odd-studio 2.0.0 → 2.2.0

package/bin/odd-studio.js

@@ -62,7 +62,7 @@ program
     console.log(chalk.bold(`  Setting up: ${chalk.cyan(resolvedName)}\n`));
 
     // 1. Scaffold project structure
-    print.step(1, 3, 'Creating project structure...');
+    print.step(1, 4, 'Creating project structure...');
     const spinner1 = ora({ text: '', indent: 4 }).start();
     try {
       await scaffoldProject(targetDir, resolvedName);
@@ -76,7 +76,7 @@ program
 
     // 2. Install /odd skill
     if (!options.skipSkill) {
-      print.step(2, 3, 'Installing /odd skill into Claude Code...');
+      print.step(2, 4, 'Installing /odd skill into Claude Code...');
       const spinner2 = ora({ text: '', indent: 4 }).start();
       try {
         const result = await installSkill(PACKAGE_ROOT);
@@ -88,13 +88,13 @@ program
         print.info('Manual install: copy ' + chalk.dim('skill/') + ' to ' + chalk.dim('~/.claude/skills/odd/'));
       }
     } else {
-      print.step(2, 3, 'Skipping skill install (--skip-skill)');
+      print.step(2, 4, 'Skipping skill install (--skip-skill)');
       print.warn('Remember to install the skill manually for /odd to work in Claude Code.');
     }
 
     // 3. Setup hooks
     if (!options.skipHooks) {
-      print.step(3, 3, 'Installing safety hooks into Claude Code settings...');
+      print.step(3, 4, 'Installing safety hooks into Claude Code settings...');
       const spinner3 = ora({ text: '', indent: 4 }).start();
       try {
         const result = await setupHooks(PACKAGE_ROOT);
@@ -106,10 +106,43 @@ program
         print.info('Manual install: add entries from ' + chalk.dim('hooks/') + ' to ~/.claude/settings.json');
       }
     } else {
-      print.step(3, 3, 'Skipping hooks (--skip-hooks)');
+      print.step(3, 4, 'Skipping hooks (--skip-hooks)');
       print.warn('Safety hooks not installed. Git guardrails and quality gates will not run.');
     }
 
+    // 4. Install Checkpoint security scanning tools
+    print.step(4, 5, 'Installing Checkpoint security scanning tools...');
+    const spinner4a = ora({ text: '', indent: 4 }).start();
+    try {
+      const { execSync } = await import('child_process');
+      execSync('npx @darrenjcoxon/vibeguard --install-tools --quiet 2>/dev/null', { stdio: 'ignore', timeout: 60000 });
+      spinner4a.stop();
+      print.ok('Checkpoint security tools installed');
+    } catch (e) {
+      spinner4a.stop();
+      print.warn('Checkpoint tools could not be installed automatically');
+      print.info('Run: npx @darrenjcoxon/vibeguard --install-tools  to enable security scanning');
+    }
+
+    // 5. Configure ruflo MCP server (cross-session memory)
+    print.step(5, 5, 'Configuring ruflo memory server...');
+    const spinner5 = ora({ text: '', indent: 4 }).start();
+    try {
+      const { default: setupMcp } = await import('../scripts/setup-mcp.js');
+      const mcpResult = await setupMcp();
+      spinner5.stop();
+      if (mcpResult.mcpJsonUpdated || mcpResult.settingsUpdated) {
+        print.ok('Ruflo MCP server configured — cross-session memory enabled');
+      } else {
+        print.ok('Ruflo MCP server already configured');
+      }
+    } catch (e) {
+      spinner5.stop();
+      print.warn('Could not configure ruflo automatically: ' + e.message);
+      print.info('Manual setup: add ruflo to ~/.mcp.json and enable in ~/.claude/settings.json');
+      print.info('See: https://github.com/ruvnet/ruflo for installation instructions');
+    }
+
     // ── Done ──
     print.blank();
     console.log(chalk.bold.green('  ✓ ODD Studio is ready.\n'));
@@ -188,6 +221,15 @@ program
       s2.fail('Hooks update failed: ' + e.message);
     }
 
+    const s3 = ora({ text: 'Checking ruflo MCP configuration...', indent: 4 }).start();
+    try {
+      const { default: setupMcp } = await import('../scripts/setup-mcp.js');
+      const mcpResult = await setupMcp();
+      s3.succeed(mcpResult.mcpJsonUpdated || mcpResult.settingsUpdated ? 'Ruflo MCP configured' : 'Ruflo MCP already configured');
+    } catch (e) {
+      s3.fail('Ruflo MCP check failed: ' + e.message);
+    }
+
     print.blank();
     print.ok('Upgrade complete.');
     print.blank();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "odd-studio",
-  "version": "2.0.0",
+  "version": "2.2.0",
   "description": "Outcome-Driven Development for Claude Code — a planning and build harness for domain experts building serious software with AI.",
   "keywords": [
     "claude-code",

package/scripts/postinstall.js

@@ -13,16 +13,19 @@ if (!isGlobal && !isNpx) {
   process.exit(0);
 }
 
-import('./install-skill.js')
-  .then(({ default: installSkill }) => {
-    const pkg = new URL('..', import.meta.url).pathname;
-    return installSkill(pkg.replace(/\/$/, ''));
-  })
+const pkg = new URL('..', import.meta.url).pathname.replace(/\/$/, '');
+
+Promise.all([
+  import('./install-skill.js').then(({ default: installSkill }) => installSkill(pkg)),
+  import('./setup-hooks.js').then(({ default: setupHooks }) => setupHooks(pkg)),
+  import('./setup-mcp.js').then(({ default: setupMcp }) => setupMcp()),
+])
   .then(() => {
-    console.log('✓ ODD Studio: /odd skill installed into Claude Code');
+    console.log('✓ ODD Studio: /odd skill, safety hooks, and ruflo memory installed into Claude Code');
+    console.log('  Run: npx odd-studio init [project-name]  to scaffold your first project.');
   })
   .catch((e) => {
     // Non-fatal — user can run odd-studio init manually
-    console.log('⚠ ODD Studio: Could not auto-install skill (' + e.message + ')');
+    console.log('⚠ ODD Studio: Could not complete setup (' + e.message + ')');
     console.log('  Run: npx odd-studio init  to complete setup.');
   });

package/scripts/setup-mcp.js

@@ -0,0 +1,68 @@
+'use strict';
+import fs from 'fs-extra';
+import path from 'path';
+import os from 'os';
+
+const MCP_JSON_PATH = path.join(os.homedir(), '.mcp.json');
+const SETTINGS_PATH = path.join(os.homedir(), '.claude', 'settings.json');
+
+const RUFLO_SERVER_ENTRY = {
+  type: 'stdio',
+  command: 'npx',
+  args: ['ruflo@latest', 'mcp', 'start'],
+  env: {},
+};
+
+/**
+ * Configures the ruflo MCP server so that cross-session memory works.
+ *
+ * Two writes required:
+ *   1. ~/.mcp.json — defines the server (npx ruflo@latest mcp start)
+ *   2. ~/.claude/settings.json — adds "ruflo" to enabledMcpjsonServers
+ *
+ * Both are idempotent: existing entries are left untouched.
+ */
+export default async function setupMcp() {
+  const result = { mcpJsonUpdated: false, settingsUpdated: false };
+
+  // ── 1. Add ruflo to ~/.mcp.json ────────────────────────────────────────────
+  let mcpConfig = { mcpServers: {} };
+  if (fs.existsSync(MCP_JSON_PATH)) {
+    try {
+      mcpConfig = await fs.readJson(MCP_JSON_PATH);
+    } catch {
+      // Corrupt file — start fresh but preserve any valid content
+      mcpConfig = { mcpServers: {} };
+    }
+  }
+  if (!mcpConfig.mcpServers) mcpConfig.mcpServers = {};
+
+  if (!mcpConfig.mcpServers.ruflo) {
+    mcpConfig.mcpServers.ruflo = RUFLO_SERVER_ENTRY;
+    await fs.writeJson(MCP_JSON_PATH, mcpConfig, { spaces: 2 });
+    result.mcpJsonUpdated = true;
+  }
+
+  // ── 2. Enable ruflo in ~/.claude/settings.json ─────────────────────────────
+  await fs.ensureDir(path.join(os.homedir(), '.claude'));
+  let settings = {};
+  if (fs.existsSync(SETTINGS_PATH)) {
+    try {
+      settings = await fs.readJson(SETTINGS_PATH);
+    } catch {
+      settings = {};
+    }
+  }
+
+  if (!Array.isArray(settings.enabledMcpjsonServers)) {
+    settings.enabledMcpjsonServers = [];
+  }
+
+  if (!settings.enabledMcpjsonServers.includes('ruflo')) {
+    settings.enabledMcpjsonServers.push('ruflo');
+    await fs.writeJson(SETTINGS_PATH, settings, { spaces: 2 });
+    result.settingsUpdated = true;
+  }
+
+  return result;
+}

package/skill/SKILL.md

@@ -192,7 +192,59 @@ After collecting the description, call `mcp__ruflo__agent_spawn` with the custom
 
 ---
 
-### `*export`
+### `confirm`
+
+The domain expert types `confirm` when all verification steps for the current outcome have passed on a single complete run.
+
+Execute the following steps in order:
+
+**1. Run Checkpoint.**
+
+Execute via Bash: `npx @darrenjcoxon/vibeguard --security-only -o json 2>/dev/null`
+
+Display to the domain expert: "Checkpoint running..."
+
+Parse the JSON output. Look for findings with severity `critical`, `high`, or `secret`.
+
+**If Checkpoint is not installed** (command fails or returns an error): skip silently and display "Checkpoint not installed — type `npx @darrenjcoxon/vibeguard --install-tools` in your terminal to enable security scanning." Then proceed to step 3.
+
+**2. If Checkpoint finds critical, high, or secret findings:**
+
+Do NOT advance to the next outcome.
+
+Translate each finding from technical language to a plain-language fix instruction. Do not show raw scanner output to the domain expert.
+
+Brief the build agent directly with the fix instructions. Do not ask the domain expert to review them.
+
+Display: "Checkpoint found [N] security issue(s) in this outcome. The build agent is fixing them now. This does not affect your verification — the outcome behaves correctly. Once the security fix is complete, Checkpoint will run again automatically."
+
+After the build agent applies fixes, re-run Checkpoint automatically (repeat step 1). Repeat until Checkpoint is clear. Then proceed to step 3.
+
+**3. If Checkpoint is clear:**
+
+Display: "Checkpoint clear."
+
+Commit the verified state via git with message: `feat: verified [outcome name] — [phase]`
+
+Call `mcp__ruflo__memory_store` key `odd-outcome-[name]` with status `verified`, namespace `odd-project`.
+
+Update `.odd/state.json`: mark outcome as verified, set `nextStep` to the next outcome in the phase.
+
+Display:
+
+---
+
+**[Outcome name] — verified and committed.**
+
+Checkpoint: clear.
+
+**Next:** [next outcome name and one-sentence description]
+
+Type `*build` to begin, or `*status` to see the full phase progress.
+
+---
+
+---
 
 Generate the IDE Session Brief. This is a standalone document that a developer or AI coding agent can use to execute a build session without needing to ask planning questions.
 
@@ -428,8 +480,11 @@ At key moments in the methodology, proactively explain why the current step matt
 **Plan signed off:**
 "The Master Implementation Plan is approved. You have a sequenced, dependency-respecting build order, anchored to real personas and verified outcomes. This is the document that turns a vision into an executable build. You are ready."
 
+**Checkpoint clear (first time):**
+"Checkpoint runs automatically every time you confirm an outcome. It scans what was just built for security issues — exposed secrets, missing authentication checks, injection vulnerabilities — and briefs the build agent to fix anything it finds before you move on. You do not need to understand what it found or how it was fixed. Security is not a separate concern in ODD Studio. It is built into the rhythm of the build."
+
 **Phase complete:**
-"Phase complete. All outcomes in this phase have been verified. The contracts they exposed are now available to the next phase. Well done — this is exactly how a well-planned build should progress."
+"Phase complete. All outcomes in this phase have been verified and cleared by Checkpoint. The contracts they exposed are now available to the next phase. Well done — this is exactly how a well-planned build should progress."
 
 ---
 

package/skill/docs/build/build-protocol.md

@@ -61,7 +61,13 @@ Collect all failures from the verification run and send them in a single message
 
 When all steps pass on a single complete run, type `confirm`.
 
-ODD Studio commits the verified state, updates ruflo memory, and presents the next outcome. The domain expert did not write a commit message, update a status file, or identify what comes next. The tool handled all of that.
+ODD Studio runs Checkpoint — a security scan of everything built in this outcome. The domain expert does not trigger this, read the results, or action any findings. It happens automatically.
+
+If Checkpoint finds no issues, ODD Studio commits the verified state, updates ruflo memory, and presents the next outcome.
+
+If Checkpoint finds security issues, ODD Studio briefs the build agent with the findings and triggers a fix. The domain expert waits. Once the fix is complete, Checkpoint runs again. When it is clear, the outcome is committed and the next outcome is presented.
+
+The domain expert did not write a commit message, update a status file, identify security issues, or decide what comes next. The tool handled all of that.
 
 ---