enigma-cli 1.6.9 → 1.7.0

package/README.md

@@ -8,12 +8,24 @@ committed.
 
 ## Install
 
+One command, no global install, no prompts - deploy the skills to every supported
+agent at user level:
+
+```bash
+npx enigma-cli@latest install --all --yes
+```
+
+Or install the command and pick interactively:
+
 ```bash
 npm install -g enigma-cli      # provides the `enigma` command
-enigma                         # interactive: pick what to set up
+enigma                         # interactive hub: pick what to set up
 ```
 
-Or run once without installing: `npx enigma-cli`.
+That first install is the only one you ever need to run by hand: afterwards,
+launching a tool through enigma (e.g. `enigma claude`) auto-syncs the deployed
+skills and memory with the installed package version (see
+[Auto-sync](#auto-sync-on-launch)).
 
 ## Commands
 
@@ -23,7 +35,8 @@ enigma install         Install/update agent skills
 enigma security        Set up git security hooks in the current repo
 enigma guard [--all]   Run the commit guard (staged files, or all tracked)
 enigma config [k v]    Show or set runtime toggles (e.g. config commit-emoji off)
-enigma claude [acct]   Launch Claude Code using an account (active if omitted)
+enigma claude [acct]   Launch Claude Code using an account (active if omitted);
+                       auto-syncs deployed skills first
 enigma account ...     Manage Claude Code accounts (list/add/use/login/remove)
 enigma seal            Maintenance: (re)compute skill content hashes
 enigma check           Integrity gate: verify skills are well-formed and sealed
@@ -45,6 +58,29 @@ preselects them; `--all` targets every supported agent.
 
 (`--local` installs into the current project instead.)
 
+## Auto-sync on launch
+
+After the first `enigma install`, you never need to run it again: whenever you
+launch a tool through enigma (`enigma claude`, `enigma account run work`), enigma
+first compares the deployed skills/memory against the installed package version
+and silently refreshes anything that changed (new skills, updated versions,
+removed skills, memory-file edits). On by default; opt out with:
+
+```bash
+enigma config auto-sync off
+```
+
+Auto-sync is deliberately conservative:
+
+- It only touches agents/scopes that **already have** a deployment - it never
+  performs a first install (that stays your explicit `enigma install`).
+- Skills you modified locally are **never overwritten** (same rule as
+  `--keep-modified`).
+- The memory file (`CLAUDE.md` / `AGENTS.md`) is only rewritten when it is
+  byte-identical to what enigma last wrote (tracked in `~/.enigma/state.json`) -
+  a file you authored or edited is never touched.
+- A sync failure never blocks the launch; the tool starts anyway.
+
 ## Git security hooks
 
 `enigma security` drops a portable, dependency-free commit guard into any repo:
@@ -110,6 +146,21 @@ The mechanism is tool-agnostic by design: only Claude Code is wired up today, bu
 the same per-account-config-dir approach extends to other agents (e.g. Codex via
 `CODEX_HOME`). Target another tool with `--tool <name>` on `account` commands.
 
+## GitHub CLI telemetry (default off)
+
+If the GitHub CLI (`gh`) is installed, `enigma install` disables its usage
+telemetry (`gh config set telemetry disabled`). This is pure privacy upside -
+telemetry is usage analytics only (command, flags, OS/version, device ids) and
+no gh feature depends on it - and it also avoids a known Windows bug where the
+detached `gh send-telemetry` subprocess spawns `tzutil.exe` without hiding its
+window, flashing a terminal on gh invocations
+([cli/cli#13354](https://github.com/cli/cli/issues/13354)). Re-enable any time:
+
+```bash
+enigma config gh-telemetry on     # restore gh's default
+enigma config gh-telemetry off    # disable again
+```
+
 ## Commit emojis
 
 By default the policy skills make commit subjects carry a leading type emoji

package/assets/skills/backend-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Backend/API architecture: controller-service-repository layering, API and request optimization, server-side caching (Redis), and Zod boundary validation.",
-  "cliVersion": "1.6.9",
+  "cliVersion": "1.7.0",
   "sha": "c442bc9e39a7710cb709ef2abb8d15ecd8aa16ed4f5c8af92b7af6877401cba4"
 }

package/assets/skills/ciphera-style-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.1.1",
   "provider": "FJRG2007/enigma",
   "description": "Ciphera code style conventions (formatting, naming, imports, comments, code-level anti-patterns; TypeScript-first, language-agnostic).",
-  "cliVersion": "1.6.9",
+  "cliVersion": "1.7.0",
   "sha": "74f638aec13e8c93257fe1ad604c28b07e9a7c456796a4ceefcc99217d9e7039"
 }

package/assets/skills/code-review-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Pre-delivery self-review gate, prioritized review dimensions, and change-quality criteria.",
-  "cliVersion": "1.6.9",
+  "cliVersion": "1.7.0",
   "sha": "3d3bbe0602d5bbb4afe37648fe3c2fa39376b1bcbac5d8c441f01fad1e866ed0"
 }

package/assets/skills/core-engineering-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.4.0",
   "provider": "FJRG2007/enigma",
   "description": "Core engineering execution policy and harness orchestration (highest-authority rules).",
-  "cliVersion": "1.6.9",
+  "cliVersion": "1.7.0",
   "sha": "c9c69c59516794311cb7b306ed4d4ad971824de3689a39c2b86c7669c73f2e8b"
 }

package/assets/skills/database-expert/skill.json

@@ -3,6 +3,6 @@
   "version": "1.1.0",
   "provider": "FJRG2007/enigma",
   "description": "Senior database architecture policy: query optimization, anti-duplication/normalization, scalability, and RGPD/GDPR encryption.",
-  "cliVersion": "1.6.9",
+  "cliVersion": "1.7.0",
   "sha": "2883bcecb3202683ae6f81b073c3d6a9cec9c55029e011bdd06ba7ac3537297e"
 }

package/assets/skills/debugging-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Reproduce-isolate-fix debugging methodology with root-cause discipline and regression verification.",
-  "cliVersion": "1.6.9",
+  "cliVersion": "1.7.0",
   "sha": "14b0064c8b33a0dc85e51464b05005cf5801c756b1101789a6924b9548420f6b"
 }

package/assets/skills/dependency-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Dependency and supply-chain security: lockfiles and reproducible installs, version pinning, vulnerability auditing, vetting/minimizing packages, vendoring, and SBOM/provenance.",
-  "cliVersion": "1.6.9",
+  "cliVersion": "1.7.0",
   "sha": "6375d835c2aef2c9bd31ce116444dc3d796f510f9970a213aa3ac4696d7e21b9"
 }

package/assets/skills/frontend-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.1.0",
   "provider": "FJRG2007/enigma",
   "description": "Frontend architecture: reusable components, abstraction thresholds, state management, and optimistic UI with rollback.",
-  "cliVersion": "1.6.9",
+  "cliVersion": "1.7.0",
   "sha": "33fa1e9f667ef26203a3d6c892121efe12b0cddb706c195492fa97e080fba115"
 }

package/assets/skills/git-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.2.0",
   "provider": "FJRG2007/enigma",
   "description": "Git & contribution policy (senior engineering standards).",
-  "cliVersion": "1.6.9",
+  "cliVersion": "1.7.0",
   "sha": "ada4b7eb5bb7e013429e23703c271c0f34b0d76327c059efa148ea2794f96178"
 }

package/assets/skills/security-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Application and AI-agent security: secrets, authn/authz (least privilege), OWASP Top 10, transport/crypto baseline, secure logging, and agent/MCP/tool-use safety.",
-  "cliVersion": "1.6.9",
+  "cliVersion": "1.7.0",
   "sha": "9971e9d9127397d0152e89d24aad3191e2935e55a8483db7fd15f5d4d7a60e7a"
 }

package/assets/skills/testing-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Test strategy, coverage gates, deterministic tests, mocking discipline, and regression-first bug fixing.",
-  "cliVersion": "1.6.9",
+  "cliVersion": "1.7.0",
   "sha": "d19fa8ec7985ed231478be504d3c80360897f555d0bc0624bea19c091f459fb0"
 }

package/assets/skills/validation-policy/skill.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "provider": "FJRG2007/enigma",
   "description": "Strict frontend + backend schema validation, schema consistency, and safe client-facing error handling.",
-  "cliVersion": "1.6.9",
+  "cliVersion": "1.7.0",
   "sha": "a33622a2f810ee4cea39824cb1a7ca34b355a917d4224025df50d77dd74f0b3a"
 }

package/bin/checksums.json

@@ -1,6 +1,6 @@
 {
-  "enigma-darwin-arm64": "57310bf3dab21a5c2ba6c82e49d26d946373aa921a987c6e5fb9fbbf5ee4550f",
-  "enigma-linux-arm64": "88caa899230e94cac5d64d6aaab2c152bf45a730ed658a1121c98e187606fb0d",
-  "enigma-linux-x64": "0712bb2983ebb63d7b3bdbef94eb123af6531683f70e58e443a51ef6a2a0c010",
-  "enigma-win32-x64.exe": "003dbd8071d188931c83f7abe81f05ebab575a70b1844d1d36462a7ffce7f840"
+  "enigma-darwin-arm64": "772de23d6f9a752cdc138d8fdc009ab9d49397e489e91b18d8c655e840c5d40c",
+  "enigma-linux-arm64": "29a19f50fe2468c59f01c8b934f729d78fb7c9df1fed89941fab318cb0e02659",
+  "enigma-linux-x64": "96d2da3190504ecd78ba6a06e17d893662a93cd4eacd6946b68b5669f945f034",
+  "enigma-win32-x64.exe": "2ea53901a4b7a7ddb845b91122bbd248bcc82bd6fed335e712aa6e1e8f9f4af1"
 }

package/bin/download.mjs

@@ -11,10 +11,10 @@
  * Used by bin/postinstall.mjs (at install) and bin/enigma.mjs (lazy, first run when
  * install scripts were skipped). Node builtins only.
  */
-
+import { dirname } from "node:path";
 import { createHash } from "node:crypto";
 import { chmodSync, existsSync, mkdirSync, renameSync, unlinkSync, writeFileSync } from "node:fs";
-import { dirname } from "node:path";
+
 import {
     ARCH,
     PLATFORM,
@@ -23,7 +23,7 @@ import {
     isWindows,
     loadChecksums,
     packageVersion,
-    platformKeys,
+    platformKeys
 } from "./platform.mjs";
 
 const DEFAULT_BASE = "https://github.com/FJRG2007/enigma/releases/download";
@@ -37,7 +37,7 @@ function selectAsset() {
         if (checksums[asset]) return { asset, sha256: checksums[asset] };
     }
     return null;
-}
+};
 
 /** Resolve the release-asset URL, allowing an env override for mirrors/tests. */
 function assetUrl(asset) {
@@ -45,13 +45,13 @@ function assetUrl(asset) {
     const url = `${base}/${asset}`;
     if (!url.startsWith("https://")) throw new Error(`Refusing non-HTTPS download URL: ${url}`);
     return url;
-}
+};
 
 /** Returns the installed binary path if already present, else null. */
 export function installedBinary() {
     const target = binTargetPath();
     return existsSync(target) ? target : null;
-}
+};
 
 /**
  * Download, verify and atomically install the binary. Returns its path.
@@ -59,10 +59,7 @@ export function installedBinary() {
  */
 export async function downloadBinary({ log = () => {} } = {}) {
     const choice = selectAsset();
-    if (!choice) {
-        const tried = platformKeys().map(assetName).join(", ") || `${PLATFORM}-${ARCH}`;
-        throw new Error(`No prebuilt enigma binary is available for this platform (looked for: ${tried}).`);
-    }
+    if (!choice) throw new Error(`No prebuilt enigma binary is available for this platform (looked for: ${platformKeys().map(assetName).join(", ") || `${PLATFORM}-${ARCH}`}).`);
 
     const url = assetUrl(choice.asset);
     log(`Downloading ${choice.asset}...`);
@@ -79,20 +76,16 @@ export async function downloadBinary({ log = () => {} } = {}) {
     }
 
     const actual = createHash("sha256").update(buffer).digest("hex");
-    if (actual !== choice.sha256) {
-        throw new Error(`Checksum mismatch for ${choice.asset}: expected ${choice.sha256}, got ${actual}.`);
-    }
-
+    if (actual !== choice.sha256) throw new Error(`Checksum mismatch for ${choice.asset}: expected ${choice.sha256}, got ${actual}.`);
+    
     const target = binTargetPath();
     mkdirSync(dirname(target), { recursive: true });
     const tmp = `${target}.download-${process.pid}`;
     writeFileSync(tmp, buffer);
     if (!isWindows) chmodSync(tmp, 0o755);
     // rename is atomic on POSIX; on Windows it fails over an existing file, so drop it first.
-    if (existsSync(target)) {
-        try { unlinkSync(target); } catch { /* in use; rename will surface the error */ }
-    }
+    if (existsSync(target)) try { unlinkSync(target); } catch { /* in use; rename will surface the error */ }
     renameSync(tmp, target);
     log(`Installed ${choice.asset} -> ${target}`);
     return target;
-}
+};

package/bin/enigma.mjs

@@ -39,7 +39,7 @@ function readOutputStyle() {
         } catch { /* missing/invalid .enigma.json - ignore */ }
     }
     return style;
-}
+};
 if (process.argv[2] === "statusline") {
     try {
         const style = readOutputStyle();
@@ -56,7 +56,7 @@ async function resolveBinary() {
     if (existing) return existing;
     // Lazy path (e.g. `npm i --ignore-scripts`): fetch + verify before first use.
     return downloadBinary({ log: (message) => process.stderr.write(`enigma: ${message}\n`) });
-}
+};
 
 let binary;
 try {
@@ -93,4 +93,4 @@ child.on("exit", (code) => {
     // can hang up (close) the controlling terminal. A signal exit from the interactive
     // binary - e.g. quitting the TUI - is treated as a clean exit.
     process.exit(code ?? 0);
-});
+});

package/bin/platform.mjs

@@ -11,10 +11,10 @@
  * path. Node builtins only - no dependencies (it runs during install).
  */
 
-import { existsSync, readFileSync } from "node:fs";
-import { dirname, join } from "node:path";
-import { fileURLToPath } from "node:url";
 import os from "node:os";
+import { fileURLToPath } from "node:url";
+import { dirname, join } from "node:path";
+import { existsSync, readFileSync } from "node:fs";
 
 // npm/Node "os" identifiers (win32, not "windows"); kept stable across the toolchain.
 const PLATFORMS = { win32: "win32", darwin: "darwin", linux: "linux" };
@@ -37,7 +37,7 @@ function isMusl() {
     } catch {
         return false;
     }
-}
+};
 
 /**
  * Ordered platform keys to try for this host, most specific first. The downloader
@@ -49,22 +49,22 @@ export function platformKeys() {
     const base = `${PLATFORM}-${ARCH}`;
     if (PLATFORM === "linux" && isMusl()) return [`${base}-musl`, base];
     return [base];
-}
+};
 
 /** Release asset name for a platform key, e.g. "enigma-win32-x64.exe". */
 export function assetName(key) {
     return `enigma-${key}${isWindows ? ".exe" : ""}`;
-}
+};
 
 /** On-disk path of the installed binary inside this package's bin/ directory. */
 export function binTargetPath() {
     return join(pkgRoot, "bin", isWindows ? "enigma-bin.exe" : "enigma-bin");
-}
+};
 
 /** This package's declared version (release tag is `v<version>`). */
 export function packageVersion() {
     return JSON.parse(readFileSync(join(pkgRoot, "package.json"), "utf8")).version;
-}
+};
 
 /** Parsed bin/checksums.json (asset name -> sha256 hex), or {} if absent. */
 export function loadChecksums() {
@@ -75,4 +75,4 @@ export function loadChecksums() {
     } catch {
         return {};
     }
-}
+};

package/bin/postinstall.mjs

@@ -19,6 +19,13 @@ async function main() {
 
     try {
         await downloadBinary({ log: (message) => process.stdout.write(`enigma: ${message}\n`) });
+        // Next-step hint: the binary is ready, but skills only deploy when the user
+        // asks (explicit consent for writes to agent config dirs). After that first
+        // install, launching a tool via enigma keeps the deployment auto-synced.
+        process.stdout.write(
+            "enigma: ready. Next step: run `enigma` to set up your agents " +
+            "(non-interactive: `enigma install --all --yes`).\n",
+        );
     } catch (error) {
         process.stdout.write(
             `enigma: could not download the binary now (${error.message}). ` +
@@ -28,4 +35,4 @@ async function main() {
     }
 }
 
-await main();
+await main();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "enigma-cli",
-  "version": "1.6.9",
+  "version": "1.7.0",
   "description": "Everything you need to work with a coding agent: install shared policy skills for Claude Code, OpenAI Codex and opencode, and set up portable git security hooks.",
   "type": "module",
   "bin": {