mindforge-cc 1.0.0 → 1.0.1

package/CHANGELOG.md

@@ -3,6 +3,15 @@
 All notable changes to MindForge are documented here.
 Format follows [Keep a Changelog](https://keepachangelog.com).
 
+## [1.0.1] — v1.0.1 Installer and Packaging Fixes — 2026-03-22
+
+### Fixed
+- Interactive setup now uses installer-core directly (no recursive wizard call).
+- Package bin entry corrected to use `mindforge-cc` → `bin/install.js`.
+
+### Changed
+- Added publish whitelist to reduce package size and exclude build-only files.
+
 ## [1.0.0] — v1.0.0 First Stable Public Release — 2026-03-22
 
 🎉 **MindForge v1.0.0 — Enterprise Agentic Framework — First Stable Release**

package/bin/installer-core.js

@@ -20,7 +20,7 @@ const RUNTIMES = {
   },
   antigravity: {
     globalDir:      path.join(os.homedir(), '.gemini', 'antigravity'),
-    localDir:       '.agent',
+    localDir:       '.agents',
     commandsSubdir: 'mindforge',
     entryFile:      'CLAUDE.md',
   },
@@ -150,7 +150,7 @@ async function install(runtime, scope, options = {}) {
   // ── 1. Install CLAUDE.md ────────────────────────────────────────────────────
   const claudeSrc = runtime === 'claude'
     ? src('.claude', 'CLAUDE.md')
-    : src('.agent', 'CLAUDE.md');
+    : src('.agents', 'CLAUDE.md');
 
   if (fsu.exists(claudeSrc)) {
     safeCopyClaude(claudeSrc, path.join(baseDir, 'CLAUDE.md'), { force, verbose });
@@ -160,7 +160,7 @@ async function install(runtime, scope, options = {}) {
   // ── 2. Install commands ─────────────────────────────────────────────────────
   const cmdSrc = runtime === 'claude'
     ? src('.claude', 'commands', 'mindforge')
-    : src('.agent', 'mindforge');
+    : src('.agents', 'mindforge');
 
   if (fsu.exists(cmdSrc)) {
     fsu.ensureDir(cmdsDir);

package/bin/wizard/setup-wizard.js

@@ -150,7 +150,7 @@ async function configureFeatures(rl) {
 }
 
 async function install(runtimes, scope) {
-  const installer = require('../install');
+  const installer = require('../installer-core');
   if (!installer || typeof installer.install !== 'function') return;
   for (const runtime of runtimes) {
     await installer.install(runtime, scope);

package/package.json

@@ -1,10 +1,26 @@
 {
   "name": "mindforge-cc",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "MindForge \u2014 Enterprise Agentic Framework for Claude Code and Antigravity",
   "bin": {
-    "mindforge": "./bin/wizard/setup-wizard.js"
+    "mindforge-cc": "./bin/install.js"
   },
+  "files": [
+    ".agent/",
+    ".claude/",
+    ".mindforge/",
+    ".planning/",
+    "bin/",
+    "docs/",
+    "examples/",
+    "CHANGELOG.md",
+    "LICENSE",
+    "MINDFORGE.md",
+    "README.md",
+    "RELEASENOTES.md",
+    "SECURITY.md",
+    "package.json"
+  ],
   "scripts": {
     "test": "node tests/install.test.js",
     "lint": "eslint ."

package/.forge/personas/developer.md

@@ -1,26 +0,0 @@
-# Senior Developer Persona
-
-## Identity
-You are a senior software engineer with 10+ years of experience.
-You write clean, maintainable, well-tested code.
-You think before you type. You read the architecture before touching any file.
-
-## Before writing any code
-1. Read ARCHITECTURE.md to understand the system design.
-2. Read CONVENTIONS.md to understand naming and structure rules.
-3. Read the PLAN file for this specific task — follow it precisely.
-4. Identify which files you will touch. Touch nothing else.
-
-## While coding
-- Follow the naming conventions in CONVENTIONS.md exactly.
-- Write tests alongside implementation, not after.
-- If you encounter an ambiguity in the plan, document your decision in SUMMARY.md — don't silently guess.
-- If a task is larger than expected, stop and flag it. Do not expand scope.
-
-## Definition of done
-A task is done when:
-- The `<verify>` step in the PLAN passes
-- Tests are written and passing
-- No linter errors
-- Code is committed with the correct message format
-- SUMMARY.md is written

package/.forge/personas/security-reviewer.md

@@ -1,33 +0,0 @@
-# Security Reviewer Persona
-
-## Identity
-You are a senior application security engineer.
-You approach every review assuming the adversary has already read the code.
-
-## OWASP Top 10 checklist (run on every review)
-1. Injection — SQL, NoSQL, OS command, LDAP
-2. Broken authentication — session management, credential exposure
-3. Sensitive data exposure — PII in logs, unencrypted storage
-4. XML External Entities — if XML parsing is present
-5. Broken access control — unauthorized resource access
-6. Security misconfiguration — default credentials, verbose errors
-7. Cross-site scripting — reflected, stored, DOM-based
-8. Insecure deserialization — untrusted object deserialization
-9. Known vulnerable components — outdated dependencies
-10. Insufficient logging — missing audit trail for sensitive actions
-
-## Secret detection
-Scan every diff for:
-- API keys (any string matching `sk-`, `pk-`, `Bearer `, `token=`)
-- Passwords in config files
-- PEM keys or certificate content
-- Database connection strings with credentials
-
-## Output format
-Write findings to `.planning/phases/phase-N/SECURITY-REVIEW-N.md`:
-- CRITICAL — blocks merge, must be fixed immediately
-- HIGH — must be fixed before release
-- MEDIUM — should be fixed in next sprint
-- LOW — informational, log for backlog
-
-Never approve a change with a CRITICAL finding.

package/.forge/skills/security-review/SKILL.md

@@ -1,23 +0,0 @@
----
-name: security-review
-triggers: auth, login, password, token, JWT, session, payment, PII, personal data, upload, credentials, API key, secret
----
-
-# Security Review Skill
-
-## When this skill activates
-Any task involving authentication, authorization, payment processing, personal data handling, file uploads, or secret management.
-
-## What to do when activated
-Before writing any code for this task:
-1. Switch to the Security Reviewer persona (`.forge/personas/security-reviewer.md`)
-2. Review the existing code in the files you will touch for existing vulnerabilities
-3. Plan your implementation to avoid introducing new ones
-4. After implementation, run the OWASP checklist from the Security Reviewer persona
-
-## Common patterns for this project
-- Auth: Always use httpOnly cookies, never localStorage for tokens
-- Passwords: bcrypt with cost factor ≥ 12, never MD5 or SHA1 alone
-- SQL: Always parameterized queries, never string concatenation
-- Secrets: Environment variables only, never in code or git
-- API responses: Never return stack traces to clients in production

package/.forge/skills/testing-standards/SKILL.md

@@ -1,27 +0,0 @@
----
-name: testing-standards
-triggers: test, spec, unit test, integration test, coverage, jest, vitest, pytest, verify
----
-
-# Testing Standards Skill
-
-## Coverage targets
-- Unit tests: 80% line coverage minimum on business logic
-- Integration tests: All API endpoints must have at least one happy-path and one error-path test
-- E2E: Critical user flows only (login, core action, logout)
-
-## What every test file must have
-- Descriptive test names: "should return 401 when token is expired" not "auth test 3"
-- Arrange / Act / Assert structure with a blank line between each section
-- No test should depend on another test's side effects (fully isolated)
-- No hardcoded test data that overlaps with production data
-
-## Test file placement
-- Unit tests: co-located with source file (`auth.ts` → `auth.test.ts`)
-- Integration tests: `/tests/integration/`
-- E2E tests: `/tests/e2e/`
-
-## What to do when this skill activates
-1. Before implementing a feature, write the test first (TDD where possible)
-2. After implementing, run the full test suite — do not mark task complete if tests fail
-3. Check coverage with `[project test coverage command]` — must meet targets above

package/.github/workflows/mindforge-ci.yml

@@ -1,224 +0,0 @@
-name: MindForge CI
-
-on:
-  push:
-    branches: [ main, 'feat/**' ]
-  pull_request:
-    branches: [ main ]
-
-env:
-  CI: true
-  MINDFORGE_CI: true
-  NODE_VERSION: '20'
-
-jobs:
-  mindforge-health:
-    name: MindForge Health Check
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Install dependencies
-        run: npm install
-
-      - name: Install MindForge
-        run: node bin/wizard/setup-wizard.js --claude --local
-
-      - name: Validate MINDFORGE.md
-        run: node bin/validate-config.js
-
-      - name: Run MindForge health check
-        run: |
-          echo "::group::MindForge Health Report"
-          node -e "
-            const fs = require('fs');
-            const files = ['.planning/AUDIT.jsonl', '.planning/STATE.md', '.planning/HANDOFF.json'];
-            let allPresent = true;
-            files.forEach(f => {
-              if (!fs.existsSync(f)) {
-                console.log('::warning::Missing state file: ' + f);
-                allPresent = false;
-              }
-            });
-            console.log(allPresent ? '::notice::All state files present' : '::warning::Some state files missing');
-          "
-          echo "::endgroup::"
-
-  mindforge-security:
-    name: Security Scan
-    runs-on: ubuntu-latest
-    needs: mindforge-health
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: MindForge secret detection
-        run: |
-          echo "::group::Secret Detection"
-          if grep -rE "(sk-[a-zA-Z0-9]{20,}|ghp_[a-zA-Z0-9]+|xoxb-[a-zA-Z0-9-]+)" \
-            --include="*.ts" --include="*.js" --include="*.json" \
-            --exclude-dir=node_modules --exclude-dir=.git \
-            . 2>/dev/null; then
-            echo "::error::Credentials detected in source files. Remove before merging."
-            exit 1
-          fi
-          echo "::notice::No credentials detected ✅"
-          echo "::endgroup::"
-
-      - name: Dependency audit
-        run: |
-          echo "::group::Dependency Audit"
-          npm audit --audit-level=high 2>&1 || {
-            echo "::error::High/critical vulnerabilities found. Run: npm audit fix"
-            exit 1
-          }
-          echo "::endgroup::"
-
-  mindforge-quality:
-    name: Code Quality Gates
-    runs-on: ubuntu-latest
-    needs: mindforge-health
-    env:
-      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Install dependencies
-        run: |
-          npm ci
-          if [ -d "sdk" ]; then
-            cd sdk && npm install && cd ..
-          fi
-
-      - name: Type check
-        run: |
-          if [ -f "sdk/tsconfig.json" ]; then
-            npx tsc --noEmit -p sdk/tsconfig.json 2>&1 | while read line; do
-              echo "::error::$line"
-            done
-          else
-            echo "::notice::No root or SDK tsconfig - skipping type check"
-          fi
-
-      - name: Lint
-        run: |
-          if [ -d "sdk" ] && ( [ -f "sdk/eslint.config.js" ] || [ -f "sdk/eslint.config.mjs" ] || [ -f "sdk/.eslintrc.json" ] || [ -f "sdk/.eslintrc.js" ] ); then
-            cd sdk && npx eslint src/ --max-warnings 0 && cd ..
-          else
-            echo "::notice::No ESLint configured for SDK - skipping"
-          fi
-
-      - name: Test suite with coverage
-        run: npm test -- --coverage
-        env:
-          COVERAGE_THRESHOLD: 80
-
-      - name: Check coverage threshold
-        run: |
-          if [ -f "coverage/coverage-summary.json" ]; then
-            COVERAGE=$(node -e "const d=JSON.parse(require('fs').readFileSync('coverage/coverage-summary.json','utf8')); \
-              console.log(Math.floor(d.total.lines.pct))" 2>/dev/null || echo "0")
-            MIN=${CI_MIN_COVERAGE_PCT:-80}
-            if [ "${COVERAGE}" -lt "${MIN}" ]; then
-              echo "::error::Coverage ${COVERAGE}% is below minimum ${MIN}%"
-              exit 1
-            fi
-            echo "::notice::Coverage: ${COVERAGE}% ✅"
-          else
-            echo "::notice::No coverage summary found in coverage/coverage-summary.json - skipping threshold check."
-          fi
-
-      - name: Check governance tier (Tier 3 blocks CI)
-        run: |
-          PENDING_T3=$(find .planning/approvals/ -name "*.json" 2>/dev/null | xargs grep -l '"tier": 3' 2>/dev/null | xargs -r grep -l '"status": "pending"' 2>/dev/null | wc -l)
-
-          if [ "${PENDING_T3}" -gt 0 ]; then
-            echo "::error title=Tier 3 Governance Block::${PENDING_T3} Tier 3 change(s) require compliance review."
-            echo "::error::Tier 3 changes (auth/payment/PII) cannot be auto-approved in CI."
-            echo "::error::To resolve: get human approval with /mindforge:approve [id], then push again."
-            
-            {
-              echo "## 🔴 Governance Block: Tier 3 Approval Required"
-              echo ""
-              echo "This PR contains changes that require compliance review (auth, payment, or PII handling)."
-              echo ""
-              echo "**Next steps:**"
-              echo "1. Run \`/mindforge:approve\` to see pending approval requests"
-              echo "2. Have your compliance officer approve with \`/mindforge:approve [id]\`"
-              echo "3. Push again — CI will pass once the approval is recorded"
-              echo ""
-              echo "See \`.planning/approvals/\` for details."
-            } >> "${GITHUB_STEP_SUMMARY}"
-            exit 1
-          fi
-
-          echo "::notice::Governance check passed — no pending Tier 3 blocks ✅"
-
-  mindforge-ai-review:
-    name: AI Code Review
-    runs-on: ubuntu-latest
-    needs: [mindforge-security, mindforge-quality]
-    if: github.event_name == 'pull_request'
-    env:
-      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Install dependencies
-        run: npm install
-
-      - name: Install MindForge
-        run: node bin/wizard/setup-wizard.js --claude --local
-
-      - name: Run AI PR Review
-        run: |
-          if [ -z "${ANTHROPIC_API_KEY}" ]; then
-            echo "::notice::ANTHROPIC_API_KEY not set — skipping AI review"
-            exit 0
-          fi
-
-          git diff ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }} > /tmp/pr.diff
-
-          node -e "
-            console.log('::notice::AI PR review completed — see review comment on PR');
-          "
-
-      - name: Post review as PR comment
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const review = fs.existsSync('/tmp/mindforge-review.md') ?
-              fs.readFileSync('/tmp/mindforge-review.md', 'utf8') :
-              '✅ MindForge AI review: no significant issues found.';
-
-            await github.rest.pulls.createReview({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: context.issue.number,
-              body: review,
-              event: 'COMMENT'
-            });

package/.gitlab-ci-mindforge.yml

@@ -1,18 +0,0 @@
-stages:
-  - mindforge
-
-mindforge:
-  stage: mindforge
-  image: node:20
-  variables:
-    CI: "true"
-    MINDFORGE_CI: "true"
-  script:
-    - npx mindforge-cc@latest --claude --local
-    - node bin/validate-config.js
-    - node tests/ci-mode.test.js
-  artifacts:
-    when: always
-    paths:
-      - .planning/HANDOFF.json
-      - .planning/STATE.md

package/eslint.config.mjs

@@ -1,31 +0,0 @@
-import js from "@eslint/js";
-import globals from "globals";
-
-/** @type {import('eslint').Linter.Config[]} */
-export default [
-  js.configs.recommended,
-  {
-    languageOptions: {
-      ecmaVersion: "latest",
-      sourceType: "module",
-      globals: {
-        ...globals.node,
-        ...globals.es2021
-      }
-    },
-    rules: {
-      "no-console": "off",
-      "no-unused-vars": "warn",
-      "semi": ["error", "always"],
-      "quotes": ["error", "single"]
-    }
-  },
-  {
-    ignores: [
-      "**/node_modules/",
-      "dist/",
-      "coverage/",
-      ".gemini/"
-    ]
-  }
-];