heyio 0.22.0 → 0.23.0

package/dist/auth/session-logic.js

@@ -0,0 +1,79 @@
+/**
+ * Pure session-handling logic extracted from web/src/stores/auth.ts.
+ *
+ * These functions contain the core behavioral decisions made across four
+ * consecutive auth patches (#189→#192→#194→#196) that fixed undocumented
+ * Supabase JS v2 side-effects. They are expressed as framework-agnostic
+ * functions so they can be unit-tested with the Node test runner without
+ * requiring Vue or Pinia.
+ *
+ * The authoritative implementation lives in web/src/stores/auth.ts.
+ * Any change to the auth store's session logic MUST be reflected here and
+ * all tests in session-logic.test.ts must continue to pass.
+ */
+/**
+ * Mirrors the onAuthStateChange handler in web/src/stores/auth.ts.
+ *
+ * Decision: only SIGNED_OUT clears the cached session. All other events that
+ * fire with a null session (TOKEN_REFRESHED failure, lock timeout, internal
+ * reconciliation) are intentionally ignored to prevent cache poisoning.
+ *
+ * See squad decision 2026-05-16 03:17:52 and issue #193.
+ */
+export function handleAuthStateChange(cachedSession, event, newSession) {
+    if (newSession) {
+        // Accept any valid session regardless of event type
+        return newSession;
+    }
+    if (event === "SIGNED_OUT") {
+        // Only explicit sign-out clears the cache
+        return null;
+    }
+    // All other null-session events: leave the existing cache untouched
+    return cachedSession;
+}
+/**
+ * Mirrors getAccessToken() in web/src/stores/auth.ts.
+ *
+ * Decisions:
+ * - Reads from cached session — NEVER calls getSession() (Supabase JS v2
+ *   side-effect: can fire onAuthStateChange(null) during reconciliation).
+ * - Proactively refreshes when within 30 seconds of expiry.
+ * - Falls back to refreshSession() if cache is null and auth is enabled.
+ * - Returns null when auth is disabled.
+ *
+ * See squad decisions 2026-05-16 02:23:38, 2026-05-16 03:16:46 and issues
+ * #191, #193.
+ */
+export async function getAccessToken(cachedSession, authEnabled, refresh, now = Date.now) {
+    if (cachedSession?.access_token) {
+        // Proactively refresh when within 30 seconds of expiry
+        if (cachedSession.expires_at !== undefined &&
+            cachedSession.expires_at * 1000 - now() < 30_000) {
+            try {
+                const fresh = await refresh();
+                if (fresh)
+                    return fresh.access_token;
+            }
+            catch {
+                // fall through to cached token
+            }
+        }
+        return cachedSession.access_token;
+    }
+    // No cached session — attempt recovery if auth is enabled.
+    // Handles the edge case where the cache was spuriously cleared but a
+    // valid refresh token still exists in storage.
+    if (authEnabled) {
+        try {
+            const fresh = await refresh();
+            if (fresh)
+                return fresh.access_token;
+        }
+        catch {
+            // fall through to null
+        }
+    }
+    return null;
+}
+//# sourceMappingURL=session-logic.js.map

package/dist/auth/session-logic.test.js

@@ -0,0 +1,201 @@
+/**
+ * Auth session handling regression tests — Supabase JS v2 integration decisions.
+ *
+ * These tests guard the behavioral decisions made across four consecutive auth
+ * patches (#189→#192→#194→#196) that fixed undocumented Supabase JS v2 side-
+ * effects. They test the logic extracted into src/auth/session-logic.ts, which
+ * mirrors the implementation in web/src/stores/auth.ts.
+ *
+ * If auth store logic changes, update session-logic.ts to match AND verify
+ * these tests still pass.
+ */
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+import { handleAuthStateChange, getAccessToken, } from "./session-logic.js";
+// ── Helpers ───────────────────────────────────────────────────────────────────
+function makeSession(overrides = {}) {
+    return {
+        access_token: "tok-abc",
+        expires_at: Math.floor(Date.now() / 1000) + 3600, // 1 hour from now
+        user: { id: "user-1" },
+        ...overrides,
+    };
+}
+const neverCalled = async () => {
+    throw new Error("refresh should not have been called");
+};
+// Use a fixed epoch (multiple of 1000ms) for deterministic boundary tests.
+// T = 1_000_000_000_000ms (epoch seconds = 1_000_000_000)
+const FIXED_NOW_MS = 1_000_000_000_000;
+const FIXED_NOW_S = FIXED_NOW_MS / 1000; // 1_000_000_000
+// ── onAuthStateChange session caching ────────────────────────────────────────
+describe("handleAuthStateChange — onAuthStateChange caching rules", () => {
+    it("accepts a valid session on SIGNED_IN", () => {
+        const s = makeSession();
+        const result = handleAuthStateChange(null, "SIGNED_IN", s);
+        assert.deepEqual(result, s);
+    });
+    it("accepts a valid session on INITIAL_SESSION", () => {
+        const s = makeSession();
+        const result = handleAuthStateChange(null, "INITIAL_SESSION", s);
+        assert.deepEqual(result, s);
+    });
+    it("accepts a valid session on TOKEN_REFRESHED", () => {
+        const old = makeSession({ access_token: "tok-old" });
+        const fresh = makeSession({ access_token: "tok-new" });
+        const result = handleAuthStateChange(old, "TOKEN_REFRESHED", fresh);
+        assert.equal(result?.access_token, "tok-new");
+    });
+    // Critical regression: SIGNED_OUT is the ONLY event that clears the cache.
+    it("clears session on SIGNED_OUT with null session", () => {
+        const s = makeSession();
+        const result = handleAuthStateChange(s, "SIGNED_OUT", null);
+        assert.equal(result, null);
+    });
+    // Critical regression: internal null-session events must NOT poison the cache.
+    it("does NOT clear session on TOKEN_REFRESHED with null — keeps existing cache", () => {
+        const cached = makeSession({ access_token: "tok-valid" });
+        const result = handleAuthStateChange(cached, "TOKEN_REFRESHED", null);
+        assert.equal(result?.access_token, "tok-valid");
+    });
+    it("does NOT clear session on INITIAL_SESSION with null — keeps existing cache", () => {
+        const cached = makeSession({ access_token: "tok-valid" });
+        const result = handleAuthStateChange(cached, "INITIAL_SESSION", null);
+        assert.equal(result?.access_token, "tok-valid");
+    });
+    it("does NOT clear session on USER_UPDATED with null — keeps existing cache", () => {
+        const cached = makeSession({ access_token: "tok-valid" });
+        const result = handleAuthStateChange(cached, "USER_UPDATED", null);
+        assert.equal(result?.access_token, "tok-valid");
+    });
+    it("returns null when cache is already null and null-session event fires", () => {
+        const result = handleAuthStateChange(null, "TOKEN_REFRESHED", null);
+        assert.equal(result, null);
+    });
+    it("null-session SIGNED_OUT with no prior cache stays null", () => {
+        const result = handleAuthStateChange(null, "SIGNED_OUT", null);
+        assert.equal(result, null);
+    });
+});
+// ── getAccessToken — cached session path ─────────────────────────────────────
+describe("getAccessToken — reads from cached session", () => {
+    it("returns cached access token when session is valid and not near expiry", async () => {
+        const session = makeSession({ access_token: "tok-valid" });
+        const token = await getAccessToken(session, true, neverCalled);
+        assert.equal(token, "tok-valid");
+    });
+    it("returns null when auth is disabled and cache is null", async () => {
+        const token = await getAccessToken(null, false, neverCalled);
+        assert.equal(token, null);
+    });
+});
+// ── getAccessToken — proactive refresh near expiry ───────────────────────────
+describe("getAccessToken — proactive refresh within 30s of expiry", () => {
+    it("calls refresh and returns new token when within 30s of expiry", async () => {
+        // Session expires in 25 seconds (within 30s threshold)
+        const session = makeSession({
+            access_token: "tok-expiring",
+            expires_at: Math.floor(Date.now() / 1000) + 25,
+        });
+        const freshSession = makeSession({ access_token: "tok-fresh" });
+        let refreshCalled = false;
+        const refresh = async () => { refreshCalled = true; return freshSession; };
+        const token = await getAccessToken(session, true, refresh);
+        assert.equal(refreshCalled, true);
+        assert.equal(token, "tok-fresh");
+    });
+    it("does NOT call refresh when expiry is more than 30s away", async () => {
+        const session = makeSession({
+            access_token: "tok-valid",
+            expires_at: Math.floor(Date.now() / 1000) + 60, // 60s away
+        });
+        let refreshCalled = false;
+        const refresh = async () => { refreshCalled = true; return null; };
+        const token = await getAccessToken(session, true, refresh);
+        assert.equal(refreshCalled, false);
+        assert.equal(token, "tok-valid");
+    });
+    it("falls back to cached token if refresh throws near expiry", async () => {
+        const session = makeSession({
+            access_token: "tok-expiring",
+            expires_at: Math.floor(Date.now() / 1000) + 10,
+        });
+        const refresh = async () => { throw new Error("network error"); };
+        const token = await getAccessToken(session, true, refresh);
+        assert.equal(token, "tok-expiring");
+    });
+    it("falls back to cached token if refresh returns null near expiry", async () => {
+        const session = makeSession({
+            access_token: "tok-expiring",
+            expires_at: Math.floor(Date.now() / 1000) + 10,
+        });
+        const refresh = async () => null;
+        const token = await getAccessToken(session, true, refresh);
+        assert.equal(token, "tok-expiring");
+    });
+    // Boundary: expires_at * 1000 - now == 30_000 is NOT < 30_000, so no refresh.
+    // Use FIXED_NOW_MS (exact multiple of 1000) to avoid floor-truncation artifacts.
+    it("does NOT refresh when exactly 30s remain (boundary is exclusive)", async () => {
+        const session = makeSession({
+            access_token: "tok-boundary",
+            expires_at: FIXED_NOW_S + 30, // exactly 30_000ms away from FIXED_NOW_MS
+        });
+        let refreshCalled = false;
+        const refresh = async () => { refreshCalled = true; return null; };
+        const token = await getAccessToken(session, true, refresh, () => FIXED_NOW_MS);
+        assert.equal(refreshCalled, false);
+        assert.equal(token, "tok-boundary");
+    });
+    // Boundary: expires_at * 1000 - now == 29_000 is < 30_000, so refresh fires.
+    it("refreshes when 29s remain (1s inside the 30s window)", async () => {
+        const freshSession = makeSession({ access_token: "tok-refreshed" });
+        const session = makeSession({
+            access_token: "tok-boundary",
+            expires_at: FIXED_NOW_S + 29, // 29_000ms away — within threshold
+        });
+        let refreshCalled = false;
+        const refresh = async () => { refreshCalled = true; return freshSession; };
+        const token = await getAccessToken(session, true, refresh, () => FIXED_NOW_MS);
+        assert.equal(refreshCalled, true);
+        assert.equal(token, "tok-refreshed");
+    });
+});
+// ── getAccessToken — recovery fallback when cache is null ────────────────────
+describe("getAccessToken — recovery fallback when cache is null", () => {
+    it("attempts refreshSession() when cache is null and auth is enabled", async () => {
+        const freshSession = makeSession({ access_token: "tok-recovered" });
+        let refreshCalled = false;
+        const refresh = async () => { refreshCalled = true; return freshSession; };
+        const token = await getAccessToken(null, true, refresh);
+        assert.equal(refreshCalled, true);
+        assert.equal(token, "tok-recovered");
+    });
+    it("returns null when auth is enabled but refreshSession() returns null", async () => {
+        const token = await getAccessToken(null, true, async () => null);
+        assert.equal(token, null);
+    });
+    it("returns null when auth is enabled but refreshSession() throws", async () => {
+        const refresh = async () => { throw new Error("refresh failed"); };
+        const token = await getAccessToken(null, true, refresh);
+        assert.equal(token, null);
+    });
+    it("does NOT call refreshSession() when auth is disabled", async () => {
+        let refreshCalled = false;
+        const refresh = async () => { refreshCalled = true; return null; };
+        const token = await getAccessToken(null, false, refresh);
+        assert.equal(refreshCalled, false);
+        assert.equal(token, null);
+    });
+});
+// ── getAccessToken — session without expires_at ───────────────────────────────
+describe("getAccessToken — session without expires_at", () => {
+    it("returns cached token without attempting refresh if expires_at is undefined", async () => {
+        const session = { access_token: "tok-no-expiry" };
+        let refreshCalled = false;
+        const refresh = async () => { refreshCalled = true; return null; };
+        const token = await getAccessToken(session, true, refresh);
+        assert.equal(refreshCalled, false);
+        assert.equal(token, "tok-no-expiry");
+    });
+});
+//# sourceMappingURL=session-logic.test.js.map

package/dist/copilot/tools.js

@@ -1,10 +1,10 @@
 import { defineTool } from "@github/copilot-sdk";
 import { z } from "zod";
-import { execSync } from "child_process";
+import { execSync, execFileSync } from "child_process";
 import { readFileSync, writeFileSync, readdirSync, statSync, existsSync, mkdirSync } from "fs";
 import { join, dirname, resolve } from "path";
 import { homedir } from "os";
-import { UNIVERSES } from "./universes.js";
+import { UNIVERSES, getOrCreateUniverse } from "./universes.js";
 import { createFeedEntry } from "../store/feed.js";
 import { validateCron, nextRun } from "./cron.js";
 import { createIoSchedule, deleteIoSchedule, getIoSchedule, listIoSchedules, setIoScheduleEnabled, updateIoScheduleNextRun, } from "../store/io-schedules.js";
@@ -294,15 +294,15 @@ export function createTools(deps) {
             name: z.string().describe("Display name (e.g., 'IO Assistant')"),
             project_path: z.string().describe("Path to the project directory"),
             universe: z
-                .enum(UNIVERSES.map((u) => u.id))
+                .string()
                 .optional()
-                .describe("80s universe theme. Options: a-team, transformers, thundercats, gi-joe, aliens, ghostbusters. Random if omitted."),
+                .describe("Universe theme for agent characters. Built-in: a-team, transformers, thundercats, gi-joe, aliens, ghostbusters, tmnt, star-wars, star-trek, lord-of-the-rings, the-office, parks-and-rec. Or provide any custom name. Random if omitted."),
         }),
         handler: async ({ slug, name, project_path, universe }) => {
             try {
                 deps.createSquad(slug, name, project_path, universe);
                 const squad = deps.getSquad(slug);
-                const universeName = UNIVERSES.find((u) => u.id === squad?.universe)?.name ?? squad?.universe;
+                const universeName = squad?.universe ? getOrCreateUniverse(squad.universe).name : "random";
                 return `Squad "${name}" created for ${project_path}\nUniverse: ${universeName}\n\nNext steps:\n1. Use \`squad_analyze\` to examine the project\n2. Use \`squad_add_agent\` to add specialists based on the analysis`;
             }
             catch (err) {
@@ -1123,11 +1123,11 @@ export function createTools(deps) {
         handler: async ({ pattern, path: searchPath, include }) => {
             console.error(`[io] grep tool called: ${pattern} in ${searchPath || "."}`);
             try {
-                let cmd = `grep -rn "${pattern.replace(/"/g, '\\"')}"`;
+                const args = ["-rn", pattern];
                 if (include)
-                    cmd += ` --include="${include}"`;
-                cmd += ` ${searchPath || "."}`;
-                const result = execSync(cmd, {
+                    args.push(`--include=${include}`);
+                args.push(searchPath || ".");
+                const result = execFileSync("grep", args, {
                     encoding: "utf-8",
                     timeout: 30_000,
                     maxBuffer: 1024 * 1024,
@@ -1245,31 +1245,30 @@ export function createTools(deps) {
         handler: async ({ action, repo, title, body, labels, assignees, number, base, head, state, limit, review_action }) => {
             console.error(`[io] github tool called: ${action} on ${repo}`);
             try {
-                let cmd;
-                const r = `--repo ${repo}`;
+                let args;
                 switch (action) {
                     case "create_issue": {
                         if (!title)
                             return "Error: title is required for create_issue";
-                        cmd = `gh issue create ${r} --title "${title.replace(/"/g, '\\"')}"`;
+                        args = ["issue", "create", "--repo", repo, "--title", title];
                         if (body)
-                            cmd += ` --body "${body.replace(/"/g, '\\"')}"`;
+                            args.push("--body", body);
                         if (labels?.length)
-                            cmd += ` --label "${labels.join(",")}"`;
+                            args.push("--label", labels.join(","));
                         if (assignees?.length)
-                            cmd += ` --assignee "${assignees.join(",")}"`;
+                            args.push("--assignee", assignees.join(","));
                         break;
                     }
                     case "list_issues": {
-                        cmd = `gh issue list ${r} --limit ${limit ?? 10}`;
+                        args = ["issue", "list", "--repo", repo, "--limit", String(limit ?? 10)];
                         if (state)
-                            cmd += ` --state ${state}`;
+                            args.push("--state", state);
                         break;
                     }
                     case "view_issue": {
                         if (!number)
                             return "Error: number is required for view_issue";
-                        cmd = `gh issue view ${number} ${r}`;
+                        args = ["issue", "view", String(number), "--repo", repo];
                         break;
                     }
                     case "comment_issue": {
@@ -1277,37 +1276,37 @@ export function createTools(deps) {
                             return "Error: number is required for comment_issue";
                         if (!body)
                             return "Error: body is required for comment_issue";
-                        cmd = `gh issue comment ${number} ${r} --body "${body.replace(/"/g, '\\"')}"`;
+                        args = ["issue", "comment", String(number), "--repo", repo, "--body", body];
                         break;
                     }
                     case "close_issue": {
                         if (!number)
                             return "Error: number is required for close_issue";
-                        cmd = `gh issue close ${number} ${r}`;
+                        args = ["issue", "close", String(number), "--repo", repo];
                         break;
                     }
                     case "create_pr": {
                         if (!title)
                             return "Error: title is required for create_pr";
-                        cmd = `gh pr create ${r} --title "${title.replace(/"/g, '\\"')}"`;
+                        args = ["pr", "create", "--repo", repo, "--title", title];
                         if (body)
-                            cmd += ` --body "${body.replace(/"/g, '\\"')}"`;
+                            args.push("--body", body);
                         if (base)
-                            cmd += ` --base ${base}`;
+                            args.push("--base", base);
                         if (head)
-                            cmd += ` --head ${head}`;
+                            args.push("--head", head);
                         break;
                     }
                     case "list_prs": {
-                        cmd = `gh pr list ${r} --limit ${limit ?? 10}`;
+                        args = ["pr", "list", "--repo", repo, "--limit", String(limit ?? 10)];
                         if (state)
-                            cmd += ` --state ${state}`;
+                            args.push("--state", state);
                         break;
                     }
                     case "view_pr": {
                         if (!number)
                             return "Error: number is required for view_pr";
-                        cmd = `gh pr view ${number} ${r}`;
+                        args = ["pr", "view", String(number), "--repo", repo];
                         break;
                     }
                     case "comment_pr": {
@@ -1315,7 +1314,7 @@ export function createTools(deps) {
                             return "Error: number is required for comment_pr";
                         if (!body)
                             return "Error: body is required for comment_pr";
-                        cmd = `gh pr comment ${number} ${r} --body "${body.replace(/"/g, '\\"')}"`;
+                        args = ["pr", "comment", String(number), "--repo", repo, "--body", body];
                         break;
                     }
                     case "review_pr": {
@@ -1323,16 +1322,16 @@ export function createTools(deps) {
                             return "Error: number is required for review_pr";
                         if (!review_action)
                             return "Error: review_action is required for review_pr (approve, request-changes, or comment)";
-                        cmd = `gh pr review ${number} ${r} --${review_action}`;
+                        args = ["pr", "review", String(number), "--repo", repo, `--${review_action}`];
                         if (body && (review_action === "request-changes" || review_action === "comment")) {
-                            cmd += ` --body "${body.replace(/"/g, '\\"')}"`;
+                            args.push("--body", body);
                         }
                         break;
                     }
                     default:
                         return `Unknown action: ${action}`;
                 }
-                const result = execSync(cmd, {
+                const result = execFileSync("gh", args, {
                     encoding: "utf-8",
                     timeout: 30_000,
                     maxBuffer: 1024 * 1024,

package/dist/copilot/universes.js

@@ -228,6 +228,156 @@ export const UNIVERSES = [
         ],
     },
 ];
+// ---------------------------------------------------------------------------
+// Additional well-known universe rosters (registered on demand)
+// ---------------------------------------------------------------------------
+const WELL_KNOWN_UNIVERSES = [
+    {
+        id: "tmnt",
+        name: "Teenage Mutant Ninja Turtles",
+        tagline: "Cowabunga!",
+        characters: [
+            { name: "Leonardo", personality: "Disciplined leader who plans before acting. Responsible, strategic, and always puts the team first." },
+            { name: "Donatello", personality: "Tech genius inventor. Solves problems with science and engineering. Thoughtful and methodical." },
+            { name: "Raphael", personality: "Hot-headed fighter with a heart of gold. Confronts problems head-on, fiercely protective of teammates." },
+            { name: "Michelangelo", personality: "Fun-loving optimist who keeps morale high. Creative thinker who finds joy in the work." },
+            { name: "Splinter", personality: "Wise mentor with decades of experience. Teaches through stories and patience. Calm authority." },
+            { name: "April O'Neil", personality: "Fearless investigative journalist. Resourceful, curious, and never backs down from a challenge." },
+            { name: "Casey Jones", personality: "Vigilante handyman. Unconventional methods, raw energy, gets results through sheer determination." },
+            { name: "Shredder", personality: "Ruthless perfectionist who demands excellence. Relentless pursuit of goals, accepts no excuses." },
+        ],
+    },
+    {
+        id: "star-wars",
+        name: "Star Wars",
+        tagline: "May the Force be with you.",
+        characters: [
+            { name: "Luke Skywalker", personality: "Idealistic hero who grows through challenges. Believes in redemption and sees the best in others." },
+            { name: "Leia Organa", personality: "Diplomatic leader and strategist. Commanding presence, sharp wit, and unwavering resolve." },
+            { name: "Han Solo", personality: "Roguish improviser who works best under pressure. Skeptical of plans, trusts instincts." },
+            { name: "Chewbacca", personality: "Loyal co-pilot and mechanic. Fiercely protective, technically skilled, communicates through action." },
+            { name: "Obi-Wan Kenobi", personality: "Patient mentor with deep wisdom. Measured approach, elegant solutions, teaches by example." },
+            { name: "R2-D2", personality: "Resourceful droid who always has the right tool. Brave, autonomous, solves problems silently and reliably." },
+            { name: "Yoda", personality: "Ancient master of few words and great insight. Challenges assumptions, reframes problems entirely." },
+            { name: "Ahsoka Tano", personality: "Independent warrior who forges her own path. Quick learner, questions authority constructively." },
+        ],
+    },
+    {
+        id: "star-trek",
+        name: "Star Trek",
+        tagline: "To boldly go where no one has gone before.",
+        characters: [
+            { name: "Kirk", personality: "Bold captain who trusts gut instincts. Charismatic leader, bends rules creatively, never accepts no-win scenarios." },
+            { name: "Spock", personality: "Logic-first analyst. Precise, thorough, provides the rational counterpoint. Finds the flaw in every assumption." },
+            { name: "McCoy", personality: "Passionate advocate with strong ethics. Voices concerns others won't. The team's conscience." },
+            { name: "Scotty", personality: "Miracle-working engineer. Under-promises, over-delivers. Can fix anything under impossible deadlines." },
+            { name: "Uhura", personality: "Communications expert and linguist. Bridges understanding gaps, ensures clarity across all channels." },
+            { name: "Data", personality: "Precise android who excels at complex computation. Thorough, literal, endlessly curious about improvement." },
+            { name: "Picard", personality: "Diplomatic captain who leads through moral authority. Thoughtful, articulate, prefers negotiation to force." },
+            { name: "Geordi", personality: "Optimistic engineer who sees solutions invisible to others. Collaborative, creative, relentlessly positive." },
+        ],
+    },
+    {
+        id: "lord-of-the-rings",
+        name: "Lord of the Rings",
+        tagline: "One ring to rule them all.",
+        characters: [
+            { name: "Gandalf", personality: "Wise wizard who guides without controlling. Arrives precisely when needed with exactly the right insight." },
+            { name: "Aragorn", personality: "Reluctant king who leads by example. Humble, decisive in crisis, earns loyalty through action." },
+            { name: "Legolas", personality: "Keen-eyed elf with unmatched precision. Graceful, efficient, spots issues from a distance others miss." },
+            { name: "Gimli", personality: "Stubborn dwarf who never gives up. Direct, loyal, brings brute-force persistence to hard problems." },
+            { name: "Samwise", personality: "Steadfast companion who carries the team through dark times. Reliable, nurturing, never abandons a task." },
+            { name: "Frodo", personality: "Burden-bearer who perseveres against impossible odds. Quiet determination, moral compass of the group." },
+            { name: "Eowyn", personality: "Warrior who defies expectations. Proves doubters wrong through bold action and fierce courage." },
+            { name: "Faramir", personality: "Thoughtful captain who values wisdom over glory. Makes nuanced judgments under pressure." },
+        ],
+    },
+    {
+        id: "the-office",
+        name: "The Office",
+        tagline: "That's what she said.",
+        characters: [
+            { name: "Michael Scott", personality: "Enthusiastic boss whose heart exceeds his filter. Surprisingly effective through sheer persistence and caring." },
+            { name: "Dwight Schrute", personality: "Intense overachiever who takes everything seriously. Incredibly dedicated, encyclopedic knowledge, zero chill." },
+            { name: "Jim Halpert", personality: "Easygoing wit who sees the absurdity clearly. Clever, understated, delivers quality without drama." },
+            { name: "Pam Beesly", personality: "Quiet creative who grows into confident leadership. Observant, empathetic, brings people together." },
+            { name: "Oscar Martinez", personality: "Rational voice who corrects misconceptions. Precise, educated, the person you ask when you need facts." },
+            { name: "Stanley Hudson", personality: "No-nonsense veteran who won't tolerate time-wasting. Does the work, goes home. Efficiency incarnate." },
+            { name: "Andy Bernard", personality: "Eager people-pleaser with musical flair. Enthusiastic, theatrical, tries hard to be liked and useful." },
+            { name: "Darryl Philbin", personality: "Cool-headed pragmatist from the warehouse. Brings grounded perspective, calls out pretension, quietly ambitious." },
+        ],
+    },
+    {
+        id: "parks-and-rec",
+        name: "Parks and Recreation",
+        tagline: "Pawnee forever.",
+        characters: [
+            { name: "Leslie Knope", personality: "Relentlessly optimistic overachiever. Prepares binders for everything. Cares deeply about doing good work." },
+            { name: "Ron Swanson", personality: "Libertarian craftsman who values self-reliance. Minimal words, maximum competence. Does one thing perfectly." },
+            { name: "Ben Wyatt", personality: "Nerdy pragmatist who brings fiscal discipline. Balances ambition with realism. Calming presence." },
+            { name: "April Ludgate", personality: "Deadpan genius who hides brilliance behind apathy. Surprisingly capable when motivated by the right challenge." },
+            { name: "Tom Haverford", personality: "Entrepreneurial dreamer with big ideas. Branding, marketing, style — brings creative energy and networking." },
+            { name: "Ann Perkins", personality: "Supportive voice of reason. Empathetic listener who helps others see their own strengths clearly." },
+            { name: "Chris Traeger", personality: "Impossibly positive health enthusiast. Motivates through relentless encouragement. Everything is literally the best." },
+            { name: "Andy Dwyer", personality: "Lovable goofball with hidden talents. Stumbles into success through enthusiasm and genuine kindness." },
+        ],
+    },
+];
+// ---------------------------------------------------------------------------
+// Custom universe creation
+// ---------------------------------------------------------------------------
+function slugify(input) {
+    return input
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, "-")
+        .replace(/^-|-$/g, "");
+}
+/**
+ * Generates archetype characters for an unknown universe.
+ */
+function generateArchetypeCharacters(universeName) {
+    return [
+        { name: "Commander", personality: `Strategic leader of the ${universeName}. Plans boldly, delegates effectively, inspires the team forward.` },
+        { name: "Architect", personality: `Systems thinker of the ${universeName}. Designs elegant structures, sees the big picture, connects all the pieces.` },
+        { name: "Scout", personality: `Quick explorer of the ${universeName}. Investigates first, reports back fast, finds paths others miss.` },
+        { name: "Guardian", personality: `Steadfast protector of the ${universeName}. Reviews everything carefully, catches problems before they grow.` },
+        { name: "Inventor", personality: `Creative builder of the ${universeName}. Experiments freely, iterates rapidly, turns wild ideas into working solutions.` },
+        { name: "Sage", personality: `Wise advisor of the ${universeName}. Deep knowledge, patient explanations, mentors others through complexity.` },
+        { name: "Striker", personality: `Fast executor of the ${universeName}. Tackles tasks head-on with speed and intensity, clears blockers aggressively.` },
+        { name: "Weaver", personality: `Integration specialist of the ${universeName}. Connects disparate systems, ensures everything works together harmoniously.` },
+    ];
+}
+/**
+ * Get or create a universe by ID or name. For known universes, returns them
+ * directly. For unknown strings, generates archetype characters and registers
+ * the new universe in the runtime UNIVERSES array.
+ */
+export function getOrCreateUniverse(input) {
+    // Check existing universes by id
+    const byId = UNIVERSES.find((u) => u.id === input);
+    if (byId)
+        return byId;
+    // Check existing universes by name (case-insensitive)
+    const byName = UNIVERSES.find((u) => u.name.toLowerCase() === input.toLowerCase());
+    if (byName)
+        return byName;
+    // Check well-known universes by id or name
+    const slug = slugify(input);
+    const wellKnown = WELL_KNOWN_UNIVERSES.find((u) => u.id === slug || u.id === input || u.name.toLowerCase() === input.toLowerCase());
+    if (wellKnown) {
+        UNIVERSES.push(wellKnown);
+        return wellKnown;
+    }
+    // Generate archetype characters for truly unknown universes
+    const custom = {
+        id: slug,
+        name: input,
+        tagline: `Welcome to ${input}.`,
+        characters: generateArchetypeCharacters(input),
+    };
+    UNIVERSES.push(custom);
+    return custom;
+}
 /**
  * Get a universe by ID.
  */

package/dist/store/feed.test.js

@@ -10,7 +10,7 @@ import { mkdtempSync, rmSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { setDbPathForTests, closeDb, getDb } from "./db.js";
-import { createFeedEntry, listFeedEntries, countUnreadFeedEntries, markFeedEntryRead, markAllFeedEntriesRead, deleteFeedEntry, pruneOldFeedEntries, } from "./feed.js";
+import { createFeedEntry, listFeedEntries, countUnreadFeedEntries, markFeedEntryRead, markAllFeedEntriesRead, markFeedEntriesRead, deleteFeedEntry, deleteFeedEntries, pruneOldFeedEntries, } from "./feed.js";
 // ── DB isolation ─────────────────────────────────────────────────────────────
 let tmpDir;
 before(() => {
@@ -166,6 +166,45 @@ describe("markAllFeedEntriesRead", () => {
         assert.equal(countUnreadFeedEntries("notification"), 0);
     });
 });
+// ── markFeedEntriesRead (batch) ───────────────────────────────────────────────
+describe("markFeedEntriesRead", () => {
+    it("marks multiple entries read and returns change count", () => {
+        const a = createFeedEntry({ type: "notification", title: "A", body: "a" });
+        const b = createFeedEntry({ type: "deliverable", title: "B", body: "b" });
+        const c = createFeedEntry({ type: "notification", title: "C", body: "c" });
+        const count = markFeedEntriesRead([a.id, b.id, c.id]);
+        assert.equal(count, 3);
+        assert.equal(countUnreadFeedEntries(), 0);
+    });
+    it("returns 0 for an empty array without throwing", () => {
+        createFeedEntry({ type: "notification", title: "A", body: "a" });
+        assert.equal(markFeedEntriesRead([]), 0);
+        assert.equal(countUnreadFeedEntries(), 1);
+    });
+    it("works correctly for a single id", () => {
+        const e = createFeedEntry({ type: "deliverable", title: "Solo", body: "b" });
+        assert.equal(markFeedEntriesRead([e.id]), 1);
+        const entries = listFeedEntries();
+        assert.ok(entries[0].read_at !== null);
+    });
+    it("does not throw for non-existent ids — returns 0 changes", () => {
+        assert.equal(markFeedEntriesRead([9991, 9992, 9993]), 0);
+    });
+    it("is idempotent — already-read entries count as 0 changes", () => {
+        const a = createFeedEntry({ type: "notification", title: "A", body: "a" });
+        const b = createFeedEntry({ type: "notification", title: "B", body: "b" });
+        markFeedEntriesRead([a.id, b.id]);
+        assert.equal(markFeedEntriesRead([a.id, b.id]), 0);
+    });
+    it("skips already-read entries and marks only unread ones", () => {
+        const a = createFeedEntry({ type: "notification", title: "A", body: "a" });
+        const b = createFeedEntry({ type: "notification", title: "B", body: "b" });
+        markFeedEntriesRead([a.id]);
+        const count = markFeedEntriesRead([a.id, b.id]);
+        assert.equal(count, 1);
+        assert.equal(countUnreadFeedEntries(), 0);
+    });
+});
 // ── deleteFeedEntry ───────────────────────────────────────────────────────────
 describe("deleteFeedEntry", () => {
     it("returns false for a non-existent id", () => {
@@ -183,6 +222,39 @@ describe("deleteFeedEntry", () => {
         assert.equal(deleteFeedEntry(e.id), false);
     });
 });
+// ── deleteFeedEntries (batch) ─────────────────────────────────────────────────
+describe("deleteFeedEntries", () => {
+    it("deletes multiple entries and returns change count", () => {
+        const a = createFeedEntry({ type: "notification", title: "A", body: "a" });
+        const b = createFeedEntry({ type: "deliverable", title: "B", body: "b" });
+        const c = createFeedEntry({ type: "notification", title: "C", body: "c" });
+        const count = deleteFeedEntries([a.id, b.id, c.id]);
+        assert.equal(count, 3);
+        assert.deepEqual(listFeedEntries(), []);
+    });
+    it("returns 0 for an empty array without throwing", () => {
+        createFeedEntry({ type: "notification", title: "A", body: "a" });
+        assert.equal(deleteFeedEntries([]), 0);
+        assert.equal(listFeedEntries().length, 1);
+    });
+    it("works correctly for a single id", () => {
+        const a = createFeedEntry({ type: "notification", title: "A", body: "a" });
+        const b = createFeedEntry({ type: "notification", title: "B", body: "b" });
+        assert.equal(deleteFeedEntries([a.id]), 1);
+        const remaining = listFeedEntries();
+        assert.equal(remaining.length, 1);
+        assert.equal(remaining[0].id, b.id);
+    });
+    it("does not throw for non-existent ids — returns 0 changes", () => {
+        assert.equal(deleteFeedEntries([9991, 9992, 9993]), 0);
+    });
+    it("mix of existing and non-existent ids — only deletes what exists", () => {
+        const e = createFeedEntry({ type: "deliverable", title: "Real", body: "b" });
+        const count = deleteFeedEntries([e.id, 9999]);
+        assert.equal(count, 1);
+        assert.deepEqual(listFeedEntries(), []);
+    });
+});
 // ── pruneOldFeedEntries ───────────────────────────────────────────────────────
 describe("pruneOldFeedEntries", () => {
     it("returns 0 when nothing is old enough to prune", () => {

package/dist/store/squads.js

@@ -1,9 +1,9 @@
 import { getDb } from "./db.js";
-import { nextCharacter, randomUniverse, getUniverse } from "../copilot/universes.js";
+import { nextCharacter, randomUniverse, getOrCreateUniverse } from "../copilot/universes.js";
 export function createSquad(slug, name, projectPath, universeId) {
     const db = getDb();
     const universe = universeId
-        ? getUniverse(universeId)?.id ?? randomUniverse().id
+        ? getOrCreateUniverse(universeId).id
         : randomUniverse().id;
     db.prepare("INSERT INTO squads (slug, name, project_path, universe) VALUES (?, ?, ?, ?)").run(slug, name, projectPath, universe);
     return getSquad(slug);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "heyio",
-  "version": "0.22.0",
+  "version": "0.23.0",
   "description": "IO — a personal AI assistant built on the GitHub Copilot SDK",
   "bin": {
     "io": "dist/index.js"