feed-the-machine 1.7.4 → 1.7.6

package/ftm-audit/SKILL.md

@@ -223,7 +223,7 @@ Append a row to the root INTENT.md module map table:
 |---------|----------|---------------|
 | `BROKEN_PATH` — path in .md file doesn't resolve from installed location | HARD FAIL | No — requires human decision on correct path |
 | `BROKEN_CLI` — CLI command path doesn't exist or errors on execution | HARD FAIL | No — requires fixing the path or creating a symlink |
-| `HARDCODED_USER_PATH` — absolute path contains a specific username (e.g., `/Users/kioja.kudumu/`) | WARN | Yes — replace with `~/` or `$HOME/` equivalent |
+| `HARDCODED_USER_PATH` — absolute path contains a specific username (e.g., `/Users/jdoe/`) | WARN | Yes — replace with `~/` or `$HOME/` equivalent |
 | `STALE_PATH_REFERENCE` — path references a directory/file that was moved or renamed in this diff | HARD FAIL | Yes — update to new path |
 
 **Output format:**
@@ -231,7 +231,7 @@ Append a row to the root INTENT.md module map table:
 Layer 1.75 findings:
 - [BROKEN_PATH] ftm-ops/SKILL.md:53 — `~/.claude/skills/ftm/bin/brain.py` does not exist (ftm/ points to router subdirectory, not repo root)
 - [BROKEN_CLI] ftm-mind/references/orient-protocol.md:210 — `python3 ~/.claude/skills/eng-buddy/bin/brain.py` → file not found
-- [HARDCODED_USER_PATH] ftm-mind/references/ops-routing.md:44 — `/Users/kioja.kudumu/.claude/eng-buddy/drafts/` contains hardcoded username
+- [HARDCODED_USER_PATH] ftm-mind/references/ops-routing.md:44 — `/Users/jdoe/.claude/eng-buddy/drafts/` contains hardcoded username
 - [STALE_PATH_REFERENCE] ftm-ops/references/task-management.md:15 — `~/.claude/eng-buddy/active-tasks.md` was moved to `~/.claude/ftm-ops/active-tasks.md`
 ```
 

package/ftm-capture/SKILL.md

@@ -97,7 +97,7 @@ Ask the user focused questions to determine generalizability. DO NOT ask more th
 - "Should I parameterize [specific value] or hardcode it?"
 
 **Environment questions:**
-- "Does this only work in the ragnarok repo, or should it be repo-agnostic?"
+- "Does this only work in the current repo, or should it be repo-agnostic?"
 - "Are there API access requirements I should document?"
 
 ### Step 4: Write the Routine (`~/.ftm/routines/{name}.yml`)
@@ -306,9 +306,10 @@ ftm-ops's playbook engine reads from `~/.claude/ftm-ops/playbooks/`. Captured pl
 ### Environment Awareness
 
 When capturing, always note the environment context:
-- **If in `~/Documents/Code/ragnarok`**: Full API access to Okta, Freshservice, Slack, AWS (via shared_services). Prefer API over browser.
-- **If in other repos**: May not have API access. Default to browser automation or MCP tools.
-- **Always document**: Which APIs are used, what credentials are needed, what repo provides the client libraries.
+- **Check the blackboard** for `api-access` tagged experiences to see if the current repo has confirmed API access
+- **If access is confirmed**: Note which APIs are available and prefer direct API calls over browser automation
+- **If no access experience exists**: Default to browser automation or MCP tools
+- **Always document**: Which APIs are used, what credentials are needed, what repo provides the client libraries
 
 This prevents future sessions from trying to use APIs they don't have access to.
 

package/ftm-mind/references/orient-protocol.md

@@ -57,7 +57,7 @@ Orient must know the available MCPs and their contextual triggers.
 Use the smallest relevant MCP set.
 
 - Jira issue key or Atlassian URL -> `mcp-atlassian-personal` (or the configured personal account name)
-- "internal docs", "runbook", "Klaviyo", "Glean" -> `glean_default`
+- "internal docs", "runbook", "company wiki", "Glean" -> `glean_default`
 - "how do I use X library" -> `context7`
 - "calendar", "meeting", "free time" -> `google-calendar`
 - "Slack", "channel", "thread", "notify" -> `slack`
@@ -197,7 +197,45 @@ When asking, ask one focused question with concrete choices.
    - **Just do the thing.** If the credentials don't work, you'll find out when the API call fails — and that's a better signal than a speculative question.
 4. If no matching experience exists, proceed with asking.
 
-This rule exists because users set up repo-level context once (e.g., "ragnarok has full Okta/Freshservice/Jira API access") and expect Claude to remember it across every session. Asking "do you have admin access?" when the blackboard already says "yes, full access" is the #1 frustration signal.
+This rule exists because users set up repo-level context once (e.g., "my-tools repo has full API access to our admin systems") and expect Claude to remember it across every session. Asking "do you have admin access?" when the blackboard already says "yes, full access" is the #1 frustration signal.
+
+### Access Declaration Detection (MANDATORY)
+
+When a user declares repo-level access — either explicitly or as part of a task — **immediately write a blackboard experience so it persists across sessions.** Do NOT wait until the task is complete. Write it during Orient, before acting.
+
+**Detection triggers** (any of these in the user's message):
+- "I have access to...", "I have credentials for...", "I'm authenticated to..."
+- "this repo has access to...", "we have API keys for..."
+- "just do it, I have the creds", "you have access here", "credentials are configured"
+- "I'm in [repo name] with my credentials"
+- The user tells you to stop asking and just use an API
+- An API call succeeds for the first time in a repo where no access experience exists
+
+**What to write** — create an experience file at `~/.claude/ftm-state/blackboard/experiences/learning-{repo-name}-api-access.json`:
+
+```json
+{
+  "id": "learning-{repo-name}-api-access",
+  "timestamp": "{ISO 8601 now}",
+  "task_type": "environment-knowledge",
+  "tags": ["{repo-name}", "api-access", "environment", "learning"],
+  "outcome": "success",
+  "description": "User confirmed API access in {repo-name} repo. {any specifics they mentioned — which systems, what kind of access}.",
+  "lessons": [
+    "{repo-name} repo has configured access to {systems mentioned}",
+    "Do not ask about credentials or authorization when working in this repo — just act"
+  ],
+  "confidence": 1.0,
+  "code_patterns": [],
+  "api_gotchas": []
+}
+```
+
+Also update `experiences/index.json` with the new entry.
+
+**On first successful API call:** If you make an API call in a repo and it succeeds, but no access experience exists for this repo, write one automatically. The success IS the proof of access. Tag it with the repo name and the system that worked (e.g., `freshservice`, `okta`).
+
+**This is not optional.** Every repo where the user has confirmed access should have exactly one `learning-{repo-name}-api-access.json` experience. This is what makes the Blackboard-First Rule work for new users, not just for users who had their experiences manually seeded.
 
 ### Discovery Interview (medium+ tasks with external systems)
 

package/ftm-state/blackboard/context.json

@@ -1,26 +1,13 @@
 {
   "current_task": {
-    "id": "hackathon-github-pages-site",
-    "description": "Built and published GitHub Pages site for hackathon team — homepage, playbook, flow map, all interlinked",
-    "type": "hackathon-prep",
-    "started_at": "2026-03-23T00:00:00Z",
-    "status": "completed",
-    "next_action": "none — site is live at klaviyokio.github.io/onboard-the-hackathon"
+    "id": null,
+    "description": null,
+    "type": null,
+    "started_at": null,
+    "status": "none",
+    "next_action": null
   },
-  "recent_decisions": [
-    {
-      "decision": "Used GitHub Pages with static HTML instead of a framework",
-      "reason": "Simple, fast deployment for hackathon team reference pages"
-    },
-    {
-      "decision": "Restored full docx content into playbook.html while keeping coffee-shop design",
-      "reason": "HTML version had trimmed role descriptions — docx had the complete detail"
-    },
-    {
-      "decision": "Fixed flow.html by porting missing elements from agent-flow-map.html",
-      "reason": "Node overlap, missing transcript node, chat bubbles, and annotations"
-    }
-  ],
+  "recent_decisions": [],
   "active_constraints": [],
   "user_preferences": {
     "communication_style": "concise, technical",
@@ -28,10 +15,10 @@
     "default_model_profile": null
   },
   "session_metadata": {
-    "started_at": "2026-03-23T00:00:00Z",
-    "last_updated": "2026-03-23T00:00:00Z",
+    "started_at": null,
+    "last_updated": null,
     "conversation_id": null,
-    "messages_count": 20,
+    "messages_count": 0,
     "skills_invoked": []
   }
 }

package/ftm-state/blackboard/experiences/index.json

@@ -1,57 +1,8 @@
 {
-  "entries": [
-    {
-      "id": "nordlayer-members-auto-assign",
-      "file": "nordlayer-members-auto-assign.json",
-      "timestamp": "2026-03-19T11:00:00Z",
-      "task_type": "freshservice-workflow-routing",
-      "outcome": "success",
-      "tags": ["freshservice", "nordlayer", "custom-trigger", "approval-bypass", "lambda"]
-    },
-    {
-      "id": "hindsight-sso-kickoff",
-      "file": "hindsight-sso-kickoff.json",
-      "timestamp": "2026-03-20T08:30:00Z",
-      "task_type": "sso-implementation",
-      "outcome": "in_progress",
-      "tags": ["sso", "saml", "okta", "hindsight", "vendor-unblock", "planning"]
-    },
-    {
-      "id": "learning-ragnarok-api-access",
-      "file": "learning-ragnarok-api-access.json",
-      "timestamp": "2026-03-20T08:40:00Z",
-      "task_type": "environment-knowledge",
-      "outcome": "success",
-      "tags": ["ragnarok", "okta", "api-access", "environment", "learning"]
-    },
-    {
-      "id": "doom-statusline-fix",
-      "file": "doom-statusline-fix.json",
-      "timestamp": "2026-03-22T00:00:00Z",
-      "task_type": "developer-tooling",
-      "outcome": "success",
-      "tags": ["statusline", "doom-hud", "terminal", "claude-code", "ansi"]
-    },
-    {
-      "id": "hackathon-pages-site",
-      "file": "hackathon-pages-site.json",
-      "timestamp": "2026-03-23T00:00:00Z",
-      "task_type": "hackathon-prep",
-      "outcome": "success",
-      "tags": ["github-pages", "hackathon", "static-html", "team-site", "onboarding"]
-    },
-    {
-      "id": "saml2aws-stale-session-fix",
-      "file": "saml2aws-stale-session-fix.json",
-      "timestamp": "2026-03-24T00:00:00Z",
-      "task_type": "troubleshooting",
-      "outcome": "success",
-      "tags": ["saml2aws", "okta", "aws", "browser-provider", "session-cache", "authentication"]
-    }
-  ],
+  "entries": [],
   "metadata": {
-    "total_count": 6,
-    "last_updated": "2026-03-24T00:00:00Z",
+    "total_count": 0,
+    "last_updated": null,
     "max_entries": 200,
     "pruning_strategy": "remove_oldest_low_confidence"
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "feed-the-machine",
-  "version": "1.7.4",
+  "version": "1.7.6",
   "description": "A brain upgrade for Claude Code — 26 skills that teach it how to think before acting, remember across conversations, debug like a war room, run plans on autopilot with agent teams, and get second opinions from GPT & Gemini. Plus 15 hooks that automate the boring stuff.",
   "license": "MIT",
   "author": "kkudumu",

package/ftm-state/blackboard/experiences/doom-statusline-fix.json

@@ -1,26 +0,0 @@
-{
-  "id": "doom-statusline-fix",
-  "task_type": "developer-tooling",
-  "tags": ["statusline", "doom-hud", "terminal", "claude-code", "ansi"],
-  "outcome": "success",
-  "timestamp": "2026-03-22T00:00:00Z",
-  "lessons": [
-    "Non-Warp statusline path loads ANSI face art by default — disable by skipping the ansi_faces.json load",
-    "MOOD label (IDDQD etc) is appended in both the overlay state and the Row 3 printf — both need removal",
-    "statusline-setup agent type exists for this kind of work"
-  ],
-  "files_touched": [
-    "~/.claude/scripts/doom-statusline.sh"
-  ],
-  "stakeholders": [],
-  "decisions_made": [
-    {
-      "decision": "Disabled ANSI face loading for non-Warp/non-Kitty terminals",
-      "reason": "User wants clean powerline segments, not pixel art"
-    },
-    {
-      "decision": "Removed MOOD text from Row 3 output and overlay state",
-      "reason": "Matches desired Warp-style layout"
-    }
-  ]
-}

package/ftm-state/blackboard/experiences/hackathon-pages-site.json

@@ -1,26 +0,0 @@
-{
-  "id": "hackathon-pages-site",
-  "timestamp": "2026-03-23T00:00:00Z",
-  "task_type": "hackathon-prep",
-  "tags": ["github-pages", "hackathon", "static-html", "team-site", "onboarding"],
-  "outcome": "success",
-  "lessons": [
-    "GitHub Pages with build_type workflow needs a .github/workflows/pages.yml to deploy",
-    "When porting design between themes, check for missing nodes/paths/annotations — AI generators often drop elements",
-    "Docx content can be extracted with Python zipfile + xml.etree for comparison against HTML versions"
-  ],
-  "files_touched": [
-    "index.html",
-    "playbook.html",
-    "flow.html",
-    "agent-flow-map.html",
-    "agent-flow.html",
-    ".github/workflows/pages.yml"
-  ],
-  "stakeholders": ["hackathon team"],
-  "decisions_made": [
-    "Static HTML on GitHub Pages — no framework needed for reference pages",
-    "Kept coffee-shop design theme across all pages",
-    "Wired all homepage links to actual pages including Slack and GitHub repo"
-  ]
-}

package/ftm-state/blackboard/experiences/hindsight-sso-kickoff.json

@@ -1,42 +0,0 @@
-{
-  "id": "hindsight-sso-kickoff",
-  "timestamp": "2026-03-20T08:30:00Z",
-  "task_type": "sso-implementation",
-  "tags": ["sso", "saml", "okta", "hindsight", "vendor-unblock", "planning"],
-  "outcome": "in_progress",
-  "description": "Hindsight SSO blocker cleared - Ani provided ACS URL + Entity ID. Fetched vendor docs, confirmed SAML 2.0 setup. Created execution plan. Awaiting user decision on browser automation vs manual Okta setup.",
-  "lessons": [
-    "Hindsight uses Clerk for SAML - ACS URL and Entity ID both under clerk.usehindsight.com domain",
-    "SAML only - no OIDC support for Okta",
-    "Required attributes: mail, firstName, lastName (standard Okta mappings)",
-    "Name ID format: EmailAddress",
-    "Post-config: vendor needs Okta Metadata URL to finalize their side",
-    "No SCIM - user management is manual/Okta groups only",
-    "Approval owner: Mindy Regnell (CI team)",
-    "Multiple permission levels exist but details not yet mapped to Okta groups"
-  ],
-  "files_touched": [
-    "~/.claude/eng-buddy/daily/2026-03-20.md",
-    "~/.claude/eng-buddy/daily/daily-index.md",
-    "~/.claude/ftm-state/blackboard/context.json"
-  ],
-  "stakeholders": {
-    "requester": "Alani Setalsingh",
-    "vendor_poc": "Ani Gottiparthy (Ani@usehindsight.com)",
-    "approval_owner": "Mindy Regnell",
-    "initial_users": ["Mindy.Regnell@klaviyo.com", "mokhsira.kurbonova@klaviyo.com", "anvi.vasa@klaviyo.com"]
-  },
-  "decisions_made": [
-    {
-      "decision": "Confirmed SAML 2.0 app type (not OIDC) based on vendor docs",
-      "reason": "Hindsight/Clerk explicitly does not support OIDC for Okta"
-    },
-    {
-      "decision": "Identified need for Okta groups based on multiple permission levels",
-      "reason": "Ticket states different permission levels exist - need to map before group creation"
-    }
-  ],
-  "jira_key": "ITWORK2-9702",
-  "freshservice_ticket": "321024",
-  "confidence": 0.9
-}

package/ftm-state/blackboard/experiences/learning-ragnarok-api-access.json

@@ -1,23 +0,0 @@
-{
-  "id": "learning-ragnarok-api-access",
-  "timestamp": "2026-03-20T08:40:00Z",
-  "task_type": "environment-knowledge",
-  "tags": ["ragnarok", "okta", "api-access", "environment", "learning"],
-  "outcome": "success",
-  "description": "When working in ~/Documents/Code/ragnarok, we have full environment API access to all integrated systems (Okta, Freshservice, Jira, etc.) via shared_services. Always prefer API calls over browser automation when in this repo.",
-  "lessons": [
-    "~/Documents/Code/ragnarok has shared_services with API clients for Okta, Freshservice, Slack, Jamf, Google, etc.",
-    "Always prefer API over browser automation when in ragnarok repo - faster, more reliable, scriptable",
-    "Okta API access available via shared_services/okta/",
-    "Secrets stored in AWS Secrets Manager, retrieved at runtime"
-  ],
-  "files_touched": [],
-  "stakeholders": {},
-  "decisions_made": [
-    {
-      "decision": "Use Okta API directly instead of browser automation for SSO app creation",
-      "reason": "ragnarok repo has full Okta API access via shared_services - faster and more reliable than playwright"
-    }
-  ],
-  "confidence": 1.0
-}

package/ftm-state/blackboard/experiences/nordlayer-members-auto-assign.json

@@ -1,26 +0,0 @@
-{
-  "id": "nordlayer-members-auto-assign",
-  "timestamp": "2026-03-19T11:00:00Z",
-  "task_type": "freshservice-workflow-routing",
-  "tags": ["freshservice", "nordlayer", "custom-trigger", "approval-bypass", "lambda"],
-  "outcome": "success",
-  "confidence": 0.95,
-  "summary": "Added auto_assign_upon_request routing for Nordlayer Members role in freshservice_workflow_assigner Lambda, bypassing app owner approval while keeping Administrator and Owner roles unchanged.",
-  "lessons": [
-    "The freshservice_workflow_assigner Lambda is the single router for all custom triggers - always modify it rather than creating separate Lambdas for per-app routing",
-    "Custom trigger format is {workflow}:{role} - the Freshservice Automator matches on the workflow prefix to determine which workflow runs",
-    "auto_assign_upon_request is the existing trigger name for auto-approve workflows",
-    "Custom object 15000002166 stores per-app role metadata including approvers - query it to verify role names and approver state",
-    "Nordlayer role names are: Members, Administrator, Owner (title case, not snake_case like Lusha)",
-    "Deploy flow: push to main -> CI/CD auto-packages -> Lambda picks up new code from S3"
-  ],
-  "files_touched": [
-    "lambda/handlers/freshservice_workflow_assigner/app.py"
-  ],
-  "stakeholders": ["kioja.kudumu"],
-  "decisions_made": [
-    "Used tuple-keyed dict (app_name, role) for override matching to avoid cross-app side effects",
-    "Kept change in existing Lambda rather than creating nordlayer-specific handler",
-    "PR #1313 created on feature/nordlayer-members-auto-assign branch"
-  ]
-}

package/ftm-state/blackboard/experiences/saml2aws-stale-session-fix.json

@@ -1,41 +0,0 @@
-{
-  "id": "saml2aws-stale-session-fix",
-  "title": "saml2aws login fails with 'Invalid role string only 0 tokens' due to stale browser session cache",
-  "created": "2026-03-24",
-  "category": "troubleshooting",
-  "tags": ["saml2aws", "okta", "aws", "browser-provider", "session-cache", "authentication"],
-  "summary": "saml2aws login with Browser provider instantly opens and closes browser (~2 seconds) without showing Okta login page, then fails with 'Error parsing AWS roles.: Invalid role string only 0 tokens'. Root cause is stale cached browser session files that replay an expired/invalid Okta session instead of prompting for fresh authentication.",
-  "symptoms": [
-    "Browser opens and closes in ~2 seconds without showing login page",
-    "Error: 'Failed to assume role. Please check whether you are permitted to assume the given role for the AWS service.: Error parsing AWS roles.: Invalid role string only 0 tokens'",
-    "Same error with --force, --disable-sessions, --disable-keychain flags",
-    "Reinstalling saml2aws does not fix the issue"
-  ],
-  "root_cause": "Stale storageState.json and cache_default files in ~/.aws/saml2aws/ cause the Browser provider to replay a cached Okta session that returns an empty SAML response (no AWS role attributes), bypassing the interactive login entirely.",
-  "fix": {
-    "steps": [
-      "Back up stale session files: mv ~/.aws/saml2aws/storageState.json ~/.aws/saml2aws/storageState.json.bak",
-      "Back up cache file: mv ~/.aws/saml2aws/cache_default ~/.aws/saml2aws/cache_default.bak",
-      "Set disable_sessions = true in ~/.saml2aws config",
-      "Run: saml2aws login --verbose --force"
-    ],
-    "key_files": [
-      "~/.aws/saml2aws/storageState.json",
-      "~/.aws/saml2aws/cache_default",
-      "~/.saml2aws"
-    ],
-    "nuclear_option": "rm -rf ~/.aws/saml2aws/storageState.json ~/.aws/saml2aws/cache_default && saml2aws login --force --disable-sessions --disable-keychain"
-  },
-  "lessons_learned": [
-    "Always check for stale session cache files BEFORE reinstalling saml2aws",
-    "The Browser provider stores Playwright session state in ~/.aws/saml2aws/storageState.json — this is the #1 cause of instant-close browser behavior",
-    "Reinstalling saml2aws or switching versions does NOT clear session cache files",
-    "Klaviyo uses saml2aws 2.36.17 from klaviyo-third-party-prod.s3.amazonaws.com, not the brew version",
-    "klaviyocli config saml2aws is the official way to configure at Klaviyo, but manual config works if klaviyocli is not installed"
-  ],
-  "related_docs": [
-    "https://klaviyo.atlassian.net/wiki/spaces/IT/pages/3531800639 (KlaviyoCLI setup for Okta MFA)",
-    "https://klaviyo.atlassian.net/wiki/spaces/BI/pages/3447980089 (AWS Local Setup)",
-    "https://klaviyo.atlassian.net/wiki/spaces/IT/pages/3574661289 (Ragnarok)"
-  ]
-}