05005cf5801c756b1101789a6924b9548420f6b"
 }

package/assets/skills/dependency-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Dependency and supply-chain security: lockfiles and reproducible installs, version pinning, vulnerability auditing, vetting/minimizing packages, vendoring, and SBOM/provenance.",
-  "cliVersion": "1.3.0",
+  "cliVersion": "1.4.0",
   "sha": "6375d835c2aef2c9bd31ce116444dc3d796f510f9970a213aa3ac4696d7e21b9"
 }

package/assets/skills/frontend-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.1.0",
   "provider": "FJRG2007/enigma",
   "description": "Frontend architecture: reusable components, abstraction thresholds, state management, and optimistic UI with rollback.",
-  "cliVersion": "1.3.0",
+  "cliVersion": "1.4.0",
   "sha": "33fa1e9f667ef26203a3d6c892121efe12b0cddb706c195492fa97e080fba115"
 }

package/assets/skills/git-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.2.0",
   "provider": "FJRG2007/enigma",
   "description": "Git & contribution policy (senior engineering standards).",
-  "cliVersion": "1.3.0",
+  "cliVersion": "1.4.0",
   "sha": "ada4b7eb5bb7e013429e23703c271c0f34b0d76327c059efa148ea2794f96178"
 }

package/assets/skills/security-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Application and AI-agent security: secrets, authn/authz (least privilege), OWASP Top 10, transport/crypto baseline, secure logging, and agent/MCP/tool-use safety.",
-  "cliVersion": "1.3.0",
+  "cliVersion": "1.4.0",
   "sha": "9971e9d9127397d0152e89d24aad3191e2935e55a8483db7fd15f5d4d7a60e7a"
 }

package/assets/skills/testing-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Test strategy, coverage gates, deterministic tests, mocking discipline, and regression-first bug fixing.",
-  "cliVersion": "1.3.0",
+  "cliVersion": "1.4.0",
   "sha": "d19fa8ec7985ed231478be504d3c80360897f555d0bc0624bea19c091f459fb0"
 }

package/assets/skills/validation-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Strict frontend + backend schema validation, schema consistency, and safe client-facing error handling.",
-  "cliVersion": "1.3.0",
+  "cliVersion": "1.4.0",
   "sha": "a33622a2f810ee4cea39824cb1a7ca34b355a917d4224025df50d77dd74f0b3a"
 }

package/bin/checksums.json

@@ -0,0 +1,6 @@
+{
+  "enigma-darwin-arm64": "e1fa090b07a2cda913537376924b782768ae815d68564fa728153642b2ff139f",
+  "enigma-linux-arm64": "cb3223bd52e9c0ded2799f84de6f0f5ea470d33ec66f3ca7d11130396bd5f7c1",
+  "enigma-linux-x64": "4f27225470f9bf741c1a58731fb423fa42ecac607867a06f29bcdfb15004760a",
+  "enigma-win32-x64.exe": "cd877742df52d74d7a43580dbbc611b000691351fc29123375dae08abc87789f"
+}

package/bin/download.mjs

@@ -0,0 +1,98 @@
+/**
+ * Download and install the host's Bun-compiled enigma binary from its GitHub
+ * Release, the way `npm i -g enigma-cli` obtains the native OpenTUI executable
+ * without shipping a per-platform npm package.
+ *
+ * Integrity: the binary is verified against the SHA256 recorded in bin/checksums.json,
+ * which is published INSIDE the npm tarball (covered by npm provenance), so the trust
+ * chain is tarball -> checksums.json -> downloaded binary. Downloads must be HTTPS and
+ * a checksum entry is mandatory - it fails closed if either is missing.
+ *
+ * Used by bin/postinstall.mjs (at install) and bin/enigma.mjs (lazy, first run when
+ * install scripts were skipped). Node builtins only.
+ */
+
+import { createHash } from "node:crypto";
+import { chmodSync, existsSync, mkdirSync, renameSync, unlinkSync, writeFileSync } from "node:fs";
+import { dirname } from "node:path";
+import {
+    ARCH,
+    PLATFORM,
+    assetName,
+    binTargetPath,
+    isWindows,
+    loadChecksums,
+    packageVersion,
+    platformKeys,
+} from "./platform.mjs";
+
+const DEFAULT_BASE = "https://github.com/FJRG2007/enigma/releases/download";
+const DOWNLOAD_TIMEOUT_MS = 120_000;
+
+/** Pick the first platform key with a published checksum. */
+function selectAsset() {
+    const checksums = loadChecksums();
+    for (const key of platformKeys()) {
+        const asset = assetName(key);
+        if (checksums[asset]) return { asset, sha256: checksums[asset] };
+    }
+    return null;
+}
+
+/** Resolve the release-asset URL, allowing an env override for mirrors/tests. */
+function assetUrl(asset) {
+    const base = (process.env.ENIGMA_DOWNLOAD_BASE || `${DEFAULT_BASE}/v${packageVersion()}`).replace(/\/+$/, "");
+    const url = `${base}/${asset}`;
+    if (!url.startsWith("https://")) throw new Error(`Refusing non-HTTPS download URL: ${url}`);
+    return url;
+}
+
+/** Returns the installed binary path if already present, else null. */
+export function installedBinary() {
+    const target = binTargetPath();
+    return existsSync(target) ? target : null;
+}
+
+/**
+ * Download, verify and atomically install the binary. Returns its path.
+ * Throws on any failure (no checksum, network error, hash mismatch).
+ */
+export async function downloadBinary({ log = () => {} } = {}) {
+    const choice = selectAsset();
+    if (!choice) {
+        const tried = platformKeys().map(assetName).join(", ") || `${PLATFORM}-${ARCH}`;
+        throw new Error(`No prebuilt enigma binary is available for this platform (looked for: ${tried}).`);
+    }
+
+    const url = assetUrl(choice.asset);
+    log(`Downloading ${choice.asset}...`);
+
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), DOWNLOAD_TIMEOUT_MS);
+    let buffer;
+    try {
+        const response = await fetch(url, { redirect: "follow", signal: controller.signal });
+        if (!response.ok) throw new Error(`HTTP ${response.status} fetching ${url}`);
+        buffer = Buffer.from(await response.arrayBuffer());
+    } finally {
+        clearTimeout(timer);
+    }
+
+    const actual = createHash("sha256").update(buffer).digest("hex");
+    if (actual !== choice.sha256) {
+        throw new Error(`Checksum mismatch for ${choice.asset}: expected ${choice.sha256}, got ${actual}.`);
+    }
+
+    const target = binTargetPath();
+    mkdirSync(dirname(target), { recursive: true });
+    const tmp = `${target}.download-${process.pid}`;
+    writeFileSync(tmp, buffer);
+    if (!isWindows) chmodSync(tmp, 0o755);
+    // rename is atomic on POSIX; on Windows it fails over an existing file, so drop it first.
+    if (existsSync(target)) {
+        try { unlinkSync(target); } catch { /* in use; rename will surface the error */ }
+    }
+    renameSync(tmp, target);
+    log(`Installed ${choice.asset} -> ${target}`);
+    return target;
+}

package/bin/enigma.mjs

@@ -0,0 +1,67 @@
+#!/usr/bin/env node
+/**
+ * enigma launcher. This is the ONLY thing that runs under the user's Node: it locates
+ * the Bun-compiled binary for this platform and execs it. The binary embeds the Bun
+ * runtime plus the OpenTUI native core, so the rich TUI (with mouse) works on any npm
+ * install without the user having Bun.
+ *
+ * Distribution (opencode-style mechanism, single npm package): the binary is NOT an
+ * npm dependency. It is downloaded from the matching GitHub Release by the postinstall
+ * hook, or lazily here on first run if install scripts were skipped, and verified
+ * against bin/checksums.json (shipped in the tarball, covered by npm provenance).
+ *
+ * The app's assets (skills/memory) and the commit guard ship as REAL files in this
+ * package, not inside the binary. The binary reads them from disk via the env vars set
+ * here, since its own __dirname lives in Bun's virtual filesystem.
+ */
+
+import { spawn } from "node:child_process";
+import { existsSync } from "node:fs";
+import { join } from "node:path";
+import os from "node:os";
+import { ARCH, PLATFORM, packageVersion, pkgRoot } from "./platform.mjs";
+import { downloadBinary, installedBinary } from "./download.mjs";
+
+/** Resolve the binary, downloading it on first run if the postinstall was skipped. */
+async function resolveBinary() {
+    if (process.env.ENIGMA_BIN_PATH && existsSync(process.env.ENIGMA_BIN_PATH)) return process.env.ENIGMA_BIN_PATH;
+    const existing = installedBinary();
+    if (existing) return existing;
+    // Lazy path (e.g. `npm i --ignore-scripts`): fetch + verify before first use.
+    return downloadBinary({ log: (message) => process.stderr.write(`enigma: ${message}\n`) });
+}
+
+let binary;
+try {
+    binary = await resolveBinary();
+} catch (error) {
+    const platform = PLATFORM && ARCH ? `${PLATFORM}-${ARCH}` : `${os.platform()}-${os.arch()}`;
+    process.stderr.write(
+        `Could not obtain the enigma binary for ${platform}: ${error.message}\n` +
+        `Check your network/proxy, or set ENIGMA_BIN_PATH to a compatible binary.\n`,
+    );
+    process.exit(1);
+}
+
+// Tell the binary where the on-disk assets, guard, and version live (its own
+// __dirname points into Bun's virtual fs and cannot see these).
+const env = { ...process.env };
+env.ENIGMA_ASSETS_DIR ??= join(pkgRoot, "assets");
+env.ENIGMA_GUARD_PATH ??= join(pkgRoot, "dist", "guard.js");
+try {
+    env.ENIGMA_VERSION ??= packageVersion();
+} catch { /* version is best-effort */ }
+
+const child = spawn(binary, process.argv.slice(2), { stdio: "inherit", env });
+
+for (const signal of ["SIGINT", "SIGTERM", "SIGHUP"]) {
+    process.on(signal, () => { try { child.kill(signal); } catch { /* already gone */ } });
+}
+child.on("error", (err) => {
+    process.stderr.write(`Failed to launch enigma binary: ${err.message}\n`);
+    process.exit(1);
+});
+child.on("exit", (code, signal) => {
+    if (signal) { try { process.kill(process.pid, signal); } catch { /* fall through */ } }
+    process.exit(code ?? 1);
+});

package/bin/platform.mjs

@@ -0,0 +1,78 @@
+/**
+ * Shared platform identity for the single-package distribution model.
+ *
+ * enigma ships as ONE npm package (`enigma-cli`). The Bun-compiled binary for the
+ * host is NOT an npm dependency; it is downloaded from the matching GitHub Release
+ * (see bin/download.mjs) and verified against bin/checksums.json, which travels
+ * inside the npm tarball and is therefore covered by npm provenance.
+ *
+ * The launcher, the postinstall hook and the downloader all import this module so
+ * they agree on the platform key, the release asset name and the on-disk binary
+ * path. Node builtins only - no dependencies (it runs during install).
+ */
+
+import { existsSync, readFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+import os from "node:os";
+
+// npm/Node "os" identifiers (win32, not "windows"); kept stable across the toolchain.
+const PLATFORMS = { win32: "win32", darwin: "darwin", linux: "linux" };
+const ARCHES = { x64: "x64", arm64: "arm64" };
+
+export const PLATFORM = PLATFORMS[os.platform()];
+export const ARCH = ARCHES[os.arch()];
+export const isWindows = PLATFORM === "win32";
+
+/** This package's root (the directory holding package.json), i.e. <pkg>/bin/.. */
+export const pkgRoot = dirname(dirname(fileURLToPath(import.meta.url)));
+
+/** Detect musl libc (Alpine) so Linux can prefer a musl build when one exists. */
+function isMusl() {
+    if (PLATFORM !== "linux") return false;
+    try {
+        // glibc runtimes expose glibcVersionRuntime in the process report; musl does not.
+        const header = process.report?.getReport()?.header;
+        return header ? !header.glibcVersionRuntime : false;
+    } catch {
+        return false;
+    }
+}
+
+/**
+ * Ordered platform keys to try for this host, most specific first. The downloader
+ * uses the first key that has a checksum entry, so a musl host falls back to the
+ * glibc build when no musl asset is published.
+ */
+export function platformKeys() {
+    if (!PLATFORM || !ARCH) return [];
+    const base = `${PLATFORM}-${ARCH}`;
+    if (PLATFORM === "linux" && isMusl()) return [`${base}-musl`, base];
+    return [base];
+}
+
+/** Release asset name for a platform key, e.g. "enigma-win32-x64.exe". */
+export function assetName(key) {
+    return `enigma-${key}${isWindows ? ".exe" : ""}`;
+}
+
+/** On-disk path of the installed binary inside this package's bin/ directory. */
+export function binTargetPath() {
+    return join(pkgRoot, "bin", isWindows ? "enigma-bin.exe" : "enigma-bin");
+}
+
+/** This package's declared version (release tag is `v<version>`). */
+export function packageVersion() {
+    return JSON.parse(readFileSync(join(pkgRoot, "package.json"), "utf8")).version;
+}
+
+/** Parsed bin/checksums.json (asset name -> sha256 hex), or {} if absent. */
+export function loadChecksums() {
+    const path = join(pkgRoot, "bin", "checksums.json");
+    if (!existsSync(path)) return {};
+    try {
+        return JSON.parse(readFileSync(path, "utf8"));
+    } catch {
+        return {};
+    }
+}

package/bin/postinstall.mjs

@@ -0,0 +1,31 @@
+/**
+ * Install-time hook: fetch the host's enigma binary from its GitHub Release.
+ *
+ * This is best-effort and NEVER fails the install. If the download fails (offline,
+ * proxy, unsupported platform) or scripts are skipped entirely (`npm i
+ * --ignore-scripts`), the launcher (bin/enigma.mjs) downloads on first run instead.
+ * That keeps `npm install` robust while still verifying the binary before use.
+ */
+
+import { loadChecksums } from "./platform.mjs";
+import { downloadBinary, installedBinary } from "./download.mjs";
+
+async function main() {
+    // An explicit binary (dev/CI) or one already installed: nothing to do.
+    if (process.env.ENIGMA_BIN_PATH || installedBinary()) return;
+    // No checksums.json means this is a source checkout / workspace install, not a
+    // published tarball - there is no release to fetch from, so stay silent.
+    if (Object.keys(loadChecksums()).length === 0) return;
+
+    try {
+        await downloadBinary({ log: (message) => process.stdout.write(`enigma: ${message}\n`) });
+    } catch (error) {
+        process.stdout.write(
+            `enigma: could not download the binary now (${error.message}). ` +
+            `It will be fetched automatically the first time you run \`enigma\`.\n`,
+        );
+        // Intentionally exit 0: a failed postinstall must not break `npm install`.
+    }
+}
+
+await main();

package/package.json

@@ -1,25 +1,28 @@
 {
   "name": "enigma-cli",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "Everything you need to work with a coding agent: install shared policy skills for Claude Code, OpenAI Codex and opencode, and set up portable git security hooks.",
   "type": "module",
   "bin": {
-    "enigma": "dist/enigma.js"
+    "enigma": "bin/enigma.mjs"
   },
   "scripts": {
     "enigma": "tsx src/bin/enigma.ts",
     "build": "tsup",
+    "build:binaries": "bun scripts/build-binaries.ts",
     "dev": "node scripts/dev.mjs",
-    "dev:bun": "node scripts/dev.mjs --bun",
+    "dev:node": "node scripts/dev.mjs --node",
     "dev:watch": "tsup --watch",
     "typecheck": "tsc --noEmit",
     "seal": "tsx src/bin/enigma.ts seal",
     "check": "tsx src/bin/enigma.ts check",
     "guard": "tsx src/guard.ts --all",
     "verify": "npm run typecheck && npm run check && npm run guard",
-    "prepublishOnly": "npm run verify && npm run build"
+    "prepublishOnly": "npm run verify && npm run build",
+    "postinstall": "node bin/postinstall.mjs"
   },
   "files": [
+    "bin",
     "dist",
     "assets",
     "README.md",
@@ -28,18 +31,13 @@
   "engines": {
     "node": ">=18"
   },
-  "dependencies": {
+  "devDependencies": {
     "@clack/prompts": "^0.7.0",
-    "ink": "^7.0.5",
-    "react": "^19.2.0"
-  },
-  "optionalDependencies": {
     "@opentui/core": "^0.3.1",
-    "@opentui/react": "^0.3.1"
-  },
-  "devDependencies": {
+    "@opentui/react": "^0.3.1",
     "@types/node": "^22.0.0",
     "@types/react": "^19.2.0",
+    "react": "^19.2.0",
     "tsup": "^8.0.0",
     "tsx": "^4.0.0",
     "typescript": "^5.0.0"