gm-kilo 2.0.50 → 2.0.52

package/.github/workflows/publish-npm.yml

@@ -11,52 +11,27 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.GH_PAT || github.token }}
 
       - uses: actions/setup-node@v4
         with:
           node-version: '22'
           registry-url: 'https://registry.npmjs.org'
 
-      - name: Configure git
-        run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-
-      - name: Bump patch version
-        run: |
-          PACKAGE=$(jq -r '.name' package.json)
-          OLD_VERSION=$(jq -r '.version' package.json)
-
-          # Skip bump if last commit was already a version bump
-          LAST_MSG=$(git log -1 --pretty=%s)
-          if echo "$LAST_MSG" | grep -qE '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
-            echo "Last commit was a version bump, skipping"
-            echo "SKIP_BUMP=true" >> $GITHUB_ENV
-          else
-            npm version patch --no-git-tag-version
-            NEW_VERSION=$(jq -r '.version' package.json)
-            git add package.json
-            git commit -m "v$NEW_VERSION"
-            git push
-            echo "Bumped $PACKAGE from $OLD_VERSION to $NEW_VERSION"
-          fi
-
       - name: Publish to npm
         run: |
           PACKAGE=$(jq -r '.name' package.json)
           VERSION=$(jq -r '.version' package.json)
           echo "Package: $PACKAGE@$VERSION"
 
+          # Skip if this exact version is already on npm
           PUBLISHED=$(npm view "$PACKAGE@$VERSION" version 2>/dev/null || echo "")
           if [ "$PUBLISHED" = "$VERSION" ]; then
-            echo "$PACKAGE@$VERSION already published - skipping"
+            echo "✅ $PACKAGE@$VERSION already published - skipping"
             exit 0
           fi
 
           echo "Publishing $PACKAGE@$VERSION..."
           npm publish --access public
-          echo "Published $PACKAGE@$VERSION"
+          echo "✅ Published $PACKAGE@$VERSION"
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package/.gitignore

@@ -11,6 +11,3 @@ build/
 .vscode/
 .idea/
 *.iml
-.gm-stop-verified
-
-.code-search/

package/.mcp.json

@@ -1,9 +1,3 @@
 {
-  "$schema": "https://schemas.modelcontextprotocol.io/0.1.0/mcp.json",
-  "mcpServers": {
-    "code_execution": {
-      "command": "npx",
-      "args": ["-y", "mcp-gm"]
-    }
-  }
+  "$schema": "https://schemas.modelcontextprotocol.io/0.1.0/mcp.json"
 }

package/agents/gm.md

@@ -54,11 +54,11 @@ The .prd path must resolve to exactly ./.prd in current working directory. No va
 
 Scope: Where and how code runs. Governs tool selection and execution context.
 
-All execution via `code_execution` tool (Python) or `agent-browser` skill. Every hypothesis proven by execution before changing files. Know nothing until execution proves it.
+All execution via `dev` skill or `agent-browser` skill. Every hypothesis proven by execution before changing files. Know nothing until execution proves it.
 
-**CODE YOUR HYPOTHESES**: Test every possible hypothesis using the `code_execution` tool with Python or `agent-browser` skill. Each run must be under 15 seconds and must densely pack every possible related hypothesis. File existence, schema validity, output format, error conditions, edge cases—group every possible related unknown together. The goal is every possible hypothesis per run. Use `agent-browser` skill for cross-client UI testing and browser-based hypothesis validation.
+**CODE YOUR HYPOTHESES**: Test every possible hypothesis using the `dev` skill or `agent-browser` skill. Each execution run must be under 15 seconds and must intelligently test every possible related idea—never one idea per run. Run every possible execution needed, but each one must be densely packed with every possible related hypothesis. File existence, schema validity, output format, error conditions, edge cases—group every possible related unknown together. The goal is every possible hypothesis per run. Use `agent-browser` skill for cross-client UI testing and browser-based hypothesis validation.
 
-**DEFAULT IS code_execution WITH PYTHON**: Call the `code_execution` tool with Python code. The PreToolUse hook intercepts it, runs python3, and returns the output. Bash is blocked except for git, npm publish, and docker. If you find yourself writing a bash command, stop and ask: can this be done in Python? The answer is almost always yes. Use `subprocess.run()` for shell operations that truly can't be done otherwise.
+**DEFAULT IS CODE, NOT BASH**: `dev` skill is the primary execution tool. Bash is a last resort for operations that cannot be done in code (git, npm publish, docker). If you find yourself writing a bash command, stop and ask: can this be done in the `dev` skill? The answer is almost always yes.
 
 **TOOL POLICY**: All code execution via `dev` skill. Use `code-search` skill for exploration. Reference TOOL_INVARIANTS for enforcement.
 
@@ -74,8 +74,8 @@ All execution via `code_execution` tool (Python) or `agent-browser` skill. Every
 
 **REQUIRED TOOL MAPPING**:
 - Code exploration: `code-search` skill — THE ONLY exploration tool. Semantic search 102 file types. Natural language queries with line numbers. No glob, no grep, no find, no explore agent, no Read for discovery.
-- Code execution: call the `code_execution` tool directly with Python code — the PreToolUse hook intercepts it, runs python3, and returns `[CODE EXECUTION RESULT]\nstdout: ...\nstderr: ...\nexit_code: N` as the result. Use Python's `subprocess` module for shell operations, `pathlib`/`os` for files, `requests` for HTTP.
-- File operations: `code_execution` tool with Python `pathlib`/`os`/`open()` — read, write, stat files
+- Code execution: `dev` skill — run JS/TS/Python/Go/Rust/etc via Bash
+- File operations: `dev` skill with bun/node fs inline — read, write, stat files
 - Bash: ONLY git, npm publish/pack, docker, system daemons
 - Browser: Use **`agent-browser` skill** instead of puppeteer/playwright - same power, cleaner syntax, built for AI agents
 

package/hooks/pre-tool-use-hook.js

@@ -57,9 +57,9 @@ const run = () => {
 
     if (tool_name === 'Bash') {
       const command = (tool_input?.command || '').trim();
-      const allowed = /^(git |npm publish|npm pack|docker |sudo systemctl|systemctl )/.test(command);
+      const allowed = /^(git |gh |npm publish|npm pack|docker |sudo systemctl|systemctl )/.test(command);
       if (!allowed) {
-        return { block: true, reason: 'Bash is blocked. Use the code_execution MCP tool instead. It supports Python, JS/TS, Go, Rust, C/C++ and bash via the language parameter. Example: code_execution({ code: "print(1+1)", language: "python", workingDirectory: process.cwd() })' };
+        return { block: true, reason: 'Bash is blocked. Use the code_execution MCP tool instead. It supports Python, JS/TS, Go, Rust, C/C++ and bash via the language parameter.' };
       }
     }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "gm-kilo",
-  "version": "2.0.50",
+  "version": "2.0.52",
   "description": "State machine agent with hooks, skills, and automated git enforcement",
   "author": "AnEntrypoint",
   "license": "MIT",
@@ -54,4 +54,4 @@
     ".gitignore",
     ".editorconfig"
   ]
-}
+}

package/scripts/postinstall.js

@@ -127,31 +127,11 @@ function install() {
   // Copy files
   safeCopyDirectory(path.join(sourceDir, 'agents'), path.join(claudeDir, 'agents'));
   safeCopyDirectory(path.join(sourceDir, 'hooks'), path.join(claudeDir, 'hooks'));
-  safeCopyDirectory(path.join(sourceDir, 'skills'), path.join(claudeDir, 'skills'));
   safeCopyFile(path.join(sourceDir, '.mcp.json'), path.join(claudeDir, '.mcp.json'));
-
-  // Write settings.json with autoUpdates and hooks wired up
-  const settingsPath = path.join(claudeDir, 'settings.json');
-  let settings = {};
-  if (fs.existsSync(settingsPath)) {
-    try { settings = JSON.parse(fs.readFileSync(settingsPath, 'utf-8')); } catch (e) {}
-  }
-  settings.autoUpdates = true;
-  settings.hooks = settings.hooks || {};
-  const hookCmd = `node ${path.join(claudeDir, 'hooks', 'pre-tool-use-hook.js')}`;
-  settings.hooks.PreToolUse = settings.hooks.PreToolUse || [{ matcher: '*', hooks: [{ type: 'command', command: hookCmd }] }];
-  const sessionHookCmd = `node ${path.join(claudeDir, 'hooks', 'session-start-hook.js')}`;
-  settings.hooks.SessionStart = settings.hooks.SessionStart || [{ hooks: [{ type: 'command', command: sessionHookCmd }] }];
-  const stopHookCmd = `node ${path.join(claudeDir, 'hooks', 'stop-hook.js')}`;
-  const stopGitCmd = `node ${path.join(claudeDir, 'hooks', 'stop-hook-git.js')}`;
-  settings.hooks.Stop = settings.hooks.Stop || [{ hooks: [{ type: 'command', command: stopHookCmd }, { type: 'command', command: stopGitCmd }] }];
-  const promptHookCmd = `node ${path.join(claudeDir, 'hooks', 'prompt-submit-hook.js')}`;
-  settings.hooks.UserPromptSubmit = settings.hooks.UserPromptSubmit || [{ hooks: [{ type: 'command', command: promptHookCmd }] }];
-  fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2), 'utf-8');
-
+  
   // Update .gitignore
   updateGitignore(projectRoot);
-
+  
   // Silent success
 }
 

package/skills/dev/SKILL.md

@@ -1,54 +1,48 @@
 ---
 name: dev
-description: Execute code by calling the code_execution tool with Python code. The PreToolUse hook intercepts code_execution calls, runs the Python via python3, and returns stdout/stderr/exit_code as the result. Use for all code execution, file operations, running scripts, and hypothesis testing.
-allowed-tools: Bash,code_execution
+description: Execute code and shell commands. Use for all code execution, file operations, running scripts, testing hypotheses, and any task that requires running code. Replaces plugin:gm:dev and mcp-glootie.
+allowed-tools: Bash
 ---
 
 # Code Execution with dev
 
-Use the `code_execution` tool with Python code. The hook intercepts the call, executes the Python locally, and returns the result as a deny reason formatted as:
-
-```
-[CODE EXECUTION RESULT]
-stdout: <output>
-stderr: <errors>
-exit_code: <N>
-```
+Execute code directly using the Bash tool. No wrapper, no persistent files, no cleanup needed beyond what the code itself creates.
 
 ## Run code inline
 
-```python
-# File operations
-import os, json
-print(json.dumps(os.listdir('.')))
+```bash
+# JavaScript / TypeScript
+bun -e "const fs = require('fs'); console.log(fs.readdirSync('.'))"
+bun -e "import { readFileSync } from 'fs'; console.log(readFileSync('package.json', 'utf-8'))"
+
+# Run a file
+bun run script.ts
+node script.js
+
+# Python
+python -c "import json; print(json.dumps({'ok': True}))"
+
+# Shell
+bash -c "ls -la && cat package.json"
+```
+
+## File operations (inline, no temp files)
 
-# Read a file
-with open('package.json') as f:
-    print(f.read())
+```bash
+# Read
+bun -e "console.log(require('fs').readFileSync('path/to/file', 'utf-8'))"
 
-# Write a file
-with open('out.json', 'w') as f:
-    import json
-    json.dump({'ok': True}, f, indent=2)
+# Write
+bun -e "require('fs').writeFileSync('out.json', JSON.stringify({x:1}, null, 2))"
 
 # Stat / exists
-import os
-print(os.path.exists('file.txt'), os.path.getsize('.'))
-
-# HTTP requests
-import urllib.request
-resp = urllib.request.urlopen('https://example.com')
-print(resp.read()[:200])
-
-# Run subprocess
-import subprocess
-r = subprocess.run(['node', '--version'], capture_output=True, text=True)
-print(r.stdout)
+bun -e "const fs=require('fs'); console.log(fs.existsSync('file.txt'), fs.statSync?.('.')?.size)"
 ```
 
 ## Rules
 
 - Each run under 15 seconds
 - Pack every related hypothesis into one run — never one idea per run
-- No persistent temp files; if a temp file is needed, delete it in the same code
-- Use `code_execution` tool for all execution; Bash only for git/npm publish/docker
+- No persistent temp files; if a temp file is needed, delete it in the same command
+- No spawn/exec/fork inside executed code
+- Use `bun` over `node` when available