feed-the-machine 1.0.0

package/ftm-executor/runtime/ftm-runtime.mjs

@@ -0,0 +1,252 @@
+#!/usr/bin/env node
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'fs';
+import { resolve } from 'path';
+import { createHash } from 'crypto';
+import { homedir } from 'os';
+
+const STATE_DIR = resolve(homedir(), '.claude', 'ftm-state');
+const STATE_FILE = resolve(STATE_DIR, 'runtime-state.json');
+
+// --- Parsing ---
+
+export function parsePlan(markdown) {
+  const tasks = [];
+  const blocks = markdown.split(/(?=^### Task \d+:)/m).filter(b => b.trim());
+
+  for (const block of blocks) {
+    const idMatch = block.match(/^### Task (\d+):\s*(.+)/m);
+    if (!idMatch) continue;
+
+    const id = parseInt(idMatch[1], 10);
+    const title = idMatch[2].trim();
+
+    const get = (field) => {
+      const m = block.match(new RegExp(`\\*\\*${field}:\\*\\*\\s*(.+)`));
+      return m ? m[1].trim() : '';
+    };
+    const splitList = (raw) => (!raw || raw.toLowerCase() === 'none')
+      ? [] : raw.split(',').map(s => s.trim()).filter(Boolean);
+
+    const rawDeps = get('Dependencies');
+    const dependencies = splitList(rawDeps).map(d => {
+      const m = d.match(/Task\s+(\d+)/i);
+      return m ? parseInt(m[1], 10) : null;
+    }).filter(Boolean);
+
+    const files = splitList(get('Files'));
+
+    const criteriaMatches = [...block.matchAll(/^-\s*\[[ x]\]\s*(.+)/gm)];
+    const acceptance_criteria = criteriaMatches.map(m => m[1].trim());
+
+    tasks.push({
+      id,
+      title,
+      description: get('Description'),
+      files,
+      dependencies,
+      agent_type: get('Agent type'),
+      acceptance_criteria,
+    });
+  }
+
+  tasks.sort((a, b) => a.id - b.id);
+  return tasks;
+}
+
+// --- Wave grouping ---
+
+export function computeWaves(tasks) {
+  const allIds = new Set(tasks.map(t => t.id));
+
+  for (const task of tasks) {
+    for (const dep of task.dependencies) {
+      if (!allIds.has(dep)) {
+        throw new Error(`Task ${task.id} references unknown dependency Task ${dep}`);
+      }
+    }
+  }
+
+  const remaining = new Set(tasks.map(t => t.id));
+  const completed = new Set();
+  const waves = [];
+  const taskMap = Object.fromEntries(tasks.map(t => [t.id, t]));
+
+  while (remaining.size > 0) {
+    const wave = [...remaining].filter(id =>
+      taskMap[id].dependencies.every(dep => completed.has(dep))
+    );
+
+    if (wave.length === 0) {
+      const cycle = [...remaining].join(', ');
+      throw new Error(`Circular dependency detected among tasks: ${cycle}`);
+    }
+
+    waves.push(wave.sort((a, b) => a - b));
+    for (const id of wave) {
+      completed.add(id);
+      remaining.delete(id);
+    }
+  }
+
+  return waves;
+}
+
+// --- State I/O ---
+
+function readState() {
+  if (!existsSync(STATE_FILE)) return null;
+  return JSON.parse(readFileSync(STATE_FILE, 'utf8'));
+}
+
+function requireState() {
+  const s = readState();
+  if (!s) { console.error('Error: No active plan. Run plan-index first.'); process.exit(1); }
+  return s;
+}
+
+function writeState(state) {
+  mkdirSync(STATE_DIR, { recursive: true });
+  state.updated_at = new Date().toISOString();
+  writeFileSync(STATE_FILE, JSON.stringify(state, null, 2));
+}
+
+function hashContent(content) {
+  return createHash('sha256').update(content).digest('hex');
+}
+
+// --- Commands ---
+
+function cmdPlanIndex(planPath) {
+  const absPath = resolve(planPath);
+  if (!existsSync(absPath)) {
+    console.error(`Error: Plan file not found: ${absPath}`);
+    process.exit(1);
+  }
+
+  const content = readFileSync(absPath, 'utf8');
+  const tasks = parsePlan(content);
+  const waves = computeWaves(tasks);
+
+  const taskState = {};
+  for (const task of tasks) {
+    taskState[task.id] = { ...task, status: 'pending', completed_at: null };
+  }
+
+  const state = {
+    plan_path: absPath,
+    plan_hash: hashContent(content),
+    tasks: taskState,
+    waves,
+    current_wave: 0,
+    started_at: new Date().toISOString(),
+    updated_at: new Date().toISOString(),
+  };
+
+  writeState(state);
+
+  console.log(JSON.stringify({
+    tasks,
+    waves,
+    total_tasks: tasks.length,
+    total_waves: waves.length,
+  }, null, 2));
+}
+
+function cmdNextWave() {
+  const state = requireState();
+  const done = { wave_number: null, tasks: [], remaining_waves: 0, complete: true };
+
+  for (let i = 0; i < state.waves.length; i++) {
+    const pending = state.waves[i].filter(id => state.tasks[id]?.status !== 'completed');
+    if (pending.length > 0) {
+      const remaining_waves = state.waves.slice(i + 1)
+        .filter(w => w.some(id => state.tasks[id]?.status !== 'completed')).length;
+      console.log(JSON.stringify({ wave_number: i + 1, tasks: pending.map(id => state.tasks[id]), remaining_waves }, null, 2));
+      return;
+    }
+  }
+  console.log(JSON.stringify(done, null, 2));
+}
+
+function cmdMarkComplete(taskIdArg) {
+  const taskId = parseInt(taskIdArg, 10);
+  if (isNaN(taskId)) { console.error(`Error: Invalid task ID: ${taskIdArg}`); process.exit(1); }
+
+  const state = requireState();
+  if (!state.tasks[taskId]) {
+    console.error(`Error: Task ${taskId} not found in current plan.`); process.exit(1);
+  }
+
+  state.tasks[taskId].status = 'completed';
+  state.tasks[taskId].completed_at = new Date().toISOString();
+
+  const waveIdx = state.waves.findIndex(w => w.includes(taskId));
+  const wave = waveIdx >= 0 ? state.waves[waveIdx] : [];
+  const waveCompleted = wave.filter(id => state.tasks[id]?.status === 'completed').length;
+  const totalCompleted = Object.values(state.tasks).filter(t => t.status === 'completed').length;
+
+  writeState(state);
+
+  console.log(JSON.stringify({
+    task_id: taskId,
+    status: 'completed',
+    wave_progress: `${waveCompleted}/${wave.length}`,
+    plan_progress: `${totalCompleted}/${Object.keys(state.tasks).length}`,
+  }, null, 2));
+}
+
+function cmdStatus() {
+  const state = requireState();
+
+  const tasks = Object.values(state.tasks);
+  const completed = tasks.filter(t => t.status === 'completed').length;
+  const pending = tasks.filter(t => t.status === 'pending').length;
+
+  let current_wave = null;
+  let waves_remaining = 0;
+
+  for (let i = 0; i < state.waves.length; i++) {
+    const wave = state.waves[i];
+    const hasPending = wave.some(id => state.tasks[id]?.status !== 'completed');
+    if (hasPending) {
+      current_wave = i + 1;
+      waves_remaining = state.waves.slice(i).filter(w =>
+        w.some(id => state.tasks[id]?.status !== 'completed')
+      ).length;
+      break;
+    }
+  }
+
+  console.log(JSON.stringify({
+    total_tasks: tasks.length,
+    completed_tasks: completed,
+    current_wave,
+    waves_remaining,
+    tasks_by_status: { pending, completed },
+  }, null, 2));
+}
+
+// --- Entry point ---
+
+const [,, command, ...args] = process.argv;
+
+switch (command) {
+  case 'plan-index':
+    if (!args[0]) { console.error('Usage: ftm-runtime plan-index <plan-path>'); process.exit(1); }
+    cmdPlanIndex(args[0]);
+    break;
+  case 'next-wave':
+    cmdNextWave();
+    break;
+  case 'mark-complete':
+    if (!args[0]) { console.error('Usage: ftm-runtime mark-complete <task-id>'); process.exit(1); }
+    cmdMarkComplete(args[0]);
+    break;
+  case 'status':
+    cmdStatus();
+    break;
+  default:
+    console.error(`Unknown command: ${command}`);
+    console.error('Commands: plan-index, next-wave, mark-complete, status');
+    process.exit(1);
+}

package/ftm-executor/runtime/package.json

@@ -0,0 +1,8 @@
+{
+  "name": "ftm-runtime",
+  "version": "1.0.0",
+  "type": "module",
+  "bin": {
+    "ftm-runtime": "./ftm-runtime.mjs"
+  }
+}

package/ftm-executor.yml

@@ -0,0 +1,2 @@
+name: ftm-executor
+description: Autonomous plan execution engine. Takes any plan document and executes it end-to-end with a dynamically assembled agent team — analyzing tasks, creating purpose-built agents, dispatching them in parallel worktrees, and running each through a commit-review-fix loop until complete. Use this skill whenever the user wants to execute a plan, run a plan doc, launch an agent team on tasks, or says things like "execute this plan", "run this", "launch agents on this doc", "take this plan and go", or points to a plan file and wants it implemented autonomously. Even if they just paste a plan path and say "go" — this is the skill.

package/ftm-git/SKILL.md

@@ -0,0 +1,195 @@
+---
+name: ftm-git
+description: Secret scanning and credential safety gate for git operations. Prevents API keys, tokens, passwords, and other secrets from ever being committed or pushed to remote repositories. Scans staged files, working tree, and git history for hardcoded credentials using regex pattern matching, then auto-remediates by extracting secrets to gitignored .env files and replacing hardcoded values with env var references. Use when user says "scan for secrets", "check for keys", "audit credentials", "ftm-git", "secret scan", "remove api keys", "check before push", or any time git commit/push operations are about to happen. Also auto-invoked by ftm-executor and ftm-mind before any commit or push operation. Even if the user just says "commit this" or "push to remote", this skill MUST run first. Do NOT use for general git workflow operations like branching or merging — that's git-workflow territory. This skill is specifically the security gate.
+---
+
+## Events
+
+### Emits
+- `secrets_found` — when scan detects hardcoded credentials in staged files or working tree
+- `secrets_clear` — when scan completes with no findings (safe to proceed with commit/push)
+- `secrets_remediated` — when auto-fix successfully extracts secrets to .env and refactors source files
+- `task_completed` — when full scan + remediation cycle finishes
+
+### Listens To
+- `code_changed` — run a quick scan on modified files before they get staged
+- `code_committed` — verify the commit doesn't contain secrets (post-commit safety net)
+
+## Blackboard Read
+
+Before starting, load context from the blackboard:
+
+1. Read `~/.claude/ftm-state/blackboard/context.json` — check current_task, recent_decisions, active_constraints
+2. Read `~/.claude/ftm-state/blackboard/experiences/index.json` — filter entries by task_type="security" or tags matching "secrets", "credentials", "api-keys", or "git-safety"
+3. Load top 3-5 matching experience files for previously found secret patterns and effective remediation strategies
+4. Read `~/.claude/ftm-state/blackboard/patterns.json` — check recurring_issues for repeated secret leaks and execution_patterns for which files/directories tend to accumulate secrets
+
+If index.json is empty or no matches found, proceed normally without experience-informed shortcuts.
+
+# FTM Git — Secret Scanning & Credential Safety Gate
+
+This skill exists because secrets pushed to GitHub are compromised the instant they hit the remote — even if you force-push a clean history seconds later. Bots scrape public repos continuously, and private repos are one permissions mistake away from exposure. The only safe secret is one that never enters git history.
+
+This is not a nice-to-have audit. This is a hard gate. Nothing gets committed or pushed until this skill says it's clean.
+
+## Why This Matters
+
+Yesterday we pushed API keys to the repo. That's the kind of mistake that leads to compromised accounts, unexpected bills, and emergency credential rotations. This skill makes it structurally impossible for that to happen again by scanning every file that's about to be committed and blocking the operation if secrets are present — then auto-fixing what it can.
+
+## Phase -1: Install Git Hook (First Invocation Only)
+
+The first time ftm-git runs in a repo, install a pre-commit hook as a hard safety net. This hook runs independently of Claude — it's a shell script that blocks `git commit` if staged files contain Tier 1 secret patterns. Even if this skill is not invoked, or someone runs git directly from the terminal, the hook catches it.
+
+**Check if the hook is already installed:**
+
+```bash
+# Look for ftm-git marker in existing pre-commit hook
+grep -q "ftm-git" .git/hooks/pre-commit 2>/dev/null
+```
+
+**If not installed**, copy the hook script:
+
+```bash
+cp ~/.claude/skills/ftm-git/scripts/pre-commit-secrets.sh .git/hooks/pre-commit
+chmod +x .git/hooks/pre-commit
+```
+
+**If a pre-commit hook already exists** (from husky, pre-commit framework, etc.), don't overwrite it. Instead, append the ftm-git scan to the end of the existing hook:
+
+```bash
+echo "" >> .git/hooks/pre-commit
+echo "# --- ftm-git secret scanner ---" >> .git/hooks/pre-commit
+cat ~/.claude/skills/ftm-git/scripts/pre-commit-secrets.sh >> .git/hooks/pre-commit
+```
+
+Tell the user: "Installed ftm-git pre-commit hook. Commits with hardcoded secrets will be blocked automatically, even outside of Claude."
+
+This only needs to happen once per repo. On subsequent invocations, skip this phase.
+
+## Phase 0: Determine Scan Scope
+
+Before scanning, figure out what needs scanning and why you were invoked.
+
+**Invocation context determines scope:**
+
+| Context | Scope |
+|---|---|
+| Pre-commit (explicit or auto-triggered) | Staged files (`git diff --cached --name-only`) + any files about to be staged |
+| Pre-push | All commits not yet on remote (`git log @{upstream}..HEAD --name-only`) |
+| Manual invocation ("scan for secrets") | Full working tree sweep |
+| Post-commit safety net | The commit that just landed (`git diff-tree --no-commit-id -r HEAD`) |
+
+**Always also check these regardless of invocation context:**
+- Any `.env` file that is NOT in `.gitignore` — this is itself a finding
+- Any file matching `*credentials*`, `*secret*`, `*token*` in the filename
+
+## Phase 1: Pattern Scan
+
+Scan the in-scope files using regex patterns. The goal is zero false negatives — a few false positives are acceptable and will be filtered in Phase 2.
+
+Read `references/patterns/SECRET-PATTERNS.md` for the full Tier 1 and Tier 2 pattern library, the false positive suppression list, severity classifications, and per-finding record format.
+
+**Core Tier 1 patterns** (the most common — memorize these, consult the reference for the full set):
+
+```
+AKIA[0-9A-Z]{16}                           # AWS Access Key ID
+ghp_[A-Za-z0-9_]{36}                       # GitHub PAT (classic)
+sk_live_[0-9a-zA-Z]{24,}                   # Stripe secret key (live)
+AIza[0-9A-Za-z\-_]{35}                     # Google API key
+xoxb-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}  # Slack bot token
+-----BEGIN (RSA|DSA|EC|OPENSSH|PGP) PRIVATE KEY-----  # Private keys
+```
+
+Run Tier 1 patterns in parallel since they're independent. For Tier 2, check surrounding context before confirming.
+
+## Phase 2: Validate Findings
+
+For each Tier 2 match, read the surrounding context (5 lines before and after) and determine:
+
+1. **Is the value a real secret or a placeholder?** — Check against the ignore list in `references/patterns/SECRET-PATTERNS.md`.
+2. **Is it already using an env var?** — If the code does `key = os.environ.get("API_KEY", "sk_live_abc...")`, the hardcoded value is a fallback default. Still a finding — fallback defaults with real secrets are dangerous.
+3. **Is it in a file that should be gitignored?** — If the secret is in `.env` and `.env` is in `.gitignore`, it's fine. If `.env` is NOT in `.gitignore`, that's a separate finding.
+
+After validation, produce a findings list sorted by severity (CRITICAL → HIGH → MEDIUM → LOW). See `references/patterns/SECRET-PATTERNS.md` for the severity table.
+
+If zero findings after validation: emit `secrets_clear` and proceed. The commit/push is safe.
+
+If any CRITICAL or HIGH findings: **STOP. The commit/push is BLOCKED.** Say this explicitly to the user before doing anything else:
+
+```
+ftm-git: BLOCKED — <N> secret(s) found. Commit/push halted. Attempting auto-remediation...
+```
+
+Then proceed to Phase 3. The commit/push does NOT happen until Phase 3 completes and a re-scan comes back clean.
+
+## Phase 3: Auto-Remediate
+
+Read `references/protocols/REMEDIATION.md` for the full step-by-step remediation protocol, language-specific env var patterns, report formats (clean/remediated/blocked), and the Phase 5 git history deep scan procedure.
+
+**Summary of steps:**
+1. Ensure `.env` and `.gitignore` infrastructure exists
+2. Extract each secret to `.env` with a SCREAMING_SNAKE_CASE var name
+3. Add placeholder to `.env.example`
+4. Refactor source files to reference the env var (match language pattern)
+5. Unstage `.env`, re-stage refactored source files
+6. Verify: re-run Phase 1 on refactored files — do not proceed until clean
+
+## Phase 4: Report
+
+After remediation or clean scan, produce the summary. Read `references/protocols/REMEDIATION.md` for the exact report formats.
+
+## Integration Points
+
+### With ftm-executor
+ftm-executor should invoke ftm-git before every commit operation in its task execution loop. If ftm-git emits `secrets_found`, the executor must pause and remediate before proceeding.
+
+### With ftm-mind
+When ftm-mind routes a commit or push request, it should run ftm-git as a prerequisite gate. The commit/push only proceeds after `secrets_clear` or `secrets_remediated`.
+
+### With git-workflow agent
+The git-workflow agent should check with ftm-git before executing any commit or push command. If you're about to run `git commit` or `git push`, ftm-git goes first.
+
+## Post-Commit Experience Recording
+
+FTM includes a post-commit hook that guarantees every commit produces an experience entry in the blackboard.
+
+### How It Works
+
+1. After every `git commit`, the hook checks if an experience was recorded in the last 2 minutes
+2. If yes (the LLM already recorded a detailed experience) → skip, no duplicate
+3. If no → create a minimal experience from commit metadata (hash, message, files, branch)
+4. Update the experience index
+
+### Installation
+
+The hook is at `ftm-git/hooks/post-commit-experience.sh`. To install:
+
+```bash
+cp ~/.claude/skills/ftm-git/hooks/post-commit-experience.sh .git/hooks/post-commit
+chmod +x .git/hooks/post-commit
+```
+
+Or add to your project's husky config if using husky.
+
+### Minimal vs Rich Experiences
+
+- **Minimal** (from hook): commit metadata only, confidence 0.5, tags: `auto-recorded`
+- **Rich** (from LLM): full task context, lessons learned, higher confidence, domain-specific tags
+
+The hook ensures no commit goes unrecorded, while the LLM produces richer entries during active sessions.
+
+## Blackboard Write
+
+After completing, update the blackboard:
+
+1. Update `~/.claude/ftm-state/blackboard/context.json`:
+   - Set current_task status to "complete"
+   - Append scan summary to recent_decisions (cap at 10)
+   - Update session_metadata.skills_invoked and last_updated
+2. Write an experience file to `experiences/YYYY-MM-DD_secret-scan-<slug>.json` with:
+   - Number of files scanned
+   - Findings by severity
+   - Remediation actions taken
+   - Which patterns matched (to improve future scans)
+3. Update `experiences/index.json` with the new entry
+4. Emit `secrets_clear` or `secrets_remediated` or `secrets_blocked`

package/ftm-git/evals/evals.json

@@ -0,0 +1,26 @@
+{
+  "skill_name": "ftm-git",
+  "evals": [
+    {
+      "id": 1,
+      "name": "python-stripe-aws",
+      "prompt": "I just finished the payments module. commit this and push it up",
+      "expected_output": "Should detect sk_live_ Stripe key, AKIA AWS access key, and AWS secret. Should extract all three to .env, refactor payments.py to use os.environ/os.getenv, add .env to .gitignore, and block the commit until remediated.",
+      "files": ["test-fixtures/payments.py"]
+    },
+    {
+      "id": 2,
+      "name": "js-config-unignored-env",
+      "prompt": "hey can you scan this repo for any secrets before I share it with the new contractor",
+      "expected_output": "Should find Google API key, Slack bot token, Slack webhook, and SendGrid key in config.js. Should also flag .env not being in .gitignore. Should extract secrets to .env, refactor config.js to use process.env, ensure .gitignore covers .env files.",
+      "files": ["test-fixtures/config.js", "test-fixtures/.env"]
+    },
+    {
+      "id": 3,
+      "name": "yaml-google-key-in-ci",
+      "prompt": "push to main",
+      "expected_output": "Should detect Google API key hardcoded in deploy.yml env block, the RSA private key, and the Slack webhook URL. Should flag that CI files need to use GitHub Actions secrets (${{ secrets.VAR }}) instead of hardcoded values. Should block the push.",
+      "files": ["test-fixtures/deploy.yml"]
+    }
+  ]
+}

package/ftm-git/evals/promptfoo.yaml

@@ -0,0 +1,75 @@
+description: "ftm-git secret detection and remediation"
+
+prompts:
+  - "{{input}}"
+
+providers:
+  - id: "exec:claude --print"
+    label: "claude-code"
+
+tests:
+  # Eval 1: python-stripe-aws
+  - description: "detects Stripe live key and AWS credentials, extracts to .env, blocks commit"
+    vars:
+      input: "I just finished the payments module. commit this and push it up"
+    assert:
+      - type: regex
+        value: "sk_live_|stripe|Stripe"
+        description: "Detects the Stripe live key"
+      - type: regex
+        value: "AKIA|AWS|aws"
+        description: "Detects the AWS access key"
+      - type: regex
+        value: "\\.env"
+        description: "References .env file for secret extraction"
+      - type: regex
+        value: "\\.gitignore"
+        description: "References .gitignore to prevent committing secrets"
+      - type: regex
+        value: "block|blocked|cannot commit|will not commit|stop|halt|remediat"
+        description: "Blocks the commit until secrets are remediated"
+
+  # Eval 2: js-config-unignored-env
+  - description: "detects multiple secrets in config.js, flags missing .gitignore entry, extracts to .env"
+    vars:
+      input: "hey can you scan this repo for any secrets before I share it with the new contractor"
+    assert:
+      - type: regex
+        value: "Google|GOOGLE|AIza"
+        description: "Detects the Google API key"
+      - type: regex
+        value: "Slack|slack|xoxb"
+        description: "Detects the Slack token"
+      - type: regex
+        value: "SendGrid|sendgrid|SG\\."
+        description: "Detects the SendGrid key"
+      - type: regex
+        value: "\\.env"
+        description: "References .env file for secret extraction"
+      - type: regex
+        value: "\\.gitignore"
+        description: "Flags .gitignore coverage issue"
+      - type: regex
+        value: "process\\.env"
+        description: "Recommends using process.env in refactored code"
+
+  # Eval 3: yaml-google-key-in-ci
+  - description: "detects hardcoded secrets in CI yaml, recommends GitHub Actions secrets, blocks push"
+    vars:
+      input: "push to main"
+    assert:
+      - type: regex
+        value: "Google|GOOGLE|AIza|deploy\\.yml|CI|ci"
+        description: "Detects the Google API key in the CI file"
+      - type: regex
+        value: "RSA|private key|BEGIN RSA|-----BEGIN"
+        description: "Detects the RSA private key"
+      - type: regex
+        value: "Slack|slack|webhook"
+        description: "Detects the Slack webhook URL"
+      - type: regex
+        value: "secrets\\.|\\$\\{\\{|GitHub Actions|github actions|Actions secret"
+        description: "Recommends using GitHub Actions secrets instead of hardcoded values"
+      - type: regex
+        value: "block|blocked|cannot push|will not push|stop|halt|remediat"
+        description: "Blocks the push until secrets are remediated"

package/ftm-git/hooks/post-commit-experience.sh

@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+
+# FTM Post-Commit Experience Recorder
+# Ensures every commit produces at least a minimal experience entry.
+# Only creates an entry if one hasn't been recorded recently (2+ min gap).
+
+set -euo pipefail
+
+STATE_DIR="$HOME/.claude/ftm-state/blackboard"
+EXPERIENCES_DIR="$STATE_DIR/experiences"
+INDEX_FILE="$EXPERIENCES_DIR/index.json"
+
+# Ensure directories exist
+mkdir -p "$EXPERIENCES_DIR"
+
+# Check if an experience was recorded in the last 2 minutes
+RECENT_THRESHOLD=$(($(date +%s) - 120))
+LATEST_EXPERIENCE=""
+
+if [ -d "$EXPERIENCES_DIR" ]; then
+  LATEST_EXPERIENCE=$(find "$EXPERIENCES_DIR" -name "*.json" -not -name "index.json" -newer /dev/null -maxdepth 1 2>/dev/null | sort -r | head -1)
+fi
+
+if [ -n "$LATEST_EXPERIENCE" ]; then
+  # Check if the latest experience file was modified within the last 2 minutes
+  if [ "$(uname)" = "Darwin" ]; then
+    FILE_TIME=$(stat -f %m "$LATEST_EXPERIENCE" 2>/dev/null || echo 0)
+  else
+    FILE_TIME=$(stat -c %Y "$LATEST_EXPERIENCE" 2>/dev/null || echo 0)
+  fi
+
+  if [ "$FILE_TIME" -gt "$RECENT_THRESHOLD" ]; then
+    # Experience was recently recorded by the LLM — skip
+    exit 0
+  fi
+fi
+
+# Extract commit metadata
+COMMIT_HASH=$(git rev-parse --short HEAD)
+COMMIT_MSG=$(git log -1 --pretty=%s)
+COMMIT_DATE=$(date +%Y-%m-%d)
+COMMIT_TIME=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+FILES_CHANGED=$(git diff-tree --no-commit-id --name-only -r HEAD | tr '\n' ', ' | sed 's/,$//')
+BRANCH=$(git rev-parse --abbrev-ref HEAD)
+
+# Generate a slug from commit message
+SLUG=$(echo "$COMMIT_MSG" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g' | sed 's/--*/-/g' | cut -c1-50)
+FILENAME="${COMMIT_DATE}_${SLUG}.json"
+
+# Don't create duplicate if file already exists
+if [ -f "$EXPERIENCES_DIR/$FILENAME" ]; then
+  exit 0
+fi
+
+# Create minimal experience entry
+cat > "$EXPERIENCES_DIR/$FILENAME" << EXPEOF
+{
+  "task_type": "commit",
+  "description": "$COMMIT_MSG",
+  "source": "git-hook",
+  "timestamp": "$COMMIT_TIME",
+  "commit_hash": "$COMMIT_HASH",
+  "branch": "$BRANCH",
+  "files_changed": "$FILES_CHANGED",
+  "complexity_estimated": "micro",
+  "complexity_actual": "micro",
+  "outcome": "success",
+  "confidence": 0.5,
+  "tags": ["auto-recorded", "git-commit"],
+  "lessons": []
+}
+EXPEOF
+
+# Update index.json
+# Read existing index, add new entry, write back
+if [ -f "$INDEX_FILE" ]; then
+  # Use node for reliable JSON manipulation (available in FTM environments)
+  node -e "
+    const fs = require('fs');
+    const idx = JSON.parse(fs.readFileSync('$INDEX_FILE', 'utf-8'));
+    idx.entries.push({
+      file: '$FILENAME',
+      task_type: 'commit',
+      tags: ['auto-recorded', 'git-commit'],
+      timestamp: '$COMMIT_TIME',
+      confidence: 0.5
+    });
+    idx.metadata.total_count = idx.entries.length;
+    idx.metadata.last_updated = '$COMMIT_TIME';
+    fs.writeFileSync('$INDEX_FILE', JSON.stringify(idx, null, 2));
+  " 2>/dev/null || true
+fi