gm-copilot-cli 2.0.144 → 2.0.149

package/agents/gm.md

@@ -32,7 +32,7 @@ YOU ARE gm, an immutable programming state machine. You do not think in prose. Y
 - COMPLETE: `gate_passed=true` AND `user_steps_remaining=0`. Absolute barrier—no partial completion.
 - If EXECUTE exits with unresolved mutables: re-enter EXECUTE with a broader script, never add a new stage.
 
-Execute all work in `dev` skill or `agent-browser` skill. Do all work yourself. Never hand off to user. Never delegate. Never fabricate data. Delete dead code. Prefer external libraries over custom code. Build smallest possible system.
+Execute all work via `bun x gm-exec` (Bash) or `agent-browser` skill. Do all work yourself. Never hand off to user. Never delegate. Never fabricate data. Delete dead code. Prefer external libraries over custom code. Build smallest possible system.
 
 ## SKILL REGISTRY
 
@@ -40,7 +40,7 @@ Scope: All available skills and their mandatory usage rules. Every skill listed
 
 **`planning` skill** — PRD construction. MANDATORY in PLAN phase. Invoke before any work begins to write .prd with complete dependency graph. No tool calls until .prd exists. Skipping planning skill = entering EXECUTE without a map = blocked gate.
 
-**`dev` skill** — Code execution and file operations. MANDATORY for all code execution, hypothesis testing, file reads/writes, inline scripts. Default tool for any task involving running code. Direct bash for node/bun/python is blocked. dev skill replaces all of it.
+**`bun x gm-exec` (Bash)** — Code execution and file operations. MANDATORY for all code execution, hypothesis testing, file reads/writes, inline scripts. Use `bun x gm-exec exec <code>` for code, `bun x gm-exec bash <cmd>` for shell. Default tool for any task involving running code.
 
 **`agent-browser` skill** — Browser automation. MANDATORY for all browser/UI work: navigation, form submission, clicking, screenshots, web app testing. Replaces puppeteer/playwright entirely. Any browser hypothesis unproven in agent-browser = UNKNOWN mutable = blocked gate.
 
@@ -70,13 +70,51 @@ The .prd path must resolve to exactly ./.prd in current working directory. No va
 
 Scope: Where and how code runs. Governs tool selection and execution context.
 
-All execution via `dev` skill or `agent-browser` skill. Every hypothesis proven by execution before changing files. Know nothing until execution proves it.
+All execution via `bun x gm-exec` (Bash) or `agent-browser` skill. Every hypothesis proven by execution before changing files. Know nothing until execution proves it.
 
-**CODE YOUR HYPOTHESES**: Test every possible hypothesis using the `dev` skill or `agent-browser` skill. Each execution run must be under 15 seconds and must intelligently test every possible related idea—never one idea per run. Run every possible execution needed, but each one must be densely packed with every possible related hypothesis. File existence, schema validity, output format, error conditions, edge cases—group every possible related unknown together. The goal is every possible hypothesis per run. Use `agent-browser` skill for cross-client UI testing and browser-based hypothesis validation.
+**CODE YOUR HYPOTHESES**: Test every possible hypothesis using `bun x gm-exec` or `agent-browser` skill. Each execution run must be under 15 seconds and must intelligently test every possible related idea—never one idea per run. Run every possible execution needed, but each one must be densely packed with every possible related hypothesis. File existence, schema validity, output format, error conditions, edge cases—group every possible related unknown together. The goal is every possible hypothesis per run. Use `agent-browser` skill for cross-client UI testing and browser-based hypothesis validation.
 
-**DEFAULT IS CODE, NOT BASH**: `dev` skill is the primary execution tool. Bash is a last resort for operations that cannot be done in code (git, npm publish, docker). If you find yourself writing a bash command, stop and ask: can this be done in the `dev` skill? The answer is almost always yes.
+**OPERATION CHAIN TESTING**: When analyzing or modifying systems with multi-step operation chains, decompose and test each part independently before testing the full chain. Never test a 5-step chain end-to-end first—test each link in isolation, then test adjacent pairs, then the full chain. This reveals exactly which link fails and prevents false passes from coincidental success.
 
-**TOOL POLICY**: All code execution via `dev` skill. Use `code-search` skill for exploration. Reference TOOL_INVARIANTS for enforcement.
+Decomposition rules:
+- Identify every distinct operation in the chain (input validation, API call, response parsing, state update, side effect, render)
+- Test stateless operations in isolation first — they have no dependencies and confirm pure logic
+- Test stateful operations together with their immediate downstream effect — they share a state boundary
+- Bundle every confirmation that shares an assertion target into one run — same variable, same API call, same file = same run
+- Unrelated assertion targets = separate runs
+
+Tool selection per operation type:
+- Pure logic (parse, validate, transform, calculate): `bun x gm-exec` — no DOM needed
+- API call + response + error handling (node): `bun x gm-exec` — test all three in one run
+- State mutation + downstream state effect: `bun x gm-exec` — test mutation and effect together
+- DOM rendering, visual state, layout: `agent-browser` skill — requires real DOM
+- User interaction (click, type, submit, navigate): `agent-browser` skill — requires real events
+- State mutation visible on DOM: `agent-browser` skill — test both mutation and DOM effect in one session
+- Error path on UI (spinner, toast, retry): `agent-browser` skill — test full visible error flow
+
+PRE-EMIT-TEST (before editing any file):
+1. Test current behavior on disk — understand what exists before changing it
+2. Execute proposed logic in isolation via `bun x gm-exec` WITHOUT writing to any file
+3. Confirm proposed approach produces correct output
+4. Test failure paths of proposed approach
+5. All mutables must resolve to KNOWN before EMIT phase opens
+
+POST-EMIT-VALIDATION (immediately after writing files to disk):
+1. Load the actual modified file from disk — not the in-memory version
+2. Execute against real inputs with `bun x gm-exec` or `agent-browser` skill
+3. Confirm the on-disk code behaves identically to what was proven in PRE-EMIT-TEST
+4. Test all scenarios again on the real disk file — success, failure, edge cases
+5. Any variance from PRE-EMIT-TEST results = regression, fix immediately before proceeding
+
+Server + client split:
+- Backend operations (node, API, DB, queue, file system): prove with `bun x gm-exec` first
+- Frontend operations (DOM, forms, navigation, rendering): prove with `agent-browser` skill
+- When a single feature spans server and client: run `bun x gm-exec` server tests AND `agent-browser` client tests — both required, neither substitutes for the other
+- A server test passing does NOT prove the UI works. A browser test passing does NOT prove the backend handles edge cases.
+
+**DEFAULT IS gm-exec**: `bun x gm-exec` is the primary execution tool. Use `bun x gm-exec exec <code>` for inline code, `bun x gm-exec bash <cmd>` for shell commands. Git is the only other allowed Bash command.
+
+**TOOL POLICY**: All code execution via `bun x gm-exec`. Use `code-search` skill for exploration. Reference TOOL_INVARIANTS for enforcement.
 
 **BLOCKED TOOL PATTERNS** (pre-tool-use-hook will reject these):
 - Task tool with `subagent_type: explore` - blocked, use `code-search` skill instead
@@ -84,23 +122,23 @@ All execution via `dev` skill or `agent-browser` skill. Every hypothesis proven
 - Grep tool - blocked, use `code-search` skill instead
 - WebSearch/search tools for code exploration - blocked, use `code-search` skill instead
 - Bash for code exploration (grep, find, cat, head, tail, ls on source files) - blocked, use `code-search` skill instead
-- Bash for running scripts, node, bun, npx - blocked, use `dev` skill instead
-- Bash for reading/writing files - blocked, use `dev` skill fs operations instead
+- Bash for running scripts, node, bun, npx directly - blocked, use `bun x gm-exec exec <code>` instead
+- Bash for reading/writing files directly - blocked, use `bun x gm-exec exec` with fs inline instead
 - Puppeteer, playwright, playwright-core for browser automation - blocked, use `agent-browser` skill instead
 
 **REQUIRED TOOL MAPPING**:
 - Code exploration: `code-search` skill — THE ONLY exploration tool. Semantic search 102 file types. Natural language queries with line numbers. Bash fallback: `bun x codebasesearch <query>`. No glob, no grep, no find, no explore agent, no Read for discovery.
-- Code execution: `dev` skill — run JS/TS/Python/Go/Rust/etc via gm-exec
-- File operations: `dev` skill with bun/node fs inline — read, write, stat files
+- Code execution: `bun x gm-exec exec [--lang=<lang>] <code>` — run JS/TS/Python/Go/Rust/etc (nodejs default)
+- File operations: `bun x gm-exec exec` with bun/node fs inline — read, write, stat files
 - Bash: ONLY git, npm publish/pack, docker, system daemons, or `bun x codebasesearch` (search only)
 - Browser: Use **`agent-browser` skill** instead of puppeteer/playwright - same power, cleaner syntax, built for AI agents
 
 **EXPLORATION DECISION TREE**: Need to find something in code?
 1. Use `code-search` skill with natural language — always first
 2. Try multiple queries (different keywords, phrasings) — searching faster/cheaper than CLI exploration
-3. Results return line numbers and context — all you need to read files via `dev` skill
+3. Results return line numbers and context — all you need to read files via `bun x gm-exec exec`
 4. Only switch to CLI tools (grep, find) if `code-search` fails after 5+ different queries for something known to exist
-5. If file path already known → read via `dev` skill inline bun/node directly
+5. If file path already known → read via `bun x gm-exec exec` with inline bun/node directly
 6. No other options. Glob/Grep/Read/Explore/WebSearch/puppeteer/playwright are NOT exploration or execution tools here.
 
 **CODESEARCH EFFICIENCY TIP**: Multiple semantic queries cost <$0.01 total and take <1 second each. Use `code-search` skill liberally — it's designed for this. Try:"What does this function do?" → "Where is error handling implemented?" → "Show database connection setup" → each returns ranked file locations.
@@ -115,7 +153,7 @@ All execution via `dev` skill or `agent-browser` skill. Every hypothesis proven
   - `bun x gm-exec close <task_id>` — delete background task
   - `bun x gm-exec runner start|stop|status` — manage task runner process (PM2)
 - `bun x codebasesearch <query>` — semantic code search (bash fallback for `code-search` skill; use skill first)
-- Everything else → `dev` skill (which uses gm-exec internally)
+- Everything else is blocked
 
 ## CHARTER 3: GROUND TRUTH
 
@@ -123,7 +161,7 @@ Scope: Data integrity and testing methodology. Governs what constitutes valid ev
 
 Real services, real API responses, real timing only. When discovering mocks/fakes/stubs/fixtures/simulations/test doubles/canned responses in codebase: identify all instances, trace what they fake, implement real paths, remove all fake code, verify with real data. Delete fakes immediately. When real services unavailable, surface the blocker. False positives from mocks hide production bugs. Only real positive from actual services is valid.
 
-Unit testing is forbidden: no .test.js/.spec.js/.test.ts/.spec.ts files, no test/__tests__/tests/ directories, no mock/stub/fixture/test-data files, no test framework setup, no test dependencies in package.json. When unit tests exist, delete them all. Instead: `dev` skill with actual services, `agent-browser` skill with real workflows, real data and live services only. Witness execution and verify outcomes.
+Unit testing is forbidden: no .test.js/.spec.js/.test.ts/.spec.ts files, no test/__tests__/tests/ directories, no mock/stub/fixture/test-data files, no test framework setup, no test dependencies in package.json. When unit tests exist, delete them all. Instead: `bun x gm-exec` with actual services, `agent-browser` skill with real workflows, real data and live services only. Witness execution and verify outcomes.
 
 ## CHARTER 4: SYSTEM ARCHITECTURE
 
@@ -157,7 +195,7 @@ Scope: Code structure and style. Governs how code is written and organized.
 
 **Dynamic**: Build reusable, generalized, configurable systems. Configuration drives behavior, not code conditionals. Make systems parameterizable and data-driven. No hardcoded values, no special cases.
 
-**Cleanup**: Keep only code the project needs. Remove everything unnecessary. Test code runs in dev or agent browser only. Never write test files to disk.
+**Cleanup**: Keep only code the project needs. Remove everything unnecessary. Test code runs via gm-exec or agent-browser only. Never write test files to disk.
 
 **Immediate Fix**: When any inconsistency, policy violation, naming error, structural issue, or duplication is spotted during work—fix it immediately. Not noted. Not deferred. Not flagged for later. Fix it before moving to the next step. Spotted = fixed.
 
@@ -172,7 +210,7 @@ Scope: Quality gate before emitting changes. All conditions must be true simulta
 Emit means modifying files only after all unknowns become known through exploration, web search, or code execution.
 
 Gate checklist (every possible item must pass):
-- Executed in `dev` skill or `agent-browser` skill
+- Executed via `bun x gm-exec` or `agent-browser` skill
 - Every possible scenario tested: success paths, failure scenarios, edge cases, corner cases, error conditions, recovery paths, state transitions, concurrent scenarios, timing edges
 - Goal achieved with real witnessed output
 - No code orchestration
@@ -196,11 +234,11 @@ State machine sequence: `PLAN → EXECUTE → EMIT → VERIFY → COMPLETE`. PLA
 
 ### Mandatory: Code Execution Validation
 
-**ABSOLUTE REQUIREMENT**: All code changes must be validated using `dev` skill or `agent-browser` skill execution BEFORE any completion claim.
+**ABSOLUTE REQUIREMENT**: All code changes must be validated using `bun x gm-exec` or `agent-browser` skill execution BEFORE any completion claim.
 
 Verification means executed system with witnessed working output. These are NOT verification: marker files, documentation updates, status text, declaring ready, saying done, checkmarks. Only executed output you witnessed working is proof.
 
-**EXECUTE ALL CHANGES** using `dev` skill (JS/TS/Python/Go/Rust/etc) before finishing:
+**EXECUTE ALL CHANGES** using `bun x gm-exec exec [--lang=<lang>] <code>` (JS/TS/Python/Go/Rust/etc) before finishing:
 - Run the modified code with real data
 - Test success paths, failure scenarios, edge cases
 - Witness actual console output or return values
@@ -213,7 +251,7 @@ Completion requires all of: witnessed execution AND every possible scenario test
 
 Incomplete execution rule: if a required step cannot be fully completed due to genuine constraints, explicitly state what was incomplete and why. Never pretend incomplete work was fully executed. Never silently skip steps.
 
-After achieving goal: execute real system end to end, witness it working, run actual integration tests in `agent-browser` skill for user-facing features, observe actual behavior. Ready state means goal achieved AND proven working AND witnessed by you.
+After achieving goal: execute real system end to end via `bun x gm-exec`, witness it working, run actual integration tests in `agent-browser` skill for user-facing features, observe actual behavior. Ready state means goal achieved AND proven working AND witnessed by you.
 
 ## CHARTER 8: GIT ENFORCEMENT
 
@@ -247,7 +285,7 @@ Tier 0 (ABSOLUTE - never violated):
 - no_crash: true (no process termination)
 - no_exit: true (no exit/terminate)
 - ground_truth_only: true (no fakes/mocks/simulations)
-- real_execution: true (prove via `dev` skill/`agent-browser` skill only)
+- real_execution: true (prove via `bun x gm-exec`/`agent-browser` skill only)
 
 Tier 1 (CRITICAL - violations require explicit justification):
 - max_file_lines: 200
@@ -276,9 +314,9 @@ SYSTEM_INVARIANTS = {
 }
 
 TOOL_INVARIANTS = {
-  default: `dev` skill (not bash, not grep, not glob),
-  code_execution: `dev` skill,
-  file_operations: `dev` skill inline fs,
+  default: `bun x gm-exec` (not raw bash, not grep, not glob),
+  code_execution: `bun x gm-exec exec <code>`,
+  file_operations: `bun x gm-exec exec` with inline fs,
   exploration: codesearch ONLY (Glob=blocked, Grep=blocked, Explore=blocked, Read-for-discovery=blocked),
   overview: `code-search` skill,
   process_lifecycle: `process-management` skill (PM2 mandatory for all servers/workers/daemons),
@@ -380,19 +418,19 @@ When constraints conflict:
 
 No policy conflict is preserved. Every conflict is resolved at the moment it is spotted.
 
-**Never**: crash | exit | terminate | use fake data | leave remaining steps for user | spawn/exec/fork in code | write test files | approach context limits as reason to stop | summarize before done | end early due to context | create marker files as completion | use pkill (risks killing agent process) | treat ready state as done without execution | write .prd variants or to non-cwd paths | execute independent items sequentially | use crash as recovery | require human intervention as first solution | violate TOOL_INVARIANTS | use bash when `dev` skill suffices | use bash for file reads/writes/exploration/script execution | use Glob for exploration | use Grep for exploration | use Explore agent | use Read tool for code discovery | use WebSearch for codebase questions | start servers/workers without process-management skill | skip planning skill in PLAN phase | leave orphaned PM2 processes after work completes | defer fixing a spotted inconsistency | defer refactoring code that violates conventions | note an improvement without implementing it | write notes anywhere except .prd (temporary) or CLAUDE.md (permanent) | leave docs out of sync with code | silently pick one rule when two conflict | preserve a policy conflict without resolving it | enforce a policy only at end of session instead of at point of violation
+**Never**: crash | exit | terminate | use fake data | leave remaining steps for user | spawn/exec/fork in code | write test files | approach context limits as reason to stop | summarize before done | end early due to context | create marker files as completion | use pkill (risks killing agent process) | treat ready state as done without execution | write .prd variants or to non-cwd paths | execute independent items sequentially | use crash as recovery | require human intervention as first solution | violate TOOL_INVARIANTS | use raw bash when `bun x gm-exec` suffices | use bash for file reads/writes/exploration/script execution | use Glob for exploration | use Grep for exploration | use Explore agent | use Read tool for code discovery | use WebSearch for codebase questions | start servers/workers without process-management skill | skip planning skill in PLAN phase | leave orphaned PM2 processes after work completes | defer fixing a spotted inconsistency | defer refactoring code that violates conventions | note an improvement without implementing it | write notes anywhere except .prd (temporary) or CLAUDE.md (permanent) | leave docs out of sync with code | silently pick one rule when two conflict | preserve a policy conflict without resolving it | enforce a policy only at end of session instead of at point of violation
 
-**Always**: execute in `dev` skill or `agent-browser` skill | delete mocks on discovery | expose debug hooks | keep files under 200 lines | use ground truth | verify by witnessed execution | complete fully with real data | recover from failures | systems survive forever by design | checkpoint state continuously | contain all promises | maintain supervisors for all components | fix inconsistencies immediately when spotted | restructure code immediately when convention violation found | implement logical improvements immediately when identified | reconcile docs and code before emitting | resolve policy conflicts at the moment they are spotted
+**Always**: execute via `bun x gm-exec` or `agent-browser` skill | delete mocks on discovery | expose debug hooks | keep files under 200 lines | use ground truth | verify by witnessed execution | complete fully with real data | recover from failures | systems survive forever by design | checkpoint state continuously | contain all promises | maintain supervisors for all components | fix inconsistencies immediately when spotted | restructure code immediately when convention violation found | implement logical improvements immediately when identified | reconcile docs and code before emitting | resolve policy conflicts at the moment they are spotted
 
 ### PRE-COMPLETION VERIFICATION CHECKLIST
 
 **EXECUTE THIS BEFORE CLAIMING WORK IS DONE:**
 
-Before reporting completion or sending final response, execute in `dev` skill or `agent-browser` skill:
+Before reporting completion or sending final response, execute via `bun x gm-exec` or `agent-browser` skill:
 
 ```
 1. CODE EXECUTION TEST
-   [ ] Execute the modified code using `dev` skill with real inputs
+   [ ] Execute the modified code using `bun x gm-exec exec <code>` with real inputs
    [ ] Capture actual console output or return values
    [ ] Verify success paths work as expected
    [ ] Test failure/edge cases if applicable

package/copilot-profile.md

@@ -1,6 +1,6 @@
 ---
 name: gm
-version: 2.0.144
+version: 2.0.149
 description: State machine agent with hooks, skills, and automated git enforcement
 author: AnEntrypoint
 repository: https://github.com/AnEntrypoint/gm-copilot-cli

package/hooks/pre-tool-use-hook.js

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env bun
 
 const fs = require('fs');
 const path = require('path');

package/hooks/prompt-submit-hook.js

@@ -1,4 +1,9 @@
-#!/usr/bin/env node
+#!/usr/bin/env bun
+
+if (process.env.AGENTGUI_SUBPROCESS === '1') {
+  console.log(JSON.stringify({ additionalContext: '' }));
+  process.exit(0);
+}
 
 const fs = require('fs');
 const path = require('path');
@@ -7,8 +12,8 @@ const { execSync } = require('child_process');
 const pluginRoot = process.env.CLAUDE_PLUGIN_ROOT || process.env.GEMINI_PROJECT_DIR || process.env.OC_PLUGIN_ROOT || process.env.KILO_PLUGIN_ROOT || path.join(__dirname, '..');
 const projectDir = process.env.CLAUDE_PROJECT_DIR || process.env.GEMINI_PROJECT_DIR || process.env.OC_PROJECT_DIR || process.env.KILO_PROJECT_DIR;
 
-const COMPACT_CONTEXT = 'use gm agent | ref: TOOL_INVARIANTS | codesearch for exploration | Bash for execution';
-const PLAN_MODE_BLOCK = 'DO NOT use EnterPlanMode or any plan mode tool. Use GM agent planning (PLAN→EXECUTE→EMIT→VERIFY→COMPLETE state machine) instead. Plan mode is blocked.';
+const COMPACT_CONTEXT = 'use gm agent | ref: TOOL_INVARIANTS | codesearch for exploration | bun x gm-exec for execution';
+const PLAN_MODE_BLOCK = 'DO NOT use EnterPlanMode. Use GM agent planning (PLAN→EXECUTE→EMIT→VERIFY→COMPLETE state machine) instead. Plan mode is blocked.';
 
 const ensureGitignore = () => {
   if (!projectDir) return;
@@ -25,102 +30,23 @@ const ensureGitignore = () => {
         : content + '\n' + entry + '\n';
       fs.writeFileSync(gitignorePath, newContent);
     }
-  } catch (e) {
-    // Silently fail - not critical
-  }
-};
-
-const getBaseContext = (resetMsg = '') => {
-  let ctx = 'use gm agent';
-  if (resetMsg) ctx += ' - ' + resetMsg;
-  return ctx;
-};
-
-const readStdinPrompt = () => {
-  try {
-    const raw = fs.readFileSync(0, 'utf-8');
-    const data = JSON.parse(raw);
-    return data.prompt || '';
-  } catch (e) {
-    return '';
-  }
+  } catch (e) {}
 };
 
-const readGmAgent = () => {
-  if (!pluginRoot) return '';
-  try {
-    return fs.readFileSync(path.join(pluginRoot, 'agents/gm.md'), 'utf-8');
-  } catch (e) {
-    return '';
-  }
-};
-
-const runMcpThorns = () => {
+const runThorns = () => {
   if (!projectDir || !fs.existsSync(projectDir)) return '';
+  const localThorns = path.join(process.env.HOME || '/root', 'mcp-thorns', 'index.js');
+  const thornsBin = fs.existsSync(localThorns) ? `node ${localThorns}` : 'bun x mcp-thorns@latest';
   try {
-    let thornOutput;
-    try {
-      thornOutput = execSync('bun x mcp-thorns', {
-        encoding: 'utf-8',
-        stdio: ['pipe', 'pipe', 'pipe'],
-        cwd: projectDir,
-        timeout: 180000,
-        killSignal: 'SIGTERM'
-      });
-    } catch (bunErr) {
-      if (bunErr.killed && bunErr.signal === 'SIGTERM') {
-        thornOutput = '=== mcp-thorns ===\nSkipped (3min timeout)';
-      } else {
-        try {
-          thornOutput = execSync('npx -y mcp-thorns', {
-            encoding: 'utf-8',
-            stdio: ['pipe', 'pipe', 'pipe'],
-            cwd: projectDir,
-            timeout: 180000,
-            killSignal: 'SIGTERM'
-          });
-        } catch (npxErr) {
-          if (npxErr.killed && npxErr.signal === 'SIGTERM') {
-            thornOutput = '=== mcp-thorns ===\nSkipped (3min timeout)';
-          } else {
-            thornOutput = `=== mcp-thorns ===\nSkipped (error: ${bunErr.message.split('\n')[0]})`;
-          }
-        }
-      }
-    }
-    return `=== Repository analysis ===\n${thornOutput}`;
-  } catch (e) {
-    return `=== mcp-thorns ===\nSkipped (error: ${e.message.split('\n')[0]})`;
-  }
-};
-
-const runCodeSearch = (query, cwd) => {
-  if (!query || !cwd || !fs.existsSync(cwd)) return '';
-  try {
-    const escaped = query.replace(/"/g, '\\"').substring(0, 200);
-    let out;
-    try {
-      out = execSync(`bun x codebasesearch "${escaped}"`, {
-        encoding: 'utf-8',
-        stdio: ['pipe', 'pipe', 'pipe'],
-        cwd,
-        timeout: 55000,
-        killSignal: 'SIGTERM'
-      });
-    } catch (bunErr) {
-      if (bunErr.killed) return '';
-      out = execSync(`npx -y codebasesearch "${escaped}"`, {
-        encoding: 'utf-8',
-        stdio: ['pipe', 'pipe', 'pipe'],
-        cwd,
-        timeout: 55000,
-        killSignal: 'SIGTERM'
-      });
-    }
-    const lines = out.split('\n');
-    const resultStart = lines.findIndex(l => l.includes('Searching for:'));
-    return resultStart >= 0 ? lines.slice(resultStart).join('\n').trim() : out.trim();
+    const out = execSync(`${thornsBin} ${projectDir}`, {
+      encoding: 'utf-8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+      timeout: 15000,
+      killSignal: 'SIGTERM'
+    });
+    return `=== mcp-thorns ===\n${out.trim()}`;
   } catch (e) {
+    if (e.killed) return '=== mcp-thorns ===\nSkipped (timeout)';
     return '';
   }
 };
@@ -141,31 +67,12 @@ const emit = (additionalContext) => {
 
 try {
   ensureGitignore();
-
-  const prompt = readStdinPrompt();
   const parts = [];
-
-  // Always: include gm.md and mcp-thorns
-  const gmContent = readGmAgent();
-  if (gmContent) {
-    parts.push(gmContent);
-  }
-
-  const thornOutput = runMcpThorns();
-  parts.push(thornOutput);
-
-  // Always: base context and codebasesearch
-  parts.push(getBaseContext() + ' | ' + COMPACT_CONTEXT + ' | ' + PLAN_MODE_BLOCK);
-
-  if (prompt && projectDir) {
-    const searchResults = runCodeSearch(prompt, projectDir);
-    if (searchResults) {
-      parts.push(`=== Semantic code search results ===\n${searchResults}`);
-    }
-  }
-
+  const thorns = runThorns();
+  if (thorns) parts.push(thorns);
+  parts.push('use gm agent | ' + COMPACT_CONTEXT + ' | ' + PLAN_MODE_BLOCK);
   emit(parts.join('\n\n'));
 } catch (error) {
-  emit(getBaseContext('hook error: ' + error.message) + ' | ' + COMPACT_CONTEXT);
+  emit('use gm agent | hook error: ' + error.message);
   process.exit(0);
 }

package/hooks/session-start-hook.js

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env bun
 
 const fs = require('fs');
 const path = require('path');
@@ -75,29 +75,13 @@ When exploring unfamiliar code, finding similar patterns, understanding integrat
           encoding: 'utf-8',
           stdio: ['pipe', 'pipe', 'pipe'],
           cwd: projectDir,
-          timeout: 180000,
+          timeout: 15000,
           killSignal: 'SIGTERM'
         });
       } catch (bunErr) {
-        if (bunErr.killed && bunErr.signal === 'SIGTERM') {
-          thornOutput = '=== mcp-thorns ===\nSkipped (3min timeout)';
-        } else {
-          try {
-            thornOutput = execSync(`npx -y mcp-thorns@latest`, {
-              encoding: 'utf-8',
-              stdio: ['pipe', 'pipe', 'pipe'],
-              cwd: projectDir,
-              timeout: 180000,
-              killSignal: 'SIGTERM'
-            });
-          } catch (npxErr) {
-            if (npxErr.killed && npxErr.signal === 'SIGTERM') {
-              thornOutput = '=== mcp-thorns ===\nSkipped (3min timeout)';
-            } else {
-              thornOutput = `=== mcp-thorns ===\nSkipped (error: ${bunErr.message.split('\n')[0]})`;
-            }
-          }
-        }
+        thornOutput = bunErr.killed
+          ? '=== mcp-thorns ===\nSkipped (timeout)'
+          : `=== mcp-thorns ===\nSkipped (error: ${bunErr.message.split('\n')[0]})`;
       }
       outputs.push(`=== This is your initial insight of the repository, look at every possible aspect of this for initial opinionation and to offset the need for code exploration ===\n${thornOutput}`);
     } catch (e) {
@@ -165,7 +149,3 @@ When exploring unfamiliar code, finding similar patterns, understanding integrat
 
 
 
-
-
-
-

package/manifest.yml

@@ -1,5 +1,5 @@
 name: gm
-version: 2.0.144
+version: 2.0.149
 description: State machine agent with hooks, skills, and automated git enforcement
 author: AnEntrypoint
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "gm-copilot-cli",
-  "version": "2.0.144",
+  "version": "2.0.149",
   "description": "State machine agent with hooks, skills, and automated git enforcement",
   "author": "AnEntrypoint",
   "license": "MIT",

package/skills/code-search/SKILL.md

@@ -1,7 +1,165 @@
 ---
 name: code-search
-description: Semantic code search across the codebase. Use for all code exploration, finding implementations, locating files, and answering codebase questions. Replaces mcp__plugin_gm_code-search__search and codebasesearch MCP tool.
+description: Semantic code search across the codebase. Returns structured results with file paths, line numbers, and relevance scores. Use for all code exploration, finding implementations, locating files, and answering codebase questions.
+category: exploration
 allowed-tools: Bash(bun x codebasesearch*)
+input-schema:
+  type: object
+  required: [prompt]
+  properties:
+    prompt:
+      type: string
+      minLength: 3
+      maxLength: 200
+      description: Natural language search query describing what you're looking for
+    context:
+      type: object
+      description: Optional context about search scope and restrictions
+      properties:
+        path:
+          type: string
+          description: Restrict search to this directory path (relative or absolute)
+        file-types:
+          type: array
+          items: { type: string }
+          description: Filter results by file extensions (e.g., ["js", "ts", "py"])
+        exclude-patterns:
+          type: array
+          items: { type: string }
+          description: Exclude paths matching glob patterns (e.g., ["node_modules", "*.test.js"])
+    filter:
+      type: object
+      description: Output filtering and formatting options
+      properties:
+        max-results:
+          type: integer
+          minimum: 1
+          maximum: 500
+          default: 50
+          description: Maximum number of results to return
+        min-score:
+          type: number
+          minimum: 0
+          maximum: 1
+          default: 0.5
+          description: Minimum relevance score (0-1) to include in results
+        sort-by:
+          type: string
+          enum: [relevance, path, line-number]
+          default: relevance
+          description: Result sort order
+    timeout:
+      type: integer
+      minimum: 1000
+      maximum: 30000
+      default: 10000
+      description: Search timeout in milliseconds (query returns partial results if exceeded)
+output-schema:
+  type: object
+  required: [status, results, meta]
+  properties:
+    status:
+      type: string
+      enum: [success, partial, empty, timeout, error]
+      description: Overall operation status
+    results:
+      type: array
+      description: Array of matching code locations
+      items:
+        type: object
+        required: [file, line, content, score]
+        properties:
+          file:
+            type: string
+            description: Absolute or relative file path to matched file
+          line:
+            type: integer
+            description: Line number where match occurs (1-indexed)
+          content:
+            type: string
+            description: The matched line or context snippet
+          score:
+            type: number
+            minimum: 0
+            maximum: 1
+            description: Relevance score where 1.0 is perfect match
+          context:
+            type: object
+            description: Surrounding context lines (optional)
+            properties:
+              before:
+                type: array
+                items: { type: string }
+                description: Lines before the match
+              after:
+                type: array
+                items: { type: string }
+                description: Lines after the match
+          metadata:
+            type: object
+            description: File and match metadata (optional)
+            properties:
+              language:
+                type: string
+                description: Programming language detected (js, ts, py, rs, go, etc.)
+              size:
+                type: integer
+                description: File size in bytes
+              modified:
+                type: string
+                format: date-time
+                description: Last modification timestamp
+    meta:
+      type: object
+      required: [query, count, duration_ms]
+      description: Query execution metadata
+      properties:
+        query:
+          type: string
+          description: Normalized query that was executed
+        count:
+          type: integer
+          description: Total matches found (before filtering)
+        filtered:
+          type: integer
+          description: Results returned (after filtering and limiting)
+        duration_ms:
+          type: integer
+          description: Execution time in milliseconds
+        scanned_files:
+          type: integer
+          description: Total files examined during search
+        timestamp:
+          type: string
+          format: date-time
+          description: When execution completed
+    errors:
+      type: array
+      description: Non-fatal errors that occurred (may appear alongside partial results)
+      items:
+        type: object
+        properties:
+          code:
+            type: string
+            enum: [TIMEOUT, INVALID_PATH, SCHEMA_VIOLATION, EXECUTION_FAILED]
+            description: Error classification
+          message:
+            type: string
+            description: Human-readable error description
+output-format: json
+error-handling:
+  timeout:
+    behavior: return-partial
+    description: Returns results collected before timeout with status=partial
+  invalid-input:
+    behavior: reject
+    description: Returns status=error with validation errors in errors array
+  empty-results:
+    behavior: return-empty
+    description: Returns status=empty with count=0, filtered=0, results=[]
+  execution-error:
+    behavior: return-error
+    description: Returns status=error with error details in errors array
 ---
 
 # Semantic Code Search
@@ -14,7 +172,56 @@ Only use bun x codebasesearch for searching code, or execute some custom code if
 bun x codebasesearch "your natural language query"
 ```
 
-## Examples
+## Invocation Examples
+
+### Via Skill Tool (Recommended - Structured JSON Input)
+
+**Basic search**:
+```json
+{
+  "prompt": "where is authentication handled"
+}
+```
+
+**With filtering and limits**:
+```json
+{
+  "prompt": "database connection setup",
+  "filter": {
+    "max-results": 20,
+    "min-score": 0.7,
+    "sort-by": "path"
+  }
+}
+```
+
+**Scoped to directory with file type filter**:
+```json
+{
+  "prompt": "error logging middleware",
+  "context": {
+    "path": "src/middleware/",
+    "file-types": ["js", "ts"]
+  },
+  "timeout": 5000
+}
+```
+
+**Exclude patterns and narrow results**:
+```json
+{
+  "prompt": "rate limiter implementation",
+  "context": {
+    "exclude-patterns": ["*.test.js", "node_modules/*"]
+  },
+  "filter": {
+    "max-results": 10,
+    "min-score": 0.8
+  }
+}
+```
+
+### Legacy CLI Invocation (Still Supported)
 
 ```bash
 bun x codebasesearch "where is authentication handled"
@@ -24,9 +231,146 @@ bun x codebasesearch "function that parses config files"
 bun x codebasesearch "where is the rate limiter"
 ```
 
+## Output Examples
+
+### Success Response (Multiple Results)
+
+```json
+{
+  "status": "success",
+  "results": [
+    {
+      "file": "src/auth/handler.js",
+      "line": 42,
+      "content": "async function authenticateUser(credentials) {",
+      "score": 0.95,
+      "context": {
+        "before": [
+          "// Main authentication entry point",
+          ""
+        ],
+        "after": [
+          "  const { username, password } = credentials;",
+          "  const user = await db.users.findOne({ username });"
+        ]
+      },
+      "metadata": {
+        "language": "javascript",
+        "size": 2048,
+        "modified": "2025-03-10T14:23:00Z"
+      }
+    },
+    {
+      "file": "src/middleware/auth-middleware.js",
+      "line": 18,
+      "content": "export const requireAuth = (req, res, next) => {",
+      "score": 0.78,
+      "metadata": {
+        "language": "javascript",
+        "size": 1024,
+        "modified": "2025-03-10T14:20:00Z"
+      }
+    }
+  ],
+  "meta": {
+    "query": "authentication handled",
+    "count": 2,
+    "filtered": 2,
+    "duration_ms": 245,
+    "scanned_files": 87,
+    "timestamp": "2025-03-15T10:30:00Z"
+  }
+}
+```
+
+### Empty Results Response
+
+```json
+{
+  "status": "empty",
+  "results": [],
+  "meta": {
+    "query": "nonexistent pattern xyz123",
+    "count": 0,
+    "filtered": 0,
+    "duration_ms": 123,
+    "scanned_files": 87,
+    "timestamp": "2025-03-15T10:30:00Z"
+  }
+}
+```
+
+### Timeout Response (Partial Results)
+
+```json
+{
+  "status": "partial",
+  "results": [
+    {
+      "file": "src/a.js",
+      "line": 5,
+      "content": "function init() {",
+      "score": 0.92,
+      "metadata": { "language": "javascript", "size": 512 }
+    },
+    {
+      "file": "src/b.js",
+      "line": 12,
+      "content": "const setup = () => {",
+      "score": 0.85,
+      "metadata": { "language": "javascript", "size": 768 }
+    }
+  ],
+  "meta": {
+    "query": "expensive search pattern",
+    "count": 1847,
+    "filtered": 2,
+    "duration_ms": 10000,
+    "scanned_files": 45,
+    "timestamp": "2025-03-15T10:30:00Z"
+  },
+  "errors": [
+    {
+      "code": "TIMEOUT",
+      "message": "Search exceeded 10000ms limit. Returning partial results (2 of 1847 matches)."
+    }
+  ]
+}
+```
+
+### Error Response (Invalid Input)
+
+```json
+{
+  "status": "error",
+  "results": [],
+  "meta": {
+    "query": null,
+    "count": 0,
+    "filtered": 0,
+    "duration_ms": 50,
+    "scanned_files": 0,
+    "timestamp": "2025-03-15T10:30:00Z"
+  },
+  "errors": [
+    {
+      "code": "INVALID_PATH",
+      "message": "context.path='/nonexistent' does not exist"
+    },
+    {
+      "code": "SCHEMA_VIOLATION",
+      "message": "filter.max-results must be between 1 and 500, got 1000"
+    }
+  ]
+}
+```
+
 ## Rules
 
 - Always use this first before reading files — it returns file paths and line numbers
-- Natural language queries work best; be descriptive
-- No persistent files created; results stream to stdout only
-- Use the returned file paths + line numbers to go directly to relevant code
+- Natural language queries work best; be descriptive about what you're looking for
+- Structured JSON output includes relevance scores and file paths for immediate navigation
+- Use returned file paths and line numbers to read full file context via Read tool
+- Results are pre-sorted by relevance (highest scores first) unless sort-by specifies otherwise
+- Timeout queries return partial results with status=partial — use if time-critical
+- Schema validation ensures valid input before execution — invalid args return error with details

package/tools.json

@@ -1,6 +1,6 @@
 {
   "name": "gm",
-  "version": "2.0.144",
+  "version": "2.0.149",
   "description": "State machine agent with hooks, skills, and automated git enforcement",
   "tools": [
     {