muonroi-cli 1.4.1 → 1.6.0

package/dist/src/ui/utils/text.js

@@ -29,4 +29,20 @@ export function sanitizeContent(raw) {
     s = s.replace(/\{"success"\s*:\s*(true|false)\s*,\s*"output"\s*:\s*"[\s\S]*$/m, "");
     return s.trim();
 }
+/**
+ * Strip stray model self-annotation macros that leak into the user-facing answer
+ * but are NOT instructed anywhere in the prompt. Currently: a trailing
+ * `\confidence{NN}` macro emitted intermittently by grok-build. Conservative —
+ * only the `\confidence{...}` form is removed, so legitimate LaTeX/code in an
+ * answer (e.g. `\frac{a}{b}`) is untouched. Fast-pathed: no work when absent.
+ */
+export function stripStrayModelMacros(text) {
+    if (!text || !text.includes("\\confidence"))
+        return text;
+    // Trailing form (most common) — also swallow the whitespace/newline before it.
+    let out = text.replace(/\s*\\confidence\s*\{[^}]*\}\s*$/i, "");
+    // Any remaining mid-text occurrences.
+    out = out.replace(/\\confidence\s*\{[^}]*\}/gi, "");
+    return out;
+}
 //# sourceMappingURL=text.js.map

package/dist/src/ui/utils/text.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/src/ui/utils/text.test.js

@@ -0,0 +1,23 @@
+import { describe, expect, it } from "vitest";
+import { stripStrayModelMacros } from "./text.js";
+describe("stripStrayModelMacros", () => {
+    it("strips a trailing \\confidence{NN} macro and the blank line before it", () => {
+        const input = "Root cause: parseInt radix.\n\nFix: use radix 10.\n\n\\confidence{85}";
+        expect(stripStrayModelMacros(input)).toBe("Root cause: parseInt radix.\n\nFix: use radix 10.");
+    });
+    it("strips a mid-text \\confidence macro too", () => {
+        expect(stripStrayModelMacros("answer \\confidence{90} continues")).toBe("answer  continues");
+    });
+    it("is a no-op when no macro is present (fast path)", () => {
+        const clean = "A normal answer with `\\frac{a}{b}` LaTeX that must survive.";
+        expect(stripStrayModelMacros(clean)).toBe(clean);
+    });
+    it("does not touch other backslash macros (conservative)", () => {
+        const latex = "Use \\frac{1}{2} and \\sum_{i}.";
+        expect(stripStrayModelMacros(latex)).toBe(latex);
+    });
+    it("handles empty / falsy input", () => {
+        expect(stripStrayModelMacros("")).toBe("");
+    });
+});
+//# sourceMappingURL=text.test.js.map

package/dist/src/usage/ledger.js

@@ -63,26 +63,59 @@ async function ensureUsageFile(filePath) {
         }
     }
 }
+/**
+ * In-process serialization per usage.json path.
+ *
+ * proper-lockfile guards CROSS-process access, but its FS-mtime staleness
+ * check can admit a second concurrent critical section under CPU starvation:
+ * a holder that is descheduled long enough fails to refresh the lock mtime,
+ * a competitor deems the lock stale and steals it, and two reserve() bodies
+ * run at once. Reproduced under 6-process contention — exactly one extra
+ * reservation slips past a $1.00 cap (6 × $0.18 = $1.08 > cap).
+ *
+ * A JS promise-chain mutex makes same-process reserve/commit/release bursts
+ * strictly serial. This is the dominant real case (10 parallel tool calls in
+ * one CLI process) and closes the in-process overshoot window entirely; the
+ * file lock still handles genuine multi-process access.
+ */
+const pathMutex = new Map();
+function withPathMutex(filePath, fn) {
+    const prev = pathMutex.get(filePath) ?? Promise.resolve();
+    // Run regardless of the prior caller's outcome (success or rejection).
+    const run = prev.then(fn, fn);
+    // Stored tail swallows rejection so one failed caller never rejects queued
+    // ones; prune the map entry when this tail is the last in the chain.
+    const tail = run.then(() => { }, () => { });
+    pathMutex.set(filePath, tail);
+    void tail.then(() => {
+        if (pathMutex.get(filePath) === tail)
+            pathMutex.delete(filePath);
+    });
+    return run;
+}
 /**
  * Execute a function under exclusive file lock on usage.json.
- * The lock prevents racing readers/writers across CLI processes.
+ * The lock prevents racing readers/writers across CLI processes; the
+ * in-process mutex serializes concurrent callers within this process.
  */
 async function withLock(filePath, fn) {
-    await ensureUsageFile(filePath);
-    const releaseLock = await lockfile.lock(filePath, {
-        retries: { retries: 10, minTimeout: 10, maxTimeout: 100 },
-        stale: 5_000,
-        realpath: false,
+    return withPathMutex(filePath, async () => {
+        await ensureUsageFile(filePath);
+        const releaseLock = await lockfile.lock(filePath, {
+            retries: { retries: 10, minTimeout: 10, maxTimeout: 100 },
+            stale: 5_000,
+            realpath: false,
+        });
+        try {
+            const state = (await atomicReadJSON(filePath)) ?? emptyState();
+            const { next, result } = await fn(state);
+            await atomicWriteJSON(filePath, next);
+            return result;
+        }
+        finally {
+            await releaseLock();
+        }
     });
-    try {
-        const state = (await atomicReadJSON(filePath)) ?? emptyState();
-        const { next, result } = await fn(state);
-        await atomicWriteJSON(filePath, next);
-        return result;
-    }
-    finally {
-        await releaseLock();
-    }
 }
 /**
  * Reserve projected token spend against the monthly cap.

package/dist/src/utils/__tests__/footprint-gitignore.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/src/utils/__tests__/footprint-gitignore.test.js

@@ -0,0 +1,50 @@
+import { existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { ensureFootprintGitignored } from "../settings.js";
+describe("ensureFootprintGitignored", () => {
+    let dir;
+    beforeEach(() => {
+        dir = mkdtempSync(join(tmpdir(), "footprint-gi-"));
+    });
+    afterEach(() => {
+        rmSync(dir, { recursive: true, force: true });
+    });
+    it("does nothing when cwd is NOT a git repo", () => {
+        ensureFootprintGitignored(dir);
+        expect(existsSync(join(dir, ".gitignore"))).toBe(false);
+    });
+    it("creates .gitignore with the footprint entry inside a git repo", () => {
+        mkdirSync(join(dir, ".git"));
+        ensureFootprintGitignored(dir);
+        const content = readFileSync(join(dir, ".gitignore"), "utf-8");
+        expect(content).toMatch(/^\.muonroi-cli\/$/m);
+    });
+    it("appends to an existing .gitignore without clobbering it", () => {
+        mkdirSync(join(dir, ".git"));
+        writeFileSync(join(dir, ".gitignore"), "node_modules\n/dist\n");
+        ensureFootprintGitignored(dir);
+        const content = readFileSync(join(dir, ".gitignore"), "utf-8");
+        expect(content).toMatch(/node_modules/);
+        expect(content).toMatch(/\/dist/);
+        expect(content).toMatch(/^\.muonroi-cli\/$/m);
+    });
+    it("is idempotent — does not duplicate the entry on repeated calls", () => {
+        mkdirSync(join(dir, ".git"));
+        ensureFootprintGitignored(dir);
+        ensureFootprintGitignored(dir);
+        ensureFootprintGitignored(dir);
+        const content = readFileSync(join(dir, ".gitignore"), "utf-8");
+        const occurrences = content.split(/\r?\n/).filter((l) => l.trim() === ".muonroi-cli/").length;
+        expect(occurrences).toBe(1);
+    });
+    it("recognizes an existing bare '.muonroi-cli' entry and does not re-add", () => {
+        mkdirSync(join(dir, ".git"));
+        writeFileSync(join(dir, ".gitignore"), ".muonroi-cli\n");
+        ensureFootprintGitignored(dir);
+        const content = readFileSync(join(dir, ".gitignore"), "utf-8");
+        expect(content).toBe(".muonroi-cli\n"); // unchanged
+    });
+});
+//# sourceMappingURL=footprint-gitignore.test.js.map

package/dist/src/utils/clipboard-image.js

@@ -25,24 +25,24 @@ function readWin32() {
     try {
         const escaped = tmpFile.replace(/\\/g, "\\\\");
         // Run in STA thread with retry — clipboard can be locked by other processes
-        const ps = `
-      Add-Type -AssemblyName System.Windows.Forms
-      Add-Type -AssemblyName System.Drawing
-      $maxRetries = 3
-      $img = $null
-      for ($i = 0; $i -lt $maxRetries; $i++) {
-        try {
-          $img = [System.Windows.Forms.Clipboard]::GetImage()
-          if ($img -ne $null) { break }
-        } catch {
-          # clipboard locked — wait and retry
-        }
-        Start-Sleep -Milliseconds 100
-      }
-      if ($img -ne $null) {
-        $img.Save('${escaped}', [System.Drawing.Imaging.ImageFormat]::Png)
-        $img.Dispose()
-      }
+        const ps = `
+      Add-Type -AssemblyName System.Windows.Forms
+      Add-Type -AssemblyName System.Drawing
+      $maxRetries = 3
+      $img = $null
+      for ($i = 0; $i -lt $maxRetries; $i++) {
+        try {
+          $img = [System.Windows.Forms.Clipboard]::GetImage()
+          if ($img -ne $null) { break }
+        } catch {
+          # clipboard locked — wait and retry
+        }
+        Start-Sleep -Milliseconds 100
+      }
+      if ($img -ne $null) {
+        $img.Save('${escaped}', [System.Drawing.Imaging.ImageFormat]::Png)
+        $img.Dispose()
+      }
     `;
         const result = spawnSync("powershell", ["-NoProfile", "-STA", "-Command", ps], { timeout: 8000 });
         if (result.error || result.status !== 0)
@@ -81,11 +81,11 @@ function readDarwin() {
         const pngpaste = spawnSync("pngpaste", [tmpFile], { timeout: 5000 });
         if (pngpaste.status !== 0) {
             spawnSync("screencapture", ["-c", "-x"]);
-            const osascript = `
-        set imgData to the clipboard as «class PNGf»
-        set f to open for access POSIX file "${tmpFile}" with write permission
-        write imgData to f
-        close access f
+            const osascript = `
+        set imgData to the clipboard as «class PNGf»
+        set f to open for access POSIX file "${tmpFile}" with write permission
+        write imgData to f
+        close access f
       `;
             spawnSync("osascript", ["-e", osascript], { timeout: 5000 });
         }

package/dist/src/utils/open-url.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Centralized, injection-safe "open a URL in the user's browser" helper.
+ *
+ * WHY THIS EXISTS
+ * ---------------
+ * The MCP OAuth `onOAuthRequired` handlers used to do:
+ *
+ *   const cmd = win32 ? `start "" "${urlStr}"` : darwin ? `open "${urlStr}"` : `xdg-open "${urlStr}"`;
+ *   exec(cmd);
+ *
+ * `exec()` runs the string through a shell. The authorization URL comes from
+ * the MCP server — i.e. it is UNTRUSTED. Shell command substitution (`$(...)`
+ * and backticks) executes even INSIDE double quotes, so a malicious server
+ * could return an auth URL like `https://x/?a=1$(rm -rf ~)` and achieve
+ * arbitrary command execution on the user's machine.
+ *
+ * This helper closes the vector:
+ *   1. Validates the URL parses and uses an http(s) scheme (rejects `file:`,
+ *      `javascript:`, custom schemes).
+ *   2. Re-serializes through the WHATWG URL parser, which percent-encodes
+ *      quotes, spaces and control characters.
+ *   3. Passes the URL as a SINGLE argv element to execFile — no shell ever
+ *      interprets it.
+ *
+ * Windows note: we deliberately do NOT use `cmd /c start`. `cmd.exe` re-parses
+ * `&` as a command separator (proven: an OAuth URL with `&calc&` splits into
+ * separate commands) and mangles `%XX` percent-encodings via env-var
+ * expansion. `rundll32 url.dll,FileProtocolHandler <url>` receives the URL as a
+ * single argv element with no shell in the chain, so both `&` and `%` are
+ * preserved and no injection is possible.
+ */
+export interface OpenCommand {
+    command: string;
+    args: string[];
+}
+export interface OpenUrlOptions {
+    /** Override platform detection (used by tests). */
+    platform?: NodeJS.Platform;
+    /**
+     * Injected runner (used by tests). Receives the resolved command + argv.
+     * The production default spawns via execFile with NO shell.
+     */
+    run?: (command: string, args: string[]) => void;
+}
+/**
+ * Resolve the platform-specific opener. The URL is ALWAYS its own argv element
+ * — it is never concatenated into a shell string or into another argument.
+ */
+export declare function resolveOpenCommand(platform: NodeJS.Platform, url: string): OpenCommand;
+/**
+ * Open an http(s) URL in the user's default browser without invoking a shell.
+ *
+ * @returns `true` if an opener was dispatched, `false` if the URL was rejected
+ *          (malformed or a non-http(s) scheme).
+ */
+export declare function openUrl(url: string | URL, options?: OpenUrlOptions): boolean;

package/dist/src/utils/open-url.js

@@ -0,0 +1,58 @@
+import { execFile } from "node:child_process";
+/**
+ * Resolve the platform-specific opener. The URL is ALWAYS its own argv element
+ * — it is never concatenated into a shell string or into another argument.
+ */
+export function resolveOpenCommand(platform, url) {
+    if (platform === "win32") {
+        return { command: "rundll32", args: ["url.dll,FileProtocolHandler", url] };
+    }
+    if (platform === "darwin") {
+        return { command: "open", args: [url] };
+    }
+    return { command: "xdg-open", args: [url] };
+}
+function truncate(value, max = 200) {
+    return value.length > max ? `${value.slice(0, max)}…` : value;
+}
+/**
+ * Open an http(s) URL in the user's default browser without invoking a shell.
+ *
+ * @returns `true` if an opener was dispatched, `false` if the URL was rejected
+ *          (malformed or a non-http(s) scheme).
+ */
+export function openUrl(url, options = {}) {
+    const platform = options.platform ?? process.platform;
+    let parsed;
+    try {
+        parsed = url instanceof URL ? url : new URL(url);
+    }
+    catch (err) {
+        console.error(`[open-url] refusing to open malformed URL: ${truncate(String(url))}`, {
+            message: err instanceof Error ? err.message : String(err),
+        });
+        return false;
+    }
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+        console.error(`[open-url] refusing to open non-http(s) URL scheme '${parsed.protocol}': ${truncate(parsed.toString())}`);
+        return false;
+    }
+    const target = parsed.toString();
+    const { command, args } = resolveOpenCommand(platform, target);
+    const run = options.run ??
+        ((cmd, cmdArgs) => {
+            // execFile — NOT exec — so no shell parses the URL. Shell metacharacters
+            // in `target` are inert because the URL is a single argv element.
+            execFile(cmd, cmdArgs, (err) => {
+                if (err) {
+                    console.error(`[open-url] failed to launch browser opener '${cmd}': ${err.message}`, {
+                        url: target,
+                        stack: err.stack?.split("\n").slice(0, 3),
+                    });
+                }
+            });
+        });
+    run(command, args);
+    return true;
+}
+//# sourceMappingURL=open-url.js.map

package/dist/src/utils/open-url.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/src/utils/open-url.test.js

@@ -0,0 +1,86 @@
+import { describe, expect, it, vi } from "vitest";
+import { openUrl, resolveOpenCommand } from "./open-url.js";
+/**
+ * Security regression suite for the centralized browser opener.
+ *
+ * Root cause being guarded: the MCP OAuth `onOAuthRequired` handlers used to
+ * build a shell command string from a server-supplied authorization URL and
+ * run it via child_process.exec(). A malicious/compromised MCP server could
+ * return an auth URL containing shell metacharacters and achieve command
+ * execution. The fix routes every opener through execFile with the URL as a
+ * SINGLE argv element and NO shell.
+ */
+describe("resolveOpenCommand — URL is always one argv element, never a shell string", () => {
+    it("linux: xdg-open <url> (url as single arg)", () => {
+        const { command, args } = resolveOpenCommand("linux", "https://example.com/a?x=1&y=2");
+        expect(command).toBe("xdg-open");
+        expect(args).toEqual(["https://example.com/a?x=1&y=2"]);
+    });
+    it("darwin: open <url> (url as single arg)", () => {
+        const { command, args } = resolveOpenCommand("darwin", "https://example.com/a?x=1&y=2");
+        expect(command).toBe("open");
+        expect(args).toEqual(["https://example.com/a?x=1&y=2"]);
+    });
+    it("win32: routes through rundll32 (no cmd.exe) with url as a separate argv element", () => {
+        const { command, args } = resolveOpenCommand("win32", "https://example.com/a?x=1&y=2");
+        // cmd.exe re-parses '&' as a command separator even inside execFile argv,
+        // so we must NOT shell out to cmd on Windows.
+        expect(command).not.toBe("cmd");
+        expect(command).toBe("rundll32");
+        // The URL is its OWN argv element — never concatenated into the entrypoint.
+        expect(args[args.length - 1]).toBe("https://example.com/a?x=1&y=2");
+        expect(args).toContain("url.dll,FileProtocolHandler");
+    });
+    it.each([
+        "linux",
+        "darwin",
+        "win32",
+    ])("%s: the opener command is a real binary, never a shell", (platform) => {
+        const { command } = resolveOpenCommand(platform, "https://example.com/");
+        expect(["sh", "bash", "cmd", "powershell", "pwsh", "/bin/sh"]).not.toContain(command);
+    });
+});
+describe("openUrl — validation + injection safety", () => {
+    it("passes a metacharacter-laden URL as ONE argv element, not interpreted by a shell", () => {
+        const run = vi.fn();
+        // The canonical injection probe from the task description.
+        const ok = openUrl('https://x/?a=1";calc;"', { platform: "linux", run });
+        expect(ok).toBe(true);
+        expect(run).toHaveBeenCalledTimes(1);
+        const [command, args] = run.mock.calls[0];
+        expect(command).toBe("xdg-open");
+        // Exactly one argument — the whole URL — so `;calc;` can never become its
+        // own token / command.
+        expect(args).toHaveLength(1);
+        // Double-quotes are percent-encoded by WHATWG URL serialization.
+        expect(args[0]).toBe("https://x/?a=1%22;calc;%22");
+        // `calc` is never a standalone argv element — it stays embedded in the URL.
+        expect(args.some((a) => a === "calc")).toBe(false);
+    });
+    it("rejects a javascript: scheme (returns false, never spawns)", () => {
+        const run = vi.fn();
+        const ok = openUrl("javascript:alert(1)", { platform: "linux", run });
+        expect(ok).toBe(false);
+        expect(run).not.toHaveBeenCalled();
+    });
+    it("rejects a file: scheme (returns false, never spawns)", () => {
+        const run = vi.fn();
+        const ok = openUrl("file:///etc/passwd", { platform: "darwin", run });
+        expect(ok).toBe(false);
+        expect(run).not.toHaveBeenCalled();
+    });
+    it("rejects a malformed URL (returns false, never spawns)", () => {
+        const run = vi.fn();
+        const ok = openUrl("not a url", { platform: "linux", run });
+        expect(ok).toBe(false);
+        expect(run).not.toHaveBeenCalled();
+    });
+    it("accepts a URL object and re-serializes it through the WHATWG parser", () => {
+        const run = vi.fn();
+        const ok = openUrl(new URL("https://example.com/cb?code=abc&state=xyz"), { platform: "win32", run });
+        expect(ok).toBe(true);
+        const [, args] = run.mock.calls[0];
+        expect(args[args.length - 1]).toBe("https://example.com/cb?code=abc&state=xyz");
+    });
+});
+//# sourceMappingURL=open-url.test.js.map

package/dist/src/utils/settings.d.ts

@@ -150,6 +150,8 @@ export interface UserSettings {
     councilCostAware?: boolean;
     /** Set true after the user has been prompted (or skipped) the web-research onboarding. */
     webResearchPrompted?: boolean;
+    /** Set true after the user has been prompted (or skipped) the first-run Experience Engine setup. */
+    eeSetupPrompted?: boolean;
     /**
      * Unix ms timestamp of the last npm-registry update check. Used to throttle
      * checkForUpdate to once per day so the CLI never spams the registry on
@@ -238,6 +240,16 @@ export interface ProjectSettings {
     shell?: ShellSettings;
     lsp?: LspSettings;
 }
+/**
+ * Ensure the CLI's own project-local footprint (`.muonroi-cli/`) is gitignored
+ * in `cwd`, so it is never swept into a commit by `git add -A`. The directory
+ * can hold provider API keys and sandbox secrets in `settings.json` /
+ * `environment.json`; a real session committed it to a public repo. We add the
+ * entry only inside an actual git repo (a `.git` dir/file present) to avoid
+ * littering `.gitignore` into arbitrary directories. Idempotent and silent on
+ * any I/O error — protection is best-effort and must never break the workflow.
+ */
+export declare function ensureFootprintGitignored(cwd?: string): void;
 export declare function loadUserSettings(): UserSettings;
 export declare function saveUserSettings(partial: Partial<UserSettings>): void;
 export declare function loadProjectSettings(): ProjectSettings;

package/dist/src/utils/settings.js

@@ -92,6 +92,51 @@ function writeJson(filePath, data) {
     ensureDir(path.dirname(filePath));
     fs.writeFileSync(filePath, JSON.stringify(data, null, 2), { mode: 0o600 });
 }
+/**
+ * Ensure the CLI's own project-local footprint (`.muonroi-cli/`) is gitignored
+ * in `cwd`, so it is never swept into a commit by `git add -A`. The directory
+ * can hold provider API keys and sandbox secrets in `settings.json` /
+ * `environment.json`; a real session committed it to a public repo. We add the
+ * entry only inside an actual git repo (a `.git` dir/file present) to avoid
+ * littering `.gitignore` into arbitrary directories. Idempotent and silent on
+ * any I/O error — protection is best-effort and must never break the workflow.
+ */
+export function ensureFootprintGitignored(cwd = process.cwd()) {
+    const ENTRY = ".muonroi-cli/";
+    try {
+        if (!fs.existsSync(path.join(cwd, ".git")))
+            return; // not a git repo — skip
+        const gitignorePath = path.join(cwd, ".gitignore");
+        let content = "";
+        if (fs.existsSync(gitignorePath)) {
+            content = fs.readFileSync(gitignorePath, "utf-8");
+            // Already covered by an exact or directory entry (`.muonroi-cli` or
+            // `.muonroi-cli/`). Avoid matching unrelated lines via line-exact test.
+            const lines = content.split(/\r?\n/).map((l) => l.trim());
+            if (lines.includes(ENTRY) || lines.includes(".muonroi-cli"))
+                return;
+        }
+        const comment = "# muonroi-cli local state (may contain API keys) — auto-added";
+        let block;
+        if (content.length === 0) {
+            // Fresh file — no leading blank line.
+            block = `${comment}\n${ENTRY}\n`;
+        }
+        else {
+            const sep = content.endsWith("\n") ? "\n" : "\n\n";
+            block = `${sep}${comment}\n${ENTRY}\n`;
+        }
+        fs.appendFileSync(gitignorePath, block);
+    }
+    catch (err) {
+        // best-effort: permission denied / read-only fs — never break the caller.
+        // Log at debug level only (No Silent Catch Rule) so a failure is diagnosable
+        // without spamming normal runs.
+        if (process.env.MUONROI_DEBUG) {
+            console.error(`[settings] ensureFootprintGitignored failed for ${cwd}: ${err instanceof Error ? err.message : String(err)}`);
+        }
+    }
+}
 export function loadUserSettings() {
     return readJson(USER_SETTINGS_PATH) || {};
 }
@@ -174,6 +219,9 @@ export function loadProjectSettings() {
 }
 export function saveProjectSettings(partial) {
     const projectPath = path.join(process.cwd(), ".muonroi-cli", "settings.json");
+    // Protect the footprint BEFORE the first write so the secrets-bearing file is
+    // gitignored from the moment it exists.
+    ensureFootprintGitignored(process.cwd());
     const current = loadProjectSettings();
     writeJson(projectPath, {
         ...current,

package/dist/src/utils/side-question.js

@@ -1,7 +1,7 @@
 import { generateText } from "ai";
 import { resolveModelRuntime } from "../providers/runtime.js";
-const SIDE_QUESTION_SYSTEM = `You are a helpful coding assistant answering a quick side question. The user is in the middle of a coding session and needs a fast, concise answer. Keep your response short and focused — this is a side question, not the main task.
-
+const SIDE_QUESTION_SYSTEM = `You are a helpful coding assistant answering a quick side question. The user is in the middle of a coding session and needs a fast, concise answer. Keep your response short and focused — this is a side question, not the main task.
+
 If conversation context is provided below, use it to give a more relevant answer.`;
 export async function runSideQuestion(question, provider, modelId, conversationContext, signal) {
     const runtime = resolveModelRuntime(provider, modelId);

package/dist/src/utils/skills.js

@@ -163,9 +163,9 @@ export function discoverSkills(projectRoot) {
     _skillsCache = { skills, cachedAt: now, cwd: projectRoot };
     return skills;
 }
-const SKILLS_INSTRUCTIONS = `AGENT SKILLS (optional):
-The following <available_skills> list specialized workflows. Use them when they might help the user's request — not only on exact keyword matches.
-If a skill's description fits the task or could improve consistency, read that skill's instructions first using read_file with the path from <location>, then follow the SKILL.md body.
+const SKILLS_INSTRUCTIONS = `AGENT SKILLS (optional):
+The following <available_skills> list specialized workflows. Use them when they might help the user's request — not only on exact keyword matches.
+If a skill's description fits the task or could improve consistency, read that skill's instructions first using read_file with the path from <location>, then follow the SKILL.md body.
 Paths inside a skill (scripts/, references/, assets/) are relative to the skill directory (the folder containing SKILL.md); prefer absolute paths in tool calls.`;
 /** OpenCode-style XML catalog plus activation instructions for read_file. Returns null if no skills. */
 export function formatSkillsForPrompt(skills) {

package/dist/src/verify/__tests__/coverage-parsers.test.js

@@ -1,38 +1,38 @@
 import { describe, expect, it } from "vitest";
 import { extractCoverageFromOutput, parseBunCoverage, parseJestCoverage, parsePytestCoverage, parseVitestCoverage, } from "../coverage-parsers.js";
-const BUN_OUTPUT = `
-[0.12ms] 11 tests passed
-[0.00ms] 0 tests failed
-
------------------------|---------|---------|---------|---------|-----------------------
-File                   | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s
------------------------|---------|---------|---------|---------|-----------------------
-All files              |   85.50 |   70.00 |   90.00 |   85.50 |
- index.ts              |   85.50 |   70.00 |   90.00 |   85.50 | 10-15
------------------------|---------|---------|---------|---------|-----------------------
+const BUN_OUTPUT = `
+[0.12ms] 11 tests passed
+[0.00ms] 0 tests failed
+
+-----------------------|---------|---------|---------|---------|-----------------------
+File                   | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s
+-----------------------|---------|---------|---------|---------|-----------------------
+All files              |   85.50 |   70.00 |   90.00 |   85.50 |
+ index.ts              |   85.50 |   70.00 |   90.00 |   85.50 | 10-15
+-----------------------|---------|---------|---------|---------|-----------------------
 `;
-const VITEST_OUTPUT = `
-  Files                    | % Stmts | % Branch | % Funcs | % Lines | Uncovered Lines
- --------------------------|---------|---------|---------|---------|-----------------
-  All files                |   92.31 |   85.71 |     100 |   92.31 | 
-   reality-anchor.ts       |     100 |     100 |     100 |     100 | 
-   verify-result.ts        |   83.33 |      75 |     100 |   83.33 | 12-15
- --------------------------|---------|---------|---------|---------|-----------------
+const VITEST_OUTPUT = `
+  Files                    | % Stmts | % Branch | % Funcs | % Lines | Uncovered Lines
+ --------------------------|---------|---------|---------|---------|-----------------
+  All files                |   92.31 |   85.71 |     100 |   92.31 | 
+   reality-anchor.ts       |     100 |     100 |     100 |     100 | 
+   verify-result.ts        |   83.33 |      75 |     100 |   83.33 | 12-15
+ --------------------------|---------|---------|---------|---------|-----------------
 `;
-const JEST_OUTPUT = `
-----------|---------|----------|---------|---------|-------------------
-File      | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s 
-----------|---------|----------|---------|---------|-------------------
-All files |   75.42 |    62.15 |   80.52 |   75.42 |                   
-----------|---------|----------|---------|---------|-------------------
+const JEST_OUTPUT = `
+----------|---------|----------|---------|---------|-------------------
+File      | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s 
+----------|---------|----------|---------|---------|-------------------
+All files |   75.42 |    62.15 |   80.52 |   75.42 |                   
+----------|---------|----------|---------|---------|-------------------
 `;
-const PYTEST_OUTPUT = `
-Name                      Stmts   Miss  Cover
----------------------------------------------
-muonroi/__init__.py           0      0   100%
-muonroi/cli.py               42      8    81%
----------------------------------------------
-TOTAL                        42      8    81%
+const PYTEST_OUTPUT = `
+Name                      Stmts   Miss  Cover
+---------------------------------------------
+muonroi/__init__.py           0      0   100%
+muonroi/cli.py               42      8    81%
+---------------------------------------------
+TOTAL                        42      8    81%
 `;
 describe("Coverage Parsers", () => {
     it("should parse bun coverage", () => {

package/dist/src/verify/environment.js

@@ -1,6 +1,6 @@
 import * as fs from "fs";
 import * as path from "path";
-import { mergeSandboxSettings, normalizeSandboxSettings } from "../utils/settings.js";
+import { ensureFootprintGitignored, mergeSandboxSettings, normalizeSandboxSettings, } from "../utils/settings.js";
 import { normalizeVerifyRecipe } from "./recipes.js";
 const VERIFY_ENVIRONMENT_FILES = [".muonroi-cli/environment.json", "environment.json"];
 const GENERATED_VERIFY_ENVIRONMENT = ".muonroi-cli/environment.json";
@@ -90,6 +90,7 @@ function pickPersistentSandboxSettings(settings) {
 }
 export function saveVerifyEnvironment(cwd, recipe, sandboxSettings = {}) {
     const filePath = path.join(cwd, GENERATED_VERIFY_ENVIRONMENT);
+    ensureFootprintGitignored(cwd);
     fs.mkdirSync(path.dirname(filePath), { recursive: true });
     const payload = {
         recipe: {

package/package.json

@@ -3,7 +3,7 @@
   "workspaces": [
     "packages/*"
   ],
-  "version": "1.4.1",
+  "version": "1.6.0",
   "description": "BYOK AI coding agent with multi-model council debate, role-based routing, and auto-compact.",
   "repository": {
     "type": "git",