gm-kilo 2.0.46 → 2.0.48

package/.github/workflows/publish-npm.yml

@@ -11,27 +11,52 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GH_PAT || github.token }}
 
       - uses: actions/setup-node@v4
         with:
           node-version: '22'
           registry-url: 'https://registry.npmjs.org'
 
+      - name: Configure git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Bump patch version
+        run: |
+          PACKAGE=$(jq -r '.name' package.json)
+          OLD_VERSION=$(jq -r '.version' package.json)
+
+          # Skip bump if last commit was already a version bump
+          LAST_MSG=$(git log -1 --pretty=%s)
+          if echo "$LAST_MSG" | grep -qE '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
+            echo "Last commit was a version bump, skipping"
+            echo "SKIP_BUMP=true" >> $GITHUB_ENV
+          else
+            npm version patch --no-git-tag-version
+            NEW_VERSION=$(jq -r '.version' package.json)
+            git add package.json
+            git commit -m "v$NEW_VERSION"
+            git push
+            echo "Bumped $PACKAGE from $OLD_VERSION to $NEW_VERSION"
+          fi
+
       - name: Publish to npm
         run: |
           PACKAGE=$(jq -r '.name' package.json)
           VERSION=$(jq -r '.version' package.json)
           echo "Package: $PACKAGE@$VERSION"
 
-          # Skip if this exact version is already on npm
           PUBLISHED=$(npm view "$PACKAGE@$VERSION" version 2>/dev/null || echo "")
           if [ "$PUBLISHED" = "$VERSION" ]; then
-            echo "✅ $PACKAGE@$VERSION already published - skipping"
+            echo "$PACKAGE@$VERSION already published - skipping"
             exit 0
           fi
 
           echo "Publishing $PACKAGE@$VERSION..."
           npm publish --access public
-          echo "✅ Published $PACKAGE@$VERSION"
+          echo "Published $PACKAGE@$VERSION"
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package/.gitignore

@@ -11,3 +11,6 @@ build/
 .vscode/
 .idea/
 *.iml
+.gm-stop-verified
+
+.code-search/

package/agents/gm.md

@@ -225,6 +225,38 @@ Never report work complete while uncommitted changes exist. Never leave unpushed
 
 This policy applies to ALL platforms (Claude Code, Gemini CLI, OpenCode, Kilo CLI, Codex, and all IDE extensions). Platform-specific git enforcement hooks will verify compliance, but the responsibility lies with you to execute the commit and push before completion.
 
+## CHARTER 9: PROCESS MANAGEMENT
+
+Scope: Runtime process execution. Governs how all applications are started, monitored, and cleaned up.
+
+**ALL APPLICATIONS MUST RUN VIA PM2.** Direct invocations (node, bun, python, npx) are forbidden for any process that produces output or has a lifecycle. This applies to servers, workers, agents, and background services.
+
+**PRE-START CHECK (MANDATORY)**: Before starting any process, execute `pm2 jlist`. If the process exists with `online` status: observe it with `pm2 logs <name>`. If `stopped`: restart it. Only start new if not found. Never create duplicate processes.
+
+**Standard configuration** — all PM2 processes must use:
+- `autorestart: false` — no crash recovery, explicit control only
+- `watch: ["src", "config"]` — file-change restarts scoped to source directories
+- `ignore_watch: ["node_modules", ".git", "logs", "*.log"]` — never watch these
+- `watch_delay: 1000` — debounce rapid multi-file changes
+
+**Cross-platform requirements**:
+- Windows: cannot spawn `.cmd` shims — use `interpreter: "cmd", interpreter_args: "/c"` for npm scripts; resolve actual `.js` path for globally installed CLIs
+- WSL watching `/mnt/c/...` paths: set `watch_options: { usePolling: true, interval: 1000 }`
+- Windows 11+: `spawn wmic ENOENT` in daemon logs is cosmetic — app processes work; fix with `npm install -g pm2@latest`
+- Linux watch exhaustion: `echo fs.inotify.max_user_watches=524288 | sudo tee -a /etc/sysctl.conf && sudo sysctl -p`
+
+**Log monitoring**:
+```bash
+pm2 logs <name>              # stream live output
+pm2 logs <name> --lines 100  # last N lines then stream
+pm2 logs <name> --err        # errors only
+pm2 logs <name> --nostream --lines 200  # dump without follow
+```
+
+**Lifecycle cleanup**: When work is complete, always run `pm2 delete <name>`. Never leave orphaned processes. `pm2 stop` on a watched process is not sufficient — use `pm2 delete`.
+
+See `process-management` skill for full reference, ecosystem config templates, and Windows/Linux specifics.
+
 ## CONSTRAINTS
 
 Scope: Global prohibitions and mandates applying across all charters. Precedence cascade: CONSTRAINTS > charter-specific rules > prior habits or examples. When conflict arises, higher-precedence source wins and lower source must be revised.

package/hooks/pre-tool-use-hook.js

@@ -55,6 +55,29 @@ const run = () => {
       return { block: true, reason: 'Plan mode is disabled. Use GM agent planning (PLAN→EXECUTE→EMIT→VERIFY→COMPLETE state machine) via gm:gm subagent instead.' };
     }
 
+    if (tool_name === 'Bash') {
+      const command = (tool_input?.command || '').trim();
+      const allowed = /^(git |npm publish|npm pack|docker |sudo systemctl|systemctl )/.test(command);
+      if (!allowed) {
+        return { block: true, reason: 'Bash is blocked. Use the code_execution tool with Python instead. The hook intercepts code_execution, runs python3, and returns stdout/stderr/exit_code. Example: use code_execution with code "import subprocess; r=subprocess.run([\'node\',\'--version\'],capture_output=True,text=True); print(r.stdout)"' };
+      }
+    }
+
+    if (tool_name === 'code_execution') {
+      const code = tool_input?.code || '';
+      const { spawnSync } = require('child_process');
+      const proc = spawnSync('python3', ['-'], {
+        input: code,
+        encoding: 'utf-8',
+        timeout: 30000
+      });
+      const stdout = proc.stdout || '';
+      const stderr = proc.stderr || '';
+      const exitCode = proc.status !== null ? proc.status : 1;
+      const result = `[CODE EXECUTION RESULT]\nstdout: ${stdout}\nstderr: ${stderr}\nexit_code: ${exitCode}`;
+      return { block: true, reason: result };
+    }
+
     return { allow: true };
   } catch (error) {
     return { allow: true };
@@ -70,7 +93,7 @@ try {
     } else {
       console.log(JSON.stringify({ hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: result.reason } }));
     }
-    process.exit(2);
+    process.exit(0);
   }
 
   if (isGemini) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "gm-kilo",
-  "version": "2.0.46",
+  "version": "2.0.48",
   "description": "State machine agent with hooks, skills, and automated git enforcement",
   "author": "AnEntrypoint",
   "license": "MIT",
@@ -54,4 +54,4 @@
     ".gitignore",
     ".editorconfig"
   ]
-}
+}

package/skills/dev/SKILL.md

@@ -1,48 +1,54 @@
 ---
 name: dev
-description: Execute code and shell commands. Use for all code execution, file operations, running scripts, testing hypotheses, and any task that requires running code. Replaces plugin:gm:dev and mcp-glootie.
-allowed-tools: Bash
+description: Execute code by calling the code_execution tool with Python code. The PreToolUse hook intercepts code_execution calls, runs the Python via python3, and returns stdout/stderr/exit_code as the result. Use for all code execution, file operations, running scripts, and hypothesis testing.
+allowed-tools: Bash,code_execution
 ---
 
 # Code Execution with dev
 
-Execute code directly using the Bash tool. No wrapper, no persistent files, no cleanup needed beyond what the code itself creates.
+Use the `code_execution` tool with Python code. The hook intercepts the call, executes the Python locally, and returns the result as a deny reason formatted as:
 
-## Run code inline
-
-```bash
-# JavaScript / TypeScript
-bun -e "const fs = require('fs'); console.log(fs.readdirSync('.'))"
-bun -e "import { readFileSync } from 'fs'; console.log(readFileSync('package.json', 'utf-8'))"
-
-# Run a file
-bun run script.ts
-node script.js
-
-# Python
-python -c "import json; print(json.dumps({'ok': True}))"
-
-# Shell
-bash -c "ls -la && cat package.json"
 ```
+[CODE EXECUTION RESULT]
+stdout: <output>
+stderr: <errors>
+exit_code: <N>
+```
+
+## Run code inline
 
-## File operations (inline, no temp files)
+```python
+# File operations
+import os, json
+print(json.dumps(os.listdir('.')))
 
-```bash
-# Read
-bun -e "console.log(require('fs').readFileSync('path/to/file', 'utf-8'))"
+# Read a file
+with open('package.json') as f:
+    print(f.read())
 
-# Write
-bun -e "require('fs').writeFileSync('out.json', JSON.stringify({x:1}, null, 2))"
+# Write a file
+with open('out.json', 'w') as f:
+    import json
+    json.dump({'ok': True}, f, indent=2)
 
 # Stat / exists
-bun -e "const fs=require('fs'); console.log(fs.existsSync('file.txt'), fs.statSync?.('.')?.size)"
+import os
+print(os.path.exists('file.txt'), os.path.getsize('.'))
+
+# HTTP requests
+import urllib.request
+resp = urllib.request.urlopen('https://example.com')
+print(resp.read()[:200])
+
+# Run subprocess
+import subprocess
+r = subprocess.run(['node', '--version'], capture_output=True, text=True)
+print(r.stdout)
 ```
 
 ## Rules
 
 - Each run under 15 seconds
 - Pack every related hypothesis into one run — never one idea per run
-- No persistent temp files; if a temp file is needed, delete it in the same command
-- No spawn/exec/fork inside executed code
-- Use `bun` over `node` when available
+- No persistent temp files; if a temp file is needed, delete it in the same code
+- Use `code_execution` tool for all execution; Bash only for git/npm publish/docker

package/skills/process-management/SKILL.md

@@ -0,0 +1,187 @@
+---
+name: process-management
+description: >-
+  PM2 process management for all running applications. Enforces: pre-check for
+  running processes before start, watch enabled, autorestart disabled, lifecycle
+  cleanup when done. Use for all servers, workers, agents, background processes.
+  Triggers: start server, run application, background process, pm2, keep alive,
+  process manager, daemon, monitor logs.
+---
+
+# Process Management — PM2
+
+All applications MUST run through PM2. Direct invocations (node, bun, python) are forbidden for any process that produces output or has a lifecycle.
+
+## Installation (First Time Only)
+
+Check if PM2 is installed:
+
+```bash
+pm2 --version
+```
+
+If command not found, install globally:
+
+```bash
+npm install -g pm2
+```
+
+Verify installation:
+
+```bash
+pm2 --version        # should print version number
+pm2 ping             # should respond "pong"
+```
+
+## Pre-Start Check (MANDATORY)
+
+Before starting any process, check what is already running:
+
+```bash
+pm2 jlist
+```
+
+- `online` → already running, use `pm2 logs <name>` to observe
+- `stopped` → use `pm2 restart <name>`
+- Not in list → proceed to start
+
+Never start a duplicate process. Always check first.
+
+## Start a Process
+
+```bash
+# CLI (quick)
+pm2 start app.js --name myapp --watch --no-autorestart
+
+# With interpreter
+pm2 start script.py --interpreter python3 --name worker --watch --no-autorestart
+
+# From ecosystem config (preferred for reproducibility)
+pm2 start ecosystem.config.cjs
+```
+
+## Ecosystem Config (Standard Template)
+
+`autorestart: false` — process stops on crash, no automatic recovery
+`watch: true` — restarts on file changes in watched directories only
+
+```javascript
+// ecosystem.config.cjs
+module.exports = {
+  apps: [{
+    name: "myapp",
+    script: "src/index.js",
+    watch: ["src", "config"],
+    watch_delay: 1000,
+    autorestart: false,
+    ignore_watch: [
+      "node_modules",
+      ".git",
+      "logs",
+      "*.log",
+      ".pm2",
+      "public",
+      "uploads"
+    ],
+    watch_options: {
+      followSymlinks: false,
+      usePolling: false
+    },
+    log_date_format: "YYYY-MM-DD HH:mm:ss",
+    out_file: "./logs/out.log",
+    error_file: "./logs/error.log"
+  }]
+};
+```
+
+## Log Viewing
+
+```bash
+pm2 logs <name>                      # stream live (Ctrl+C to stop)
+pm2 logs <name> --lines 100          # last 100 lines then stream
+pm2 logs <name> --err                # errors only
+pm2 logs <name> --out                # stdout only
+pm2 logs <name> --nostream --lines 200  # dump without follow
+pm2 logs --json                      # structured JSON output
+pm2 flush                            # clear all log files
+```
+
+Log files: `~/.pm2/logs/<name>-out.log` / `<name>-error.log`
+Windows path: `C:\Users\<user>\.pm2\logs\`
+
+## Lifecycle Management
+
+```bash
+pm2 list                    # view all processes and status
+pm2 jlist                   # JSON output for scripting
+pm2 info <name>             # detailed process info
+pm2 stop <name>             # stop (keeps in list)
+pm2 restart <name>          # restart
+pm2 delete <name>           # stop + remove from list
+pm2 delete all              # remove all processes
+pm2 ping                    # check if PM2 daemon is alive
+```
+
+**When work is complete: always `pm2 delete <name>` to clean up orphaned processes.**
+
+Stopping a watched process: `pm2 stop` while watch is active restarts on next file change.
+To fully halt: `pm2 delete <name>` (removes it entirely).
+
+## Windows vs Linux
+
+### File Watching
+
+| Environment | Config |
+|---|---|
+| Linux native | `usePolling: false` (inotify kernel events) |
+| WSL watching `/mnt/c/...` | `usePolling: true, interval: 1000` |
+| Windows native | `usePolling: false` (ReadDirectoryChangesW) |
+| Network / NFS / Docker volumes | `usePolling: true, interval: 1000` |
+
+Linux inotify exhaustion fix (symptom: watch silently stops working):
+```bash
+echo fs.inotify.max_user_watches=524288 | sudo tee -a /etc/sysctl.conf && sudo sysctl -p
+```
+
+### Windows: npm Scripts and .cmd Wrappers
+
+PM2 cannot spawn `.cmd` shims (npm, npx, etc.) directly — they require `cmd.exe`.
+
+```javascript
+// ecosystem.config.cjs — Windows npm script
+{
+  name: "myapp",
+  script: "npm",
+  args: "start",
+  interpreter: "cmd",
+  interpreter_args: "/c"
+}
+```
+
+For globally installed CLIs, find the real `.js` entry point:
+```bash
+# Linux/macOS
+cat "$(which myapp)" | head -5
+
+# Windows PowerShell
+Get-Command myapp | Select-Object -ExpandProperty Source
+```
+Point `script` at the resolved `.js` file — never at the `.cmd` wrapper.
+
+### Windows 11+ wmic Error
+
+PM2 uses `wmic` for process stats — removed in Windows 11+.
+Symptom: `Error: spawn wmic ENOENT` in `~/.pm2/pm2.log`.
+Fix: `npm install -g pm2@latest`. App processes continue working despite the error.
+
+### Persistence on Reboot
+
+| Platform | Method |
+|---|---|
+| Linux | `pm2 startup && pm2 save` (auto-detects systemd/upstart/openrc) |
+| Windows | [pm2-installer](https://github.com/jessety/pm2-installer) (Windows Service) |
+
+```bash
+pm2 save        # snapshot current process list to ~/.pm2/dump.pm2
+pm2 resurrect   # restore saved list after manual daemon restart
+```