nubos-pilot 1.1.3 → 1.2.1

package/CHANGELOG.md

@@ -0,0 +1,23 @@
+# Changelog
+
+All notable changes to nubos-pilot are documented in this file. Format
+follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/); versioning
+follows [SemVer](https://semver.org/spec/v2.0.0.html).
+
+## [1.1.4] — 2026-05-25
+
+Public release.
+
+- Plan, execute, and verify code changes through a researcher + critic
+  agent loop.
+- Wave-based milestone execution; one atomic git commit per task.
+- Multi-runtime install for 14 host CLIs (Claude Code, Codex, Gemini,
+  OpenCode, Cursor, and more) via `npx nubos-pilot`.
+- Local vector memory for cross-task learnings.
+- Inter-agent messages, handoffs, and project archive with crash-safe
+  resume.
+- Hardened filesystem operations: symlink-rejecting locks, restricted
+  permissions on audit logs, path containment for file-input flags,
+  frontmatter sanitisation, and a memory-model allow-list.
+
+Full documentation at <https://pilot.nubos.cloud>.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Nubos AI
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -146,6 +146,35 @@ npm test                         # all unit tests via node:test
 node bin/check-workflows.cjs     # workflow linter
 ```
 
+See [`CONTRIBUTING.md`](./CONTRIBUTING.md) for setup, code conventions, ADR
+map and commit format.
+
+## Architecture Decisions
+
+ADRs live in the VitePress at
+[`pilot.nubos.cloud/v1/adr/`](https://pilot.nubos.cloud/v1/adr/). The
+load-bearing ones for users and contributors:
+
+| ADR | What it pins |
+|---|---|
+| 0004 | `workflow.commit_artifacts` controls whether `.nubos-pilot/` is committed |
+| 0010 | Nubosloop — researcher → executor → critic-schwarm is mandatory in `/np:execute-phase` |
+| 0012 | Completeness doctrine (12 rules in `templates/COMPLETENESS.md`) |
+| 0013 | Learnings-store schema evolution |
+| 0017 | Strict output-schema enforcement |
+| 0019 | Plan-side trust layer (`lib/plan-lint.cjs`) |
+
+## Security
+
+See [`SECURITY.md`](./SECURITY.md) for the vulnerability disclosure policy
+and threat model.
+
+## Support
+
+- Bugs / features: [GitHub issues](https://github.com/Nubos-AI/nubos-pilot/issues)
+- Security: `security@nubos.ai` (see [`SECURITY.md`](./SECURITY.md))
+- Docs: <https://pilot.nubos.cloud>
+
 ## License
 
-MIT
+MIT — see [`LICENSE`](./LICENSE).

package/SECURITY.md

@@ -0,0 +1,60 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security issue in nubos-pilot, **do not open a public issue**.
+Email **security@nubos.ai** with:
+
+- A description of the issue and its impact.
+- Steps to reproduce (PoC if possible).
+- The affected version (`npx nubos-pilot --version` or check `package.json`).
+- Your preferred contact channel for follow-up.
+
+We will acknowledge receipt within **3 business days** and provide a
+resolution plan within **14 business days**. Fixes are released as patch
+versions and announced in `CHANGELOG.md`.
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| 0.2.x   | ✅ active |
+| < 0.2   | ❌ end of life |
+
+Only the latest minor on the current major receives security patches until
+1.0 is reached.
+
+## Threat Model
+
+nubos-pilot is a **local CLI** distributed via npm to developer workstations
+and CI. It is **not** a hosted service. The threat surface and assumptions:
+
+| What nubos-pilot reads | What it writes | What it executes |
+|---|---|---|
+| `.nubos-pilot/`, project source for context | `.nubos-pilot/` state, `~/.codex/`, `~/.claude/` config (install only) | `git`, `claude`/`codex` headless via `child_process.spawn` |
+
+**Trust boundaries:**
+
+- **Project source code** — untrusted in the sense that agent-authored
+  files (`PLAN.md`, `RESEARCH.md` etc.) may contain hostile YAML. nubos-pilot
+  rejects prototype-pollution keys, refuses symlink-escape via `safe-path`,
+  caps message bodies, and whitelists ML model identifiers.
+- **`.nubos-pilot/messages/`** — multi-agent inbox; entries are written
+  atomically with `O_CREAT|O_EXCL|O_NOFOLLOW` (POSIX) so a pre-planted
+  symlink cannot redirect writes.
+- **Subprocess spawn** — `claude`/`codex` are invoked via `spawnSync` (no
+  shell). The binary path is overridable via `NUBOS_PILOT_CLAUDE_BIN` /
+  `NUBOS_PILOT_CODEX_BIN`; treat operators who can set those env vars as
+  trusted.
+- **`workflow.commit_artifacts`** flag controls whether `.nubos-pilot/`
+  artifacts are committed to git. Default is `true`; downstream projects
+  that consider artifacts sensitive should set it to `false`.
+
+## What is Out of Scope
+
+- Vulnerabilities in `@huggingface/transformers`, `usearch`, or the
+  `yaml` package — report those upstream.
+- Operator-controlled config (`config.json`) that the operator themselves
+  wrote — config is trusted input from the project owner.
+- DoS from running nubos-pilot in obviously bad conditions
+  (no disk space, no Node 22+, broken `git`).

package/agents/np-executor.md

@@ -49,6 +49,25 @@ The orchestrator provides these in your prompt context. Read every path it hands
 | Task summary (write on completion) | You fill this after the commit lands — describes changes, verification, follow-ups. | `.nubos-pilot/milestones/M<NNN>/slices/S<NNN>/tasks/T<NNNN>/T<NNNN>-SUMMARY.md` |
 | Checkpoint file (managed) | Write-through state transitions via `np-tools.cjs checkpoint transition`. Do NOT read/write directly. | `.nubos-pilot/checkpoints/<task-full-id>.json` |
 
+## Write against the success_criteria
+
+When the orchestrator includes a `<success_criteria>` block in your prompt, those criteria are the
+milestone's **acceptance target** — what "done right" means. Use them as your north star while you
+implement, not just the `verify` command. `verify` proves the code runs; the criteria prove it does
+the *right* thing. Aim for both green.
+
+- **Intent, not a build spec (ADR-0019).** Criteria say *what* must be true, never *how* to build it
+  (no schema/filename/style is implied). Don't treat a criterion as a licence to add structure the
+  task plan didn't ask for.
+- **Stay in scope.** A criterion is **never** a reason to edit a path outside `files_modified`. If
+  satisfying it would require touching another file, that is a planner-scope bug — emit the
+  `## SCOPE EXPANSION REQUEST` block (step 4a) and hand back; do not expand scope.
+- **Self-check before commit.** Before `commit-task`, re-read your diff against each criterion your
+  task contributes to (cross-reference the slice `S<NNN>-UAT.md`). If your in-scope change leaves a
+  criterion it should satisfy unmet, fix it within `files_modified` before committing — don't ship a
+  known gap for the critic to bounce back.
+- Criteria outside your task's scope are context, not your responsibility — do not chase them.
+
 ## Codebase Docs Protocol (runtime-agnostic)
 
 nubos-pilot maintains a skill-style code documentation layer at
@@ -131,6 +150,7 @@ into the `task(…)` commit. If `workflow.commit_docs=true`, the
 <scope_guardrail>
 **Do:**
 - Edit only files enumerated in `files_modified`.
+- Treat any `<success_criteria>` in your prompt as the acceptance target; self-check your diff against it before commit (see "Write against the success_criteria").
 - Commit via `node np-tools.cjs commit-task <task-id>`.
 - Write checkpoint state transitions via the wrapper.
 - Stay within the task's declared scope even if you spot tangential issues — log them, do not fix them.

package/agents/np-security-reviewer.md

@@ -1,15 +1,19 @@
 ---
 name: np-security-reviewer
-description: Read-only post-execution security audit for a milestone. Spawned by /np:validate-phase (or on demand) once all tasks of a milestone are committed. Scans every files_modified path against OWASP-aligned categories, emits M<NNN>-SECURITY.md draft with Pass/Risk/Defer per finding. Detection-only — never edits source.
+description: Read-only security auditor with two input modes. Modus A (milestone): spawned by /np:validate-phase once a milestone's tasks are committed — scans every files_modified path against OWASP-aligned categories and emits an M<NNN>-SECURITY.md draft with Pass/Risk/Defer per finding. Modus B (session/diff): spawned headlessly by the ADR-0020 in-session security hooks against a single turn-diff or commit — returns a JSON findings envelope as its final message. Detection-only in both modes — never edits source.
 tier: sonnet
 tools: Read, Bash, Grep, Glob
 color: red
 ---
 
 <role>
-You are the nubos-pilot security reviewer. Post-execution twin of `np-verifier` for the security surface. Spawned once a milestone's task commits are in place. You emit a `M<NNN>-SECURITY.md` draft with one block per finding, classified as `Pass` (no risk), `Risk` (concrete vulnerability), or `Defer` (needs user decision / out-of-scope).
+You are the nubos-pilot security reviewer. Post-execution twin of `np-verifier` for the security surface. You run in one of two modes, decided by the prompt.
 
-You DO NOT propose patches. You DO NOT edit source. You report.
+**Modus A — milestone audit (default).** Spawned once a milestone's task commits are in place. You emit a `M<NNN>-SECURITY.md` draft with one block per finding, classified as `Pass` (no risk), `Risk` (concrete vulnerability), or `Defer` (needs user decision / out-of-scope).
+
+**Modus B — session/diff (ADR-0020).** If the prompt contains a `<security_scan mode="…">` block, you operate in in-session mode: you review ONLY the supplied turn-diff (and, in `mode="commit"`, the surrounding code you reach via `Read`/`Grep`) and return a single JSON findings envelope as your **final message** — you do NOT write `M<NNN>-SECURITY.md`, do NOT use a milestone number, and do NOT read milestone files. See "## Session/Diff Mode (Modus B)" below for the exact contract.
+
+You DO NOT propose patches. You DO NOT edit source. You report — in both modes.
 
 **CRITICAL: Mandatory Initial Read**
 If the prompt contains a `<files_to_read>` block, you MUST use the `Read` tool to load every file listed there before performing any other actions. This is your primary context.
@@ -104,6 +108,48 @@ Milestone Status resolution:
 - Else any `Defer` → `deferred`.
 - Else → `clean`.
 
+## Session/Diff Mode (Modus B) — ADR-0020
+
+Triggered when the prompt contains a `<security_scan mode="stop|commit">` block. This is the in-session
+review spawned by the security hooks. It is independent by construction: you receive only the diff and a
+fresh context — you never graded the code you are reviewing.
+
+**Inputs (all inside the `<security_scan>` block):**
+- The list of changed files and the diff under review.
+- `mode="stop"` — review only what the turn changed; start from the diff, do not hunt outside it.
+- `mode="commit"` — a deeper pass: use `Read`/`Grep`/`Glob` to inspect surrounding code (callers,
+  sanitizers, related files) before deciding a finding is real, to keep false positives low.
+- An optional project guidance block. It is **additive** — it adds checks on top of the built-in OWASP
+  categories and never disables them. `RULES.md`/`CONTEXT.md` (if referenced) still authorize/neutralize
+  a finding the same way as Modus A.
+
+**Behaviour:**
+- Apply the same OWASP-aligned categories as Modus A.
+- Report ONLY concrete `Risk` findings. Omit `Pass`/no-risk entries entirely.
+- Do NOT write any file. Do NOT edit source. Do NOT spawn agents. Do NOT use a milestone number.
+
+**Output contract — your FINAL message MUST be exactly one JSON object, no prose, no code fence:**
+
+```json
+{
+  "status": "clean | risks-found",
+  "findings": [
+    {
+      "category": "Injection | Auth & Session | Access Control | Crypto | SSRF / Open Redirect | Deserialization | File / Path | Secrets | Logging | Dependencies",
+      "severity": "high | medium | low",
+      "file": "relative/path.ext",
+      "line": 42,
+      "title": "short finding title",
+      "evidence": "the matched line / why it is exploitable",
+      "mitigation_hint": "the real fix (a pointer, not a patch)"
+    }
+  ]
+}
+```
+
+If you find nothing, return `{"status":"clean","findings":[]}`. The orchestrator surfaces and fixes these
+findings as a follow-up in the same conversation — it never blocks the write or commit.
+
 ## Handoff Protocol
 
 Before reviewing, check handoffs addressed to `np-security-reviewer`:

package/bin/install.js

@@ -5,7 +5,7 @@ const fs = require('node:fs');
 const path = require('node:path');
 const os = require('node:os');
 
-const { atomicWriteFileSync, withFileLock, NubosPilotError } = require('../lib/core.cjs');
+const { atomicWriteFileSync, withFileLock, installSignalCleanup, NubosPilotError } = require('../lib/core.cjs');
 const { askUser: defaultAskUser } = require('../lib/askuser.cjs');
 const manifestMod = require('../lib/install/manifest.cjs');
 const stagingMod = require('../lib/install/staging.cjs');
@@ -159,6 +159,10 @@ function _renderShim(target, mode) {
     return '#!/usr/bin/env node\n'
       + "'use strict';\n"
       + 'const fs = require(\'node:fs\');\n'
+      + 'if (Number(process.versions.node.split(\'.\')[0]) < 22) {\n'
+      + '  process.stderr.write("nubos-pilot: requires Node >= 22 (running " + process.versions.node + ")\\n");\n'
+      + '  process.exit(1);\n'
+      + '}\n'
       + 'const TARGET = ' + JSON.stringify(target) + ';\n'
       + 'if (!fs.existsSync(TARGET)) {\n'
       + '  process.stderr.write("nubos-pilot: tool binary fehlt unter " + TARGET + "\\nFix: npx nubos-pilot@latest update\\n");\n'
@@ -170,12 +174,18 @@ function _renderShim(target, mode) {
     + "'use strict';\n"
     + 'const fs = require(\'node:fs\');\n'
     + 'const { spawn } = require(\'node:child_process\');\n'
+    + 'if (Number(process.versions.node.split(\'.\')[0]) < 22) {\n'
+    + '  process.stderr.write("nubos-pilot: requires Node >= 22 (running " + process.versions.node + ")\\n");\n'
+    + '  process.exit(1);\n'
+    + '}\n'
     + 'const TARGET = ' + JSON.stringify(target) + ';\n'
     + 'if (!fs.existsSync(TARGET)) {\n'
     + '  process.stderr.write("nubos-pilot: tool binary fehlt unter " + TARGET + "\\nFix: npx nubos-pilot@latest update\\n");\n'
     + '  process.exit(1);\n'
     + '}\n'
     + 'const child = spawn(process.execPath, [TARGET, ...process.argv.slice(2)], { stdio: \'inherit\' });\n'
+    + 'child.on(\'error\', (err) => { process.stderr.write("nubos-pilot shim: " + (err && err.message ? err.message : String(err)) + "\\n"); process.exit(1); });\n'
+    + 'for (const s of [\'SIGINT\', \'SIGTERM\', \'SIGHUP\']) { process.on(s, () => { try { child.kill(s); } catch {} }); }\n'
     + 'child.on(\'exit\', (code, sig) => { if (sig) process.kill(process.pid, sig); else process.exit(code == null ? 1 : code); });\n';
 }
 
@@ -197,24 +207,38 @@ function _stateDirFor(projectRoot) {
   return path.join(projectRoot, STATE_SUBPATH);
 }
 
-function _readExistingScope(projectRoot) {
+function _readInstallConfig(projectRoot) {
   const cfgPath = path.join(_stateDirFor(projectRoot), 'config.json');
   if (!fs.existsSync(cfgPath)) return null;
+  const { _CONFIG_PARSE_CODES, readConfig } = require('../lib/config.cjs');
+  const { NubosPilotError } = require('../lib/core.cjs');
   try {
-    const cfg = JSON.parse(fs.readFileSync(cfgPath, 'utf-8'));
-    return cfg && cfg.scope ? cfg.scope : null;
-  } catch { return null; }
+    return readConfig(projectRoot);
+  } catch (err) {
+    if (err && err.code === 'not-in-project') return null;
+    if (err && _CONFIG_PARSE_CODES.has(err.code)) {
+      throw new NubosPilotError(
+        'install-config-unusable',
+        'install refused — .nubos-pilot/config.json is unusable (' + err.code
+          + '). Repair or delete the file and re-run.',
+        { cause: err.code },
+      );
+    }
+    throw err;
+  }
+}
+
+function _readExistingScope(projectRoot) {
+  const cfg = _readInstallConfig(projectRoot);
+  return cfg && cfg.scope ? cfg.scope : null;
 }
 
 function _readExistingRuntimes(projectRoot) {
-  const cfgPath = path.join(_stateDirFor(projectRoot), 'config.json');
-  if (!fs.existsSync(cfgPath)) return null;
-  try {
-    const cfg = JSON.parse(fs.readFileSync(cfgPath, 'utf-8'));
-    if (Array.isArray(cfg.runtimes) && cfg.runtimes.length) return cfg.runtimes.slice();
-    if (cfg.runtime) return [cfg.runtime];
-    return null;
-  } catch { return null; }
+  const cfg = _readInstallConfig(projectRoot);
+  if (!cfg) return null;
+  if (Array.isArray(cfg.runtimes) && cfg.runtimes.length) return cfg.runtimes.slice();
+  if (cfg.runtime) return [cfg.runtime];
+  return null;
 }
 
 function detectMode(projectRoot, scope) {
@@ -277,10 +301,19 @@ async function _runInitQuestions(detectedRuntime, askUser, flags) {
   const model_profile = (await askUser({ type: 'select', question: 'Model-Profile?',
     options: ['frontier', 'quality', 'balanced', 'budget', 'inherit'], default: 'frontier' })).value;
   const response_language = (await askUser({ type: 'input', question: 'Response language (ISO-639 code)?', default: 'en' })).value;
+  // Wizard / --yes default is intentionally `false` (safer-by-default per
+  // FIX-B2) even though the implicit code default lives at `true` in
+  // DEFAULT_WORKFLOW (ADR-0004). The two are NOT in drift: explicit answer
+  // overrides default; absent key falls back to ADR-0004 true. This is
+  // covered by tests/install/install-flags.test.cjs:85.
+  const commit_artifacts = (await askUser({ type: 'confirm',
+    question: 'Auto-commit nubos-pilot planning artefacts (.nubos-pilot/ — milestones, roadmap, learnings) into your git repo?',
+    default: false })).value;
   return configDefaults.buildInstallConfig({
     runtime, runtimes, scope,
     model_profile,
     response_language,
+    commit_artifacts,
   });
 }
 
@@ -476,8 +509,19 @@ async function _runInstallLocked(ctx) {
   }
 
   stagingMod.finalizeSwap(payloadBase);
+  const resolvedPayloadDir = path.resolve(payloadDir);
   for (const rel of diff.stale) {
-    try { fs.unlinkSync(path.join(payloadDir, rel)); } catch {}
+    manifestMod.assertSafeManifestKey(rel, 'install-stale-cleanup');
+    const abs = path.join(payloadDir, rel);
+    const resolvedAbs = path.resolve(abs);
+    if (!(resolvedAbs === resolvedPayloadDir || resolvedAbs.startsWith(resolvedPayloadDir + path.sep))) {
+      throw new NubosPilotError(
+        'manifest-unlink-outside-base',
+        'Refusing unlink that escapes payloadDir',
+        { rel, base: path.basename(payloadDir) },
+      );
+    }
+    try { fs.unlinkSync(abs); } catch {}
   }
 
   if (opencodeManifest) {
@@ -503,9 +547,20 @@ async function _runInstallLocked(ctx) {
     const opencodeBase = resolvedScope === 'global' ? os.homedir() : projectRoot;
     for (const rel of diff.stale) {
       if (rel.startsWith(opencodeManifestPrefix)) {
+        manifestMod.assertSafeManifestKey(rel, 'install-opencode-stale');
         const relFs = rel.startsWith('~/')
           ? path.join(os.homedir(), rel.slice(2))
           : path.join(opencodeBase, rel);
+        const expectedBase = rel.startsWith('~/') ? os.homedir() : opencodeBase;
+        const resolvedRelFs = path.resolve(relFs);
+        const resolvedExpected = path.resolve(expectedBase);
+        if (!(resolvedRelFs === resolvedExpected || resolvedRelFs.startsWith(resolvedExpected + path.sep))) {
+          throw new NubosPilotError(
+            'manifest-unlink-outside-base',
+            'Refusing opencode unlink that escapes its base',
+            { rel, base: path.basename(expectedBase) },
+          );
+        }
         try { fs.unlinkSync(relFs); } catch {}
       }
     }
@@ -555,10 +610,15 @@ async function _runInstallLocked(ctx) {
     try {
       const claudeHooks = require('../lib/install/claude-hooks.cjs');
       const res = claudeHooks.installClaudeHooks({
-        projectRoot, scope: resolvedScope, which: 'both', force: false,
+        projectRoot, scope: resolvedScope, which: 'all', force: false,
       });
+      const secAction = res.results.security
+        ? Object.values(res.results.security).every((r) => r.action === 'installed') ? 'installed'
+          : Object.values(res.results.security).every((r) => r.action === 'updated') ? 'updated' : 'mixed'
+        : 'skipped';
       console.error(dim + '  [claude-hooks] statusline: ' + res.results.statusline.action
-        + ', ctx-monitor: ' + res.results.ctxMonitor.action + reset);
+        + ', ctx-monitor: ' + res.results.ctxMonitor.action
+        + ', security: ' + secAction + reset);
       if (res.results.statusline.action === 'skipped-existing') {
         console.error(yellow + '  [claude-hooks] foreign statusLine preserved — re-run `install-hooks --force` to overwrite' + reset);
       }
@@ -594,14 +654,11 @@ function _runUninstallLocked(projectRoot) {
     return { uninstalled: false };
   }
 
+  // Reuse the SAME validator as readManifest so a legitimate key like
+  // `..bar` (no traversal segment) isn't false-rejected here while passing
+  // validation upstream. Single source of truth lives in manifest.cjs.
   for (const rel of Object.keys(manifest.files)) {
-    if (rel.includes('..') || path.isAbsolute(rel)) {
-      throw new NubosPilotError(
-        'manifest-path-traversal',
-        'Manifest contains suspicious path',
-        { rel },
-      );
-    }
+    manifestMod.assertSafeManifestKey(rel, 'uninstall');
   }
 
   const payloadBase = scope === 'global' ? os.homedir() : projectRoot;
@@ -612,6 +669,20 @@ function _runUninstallLocked(projectRoot) {
     const abs = rel.startsWith('~/')
       ? path.join(os.homedir(), rel.slice(2))
       : isAsset ? path.join(payloadBase, rel) : path.join(payloadDir, rel);
+    // Defense-in-depth: even with the validator above, ensure the resolved
+    // path lives inside its expected base. A symlink or future-validator
+    // regression cannot escape this prefix check.
+    const expectedBase = rel.startsWith('~/') ? os.homedir()
+      : isAsset ? payloadBase : payloadDir;
+    const resolvedAbs = path.resolve(abs);
+    const resolvedBase = path.resolve(expectedBase);
+    if (!(resolvedAbs === resolvedBase || resolvedAbs.startsWith(resolvedBase + path.sep))) {
+      throw new NubosPilotError(
+        'manifest-unlink-outside-base',
+        'Refusing unlink that escapes its payload base',
+        { rel, base: path.basename(expectedBase) },
+      );
+    }
     try {
       fs.unlinkSync(abs);
       removed++;
@@ -639,12 +710,11 @@ function _runUninstallLocked(projectRoot) {
 
   try { fs.rmdirSync(payloadDir); } catch {}
 
-  const cfgPath = path.join(_stateDirFor(projectRoot), 'config.json');
   let installedRuntimes = [];
-  try {
-    const cfg = JSON.parse(fs.readFileSync(cfgPath, 'utf-8'));
+  const cfg = _readInstallConfig(projectRoot);
+  if (cfg) {
     installedRuntimes = cfg.runtimes || (cfg.runtime ? [cfg.runtime] : []);
-  } catch {}
+  }
 
   const legacyFiles = ['CLAUDE.md', 'AGENTS.md', 'GEMINI.md'];
   const extraFiles = [];
@@ -793,21 +863,21 @@ async function runUninstallHooks(opts) {
 }
 
 if (require.main === module) {
-  main().catch((err) => {
-    if (err && err.code) {
-      process.stderr.write(
-        JSON.stringify({
-          error: {
-            code: err.code,
-            message: err.message,
-            details: err.details || null,
-          },
-        }) + '\n',
-      );
-    } else {
-      process.stderr.write(((err && err.stack) || String(err)) + '\n');
-    }
+  if (Number(process.versions.node.split('.')[0]) < 22) {
+    process.stderr.write('nubos-pilot: requires Node >= 22 (running ' + process.versions.node + ')\n');
     process.exit(1);
+  }
+  installSignalCleanup();
+  main().catch((err) => {
+    const payload = (err && err.code)
+      ? JSON.stringify({ error: { code: err.code, message: err.message, details: err.details || null } }) + '\n'
+      : ((err && err.stack) || String(err)) + '\n';
+    // Drain stderr before exit. process.exit() can otherwise tear down the
+    // pipe mid-flush on busy CI, truncating the envelope. Set exitCode and
+    // let Node drain naturally; force-exit only as a last-resort fallback.
+    try { process.stderr.write(payload); } catch {}
+    process.exitCode = 1;
+    setTimeout(() => process.exit(1), 1000).unref();
   });
 }
 

package/bin/np-tools/_args.cjs

@@ -2,9 +2,15 @@
 
 const { NubosPilotError } = require('../../lib/core.cjs');
 
-function getFlag(rest, name) {
+function getFlag(rest, name, opts) {
   const idx = rest.indexOf(name);
-  return idx !== -1 ? rest[idx + 1] : undefined;
+  if (idx === -1) return undefined;
+  const next = rest[idx + 1];
+  const allowDash = opts && opts.allowDashValues === true;
+  if (!allowDash && typeof next === 'string' && next.startsWith('--')) {
+    return undefined;
+  }
+  return next;
 }
 
 function getJsonFlag(rest, name, missingCode, hint) {

package/bin/np-tools/_commands.cjs

@@ -96,6 +96,7 @@ const COMMANDS = [
   { name: 'loop-audit-tool-use',     category: 'Execution', description: 'Record/read the tool-use audit per spawn (Completeness Rule 9 mechanical check)', description_de: 'Tool-use Audit pro Spawn schreiben/lesen (Completeness Rule 9 mechanische Prüfung)' },
   { name: 'loop-stuck',              category: 'Execution', description: 'Mark a task as stuck (writes loop-state + flips checkpoint status to stuck)', description_de: 'Markiert Task als stuck (schreibt Loop-State + setzt Checkpoint-Status auf stuck)' },
   { name: 'spawn-headless',          category: 'Execution', description: 'Spawn an agent as a headless `claude -p` subprocess (ADR-0010 §L6); writes stdout to --output-path and returns exit code', description_de: 'Spawnt einen Agent als headless `claude -p` Subprozess (ADR-0010 §L6); schreibt stdout nach --output-path und liefert Exit-Code' },
+  { name: 'security',                category: 'Review',    description: 'In-session security review hook backend (ADR-0020). Verbs: session-start | baseline | scan | review | commit | run-review. Reads the Claude Code hook payload via --stdin; non-blocking, report-once, independent reviewer spawn.', description_de: 'Backend für die In-Session-Security-Review-Hooks (ADR-0020). Verben: session-start | baseline | scan | review | commit | run-review. Liest die Claude-Code-Hook-Payload via --stdin; non-blocking, report-once, unabhängiger Reviewer-Spawn.' },
   { name: 'loop-metrics',            category: 'Utility',   description: 'Aggregate Nubosloop telemetry across all checkpoints (commits, stuck, route distribution)', description_de: 'Aggregiert Nubosloop-Telemetrie über alle Checkpoints (Commits, Stuck, Routing)' },
   { name: 'learning-log',            category: 'Execution', description: 'Persist a learning to the local store (or MCP adapter when configured)', description_de: 'Persistiert ein Learning im lokalen Store (oder MCP-Adapter falls konfiguriert)' },
   { name: 'learning-match',          category: 'Utility',   description: 'Query the learnings store for cached patterns matching a free-text query', description_de: 'Fragt den Learnings-Store nach Cached-Patterns ab' },

package/bin/np-tools/_memory-resolve.cjs

@@ -1,7 +1,7 @@
 'use strict';
 
 const { NubosPilotError } = require('../../lib/core.cjs');
-const { readConfigPath } = require('../../lib/config.cjs');
+const { tryReadConfigPath } = require('../../lib/config.cjs');
 const { createMemory } = require('../../lib/memory.cjs');
 
 function resolveMemory(opts) {
@@ -17,7 +17,7 @@ function resolveMemory(opts) {
     });
   }
 
-  const enabled = readConfigPath(cwd, 'memory.enabled', false);
+  const enabled = tryReadConfigPath(cwd, 'memory.enabled', false);
   if (!enabled) {
     throw new NubosPilotError(
       'memory-disabled',
@@ -26,8 +26,8 @@ function resolveMemory(opts) {
     );
   }
 
-  const model = readConfigPath(cwd, 'memory.model', 'Xenova/bge-small-en-v1.5');
-  const alpha = readConfigPath(cwd, 'memory.alpha', 0.6);
+  const model = tryReadConfigPath(cwd, 'memory.model', 'Xenova/bge-small-en-v1.5');
+  const alpha = tryReadConfigPath(cwd, 'memory.alpha', 0.6);
 
   const { createLocalProvider } = require('../../lib/memory-provider-local.cjs');
   const { createUsearchIndex } = require('../../lib/memory-index-usearch.cjs');

package/bin/np-tools/checkpoint.cjs

@@ -1,5 +1,5 @@
 const { NubosPilotError } = require('../../lib/core.cjs');
-const { TASK_ID_RE } = require('../../lib/tasks.cjs');
+const { TASK_ID_RE } = require('../../lib/ids.cjs');
 const {
   startTask,
   writeCheckpoint,

package/bin/np-tools/close-project.cjs

@@ -1,36 +1,10 @@
 'use strict';
 
-const fs = require('node:fs');
-const path = require('node:path');
-const os = require('node:os');
-const crypto = require('node:crypto');
-
-const {
-  NubosPilotError,
-  projectStateDir,
-} = require('../../lib/core.cjs');
+const { NubosPilotError } = require('../../lib/core.cjs');
+const { emitInitPayload } = require('../../lib/init-emit.cjs');
 const archive = require('../../lib/archive.cjs');
 const textMode = require('../../lib/text-mode.cjs');
 
-const INLINE_THRESHOLD_BYTES = 16 * 1024;
-
-function _emit(payload, stdout, cwd) {
-  const json = JSON.stringify(payload, null, 2);
-  if (Buffer.byteLength(json, 'utf-8') <= INLINE_THRESHOLD_BYTES) {
-    stdout.write(json);
-    return;
-  }
-  let tmpDir;
-  try {
-    tmpDir = path.join(projectStateDir(cwd), '.tmp');
-    fs.mkdirSync(tmpDir, { recursive: true });
-  } catch { tmpDir = os.tmpdir(); }
-  const suffix = process.pid + '-' + crypto.randomBytes(4).toString('hex');
-  const tmpPath = path.join(tmpDir, 'init-close-project-' + suffix + '.json');
-  fs.writeFileSync(tmpPath, json, 'utf-8');
-  stdout.write('@file:' + tmpPath);
-}
-
 function _initPayload(cwd) {
   const completion = archive.computeCompletionStatus(cwd);
   const tmDetail = textMode.resolveTextModeDetail(cwd);
@@ -68,7 +42,7 @@ function run(args, ctx) {
     case 'init':
     case undefined: {
       const payload = _initPayload(cwd);
-      _emit(payload, stdout, cwd);
+      emitInitPayload(payload, stdout, cwd, 'close-project');
       return payload;
     }
     case 'check': {