odd-studio 2.1.0 → 2.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/bin/odd-studio.js +19 -5
- package/package.json +1 -1
- package/skill/SKILL.md +57 -2
- package/skill/docs/build/build-protocol.md +7 -1
package/bin/odd-studio.js
CHANGED
|
@@ -110,20 +110,34 @@ program
|
|
|
110
110
|
print.warn('Safety hooks not installed. Git guardrails and quality gates will not run.');
|
|
111
111
|
}
|
|
112
112
|
|
|
113
|
-
// 4.
|
|
114
|
-
print.step(4,
|
|
115
|
-
const
|
|
113
|
+
// 4. Install Checkpoint security scanning tools
|
|
114
|
+
print.step(4, 5, 'Installing Checkpoint security scanning tools...');
|
|
115
|
+
const spinner4a = ora({ text: '', indent: 4 }).start();
|
|
116
|
+
try {
|
|
117
|
+
const { execSync } = await import('child_process');
|
|
118
|
+
execSync('npx @darrenjcoxon/vibeguard --install-tools --quiet 2>/dev/null', { stdio: 'ignore', timeout: 60000 });
|
|
119
|
+
spinner4a.stop();
|
|
120
|
+
print.ok('Checkpoint security tools installed');
|
|
121
|
+
} catch (e) {
|
|
122
|
+
spinner4a.stop();
|
|
123
|
+
print.warn('Checkpoint tools could not be installed automatically');
|
|
124
|
+
print.info('Run: npx @darrenjcoxon/vibeguard --install-tools to enable security scanning');
|
|
125
|
+
}
|
|
126
|
+
|
|
127
|
+
// 5. Configure ruflo MCP server (cross-session memory)
|
|
128
|
+
print.step(5, 5, 'Configuring ruflo memory server...');
|
|
129
|
+
const spinner5 = ora({ text: '', indent: 4 }).start();
|
|
116
130
|
try {
|
|
117
131
|
const { default: setupMcp } = await import('../scripts/setup-mcp.js');
|
|
118
132
|
const mcpResult = await setupMcp();
|
|
119
|
-
|
|
133
|
+
spinner5.stop();
|
|
120
134
|
if (mcpResult.mcpJsonUpdated || mcpResult.settingsUpdated) {
|
|
121
135
|
print.ok('Ruflo MCP server configured — cross-session memory enabled');
|
|
122
136
|
} else {
|
|
123
137
|
print.ok('Ruflo MCP server already configured');
|
|
124
138
|
}
|
|
125
139
|
} catch (e) {
|
|
126
|
-
|
|
140
|
+
spinner5.stop();
|
|
127
141
|
print.warn('Could not configure ruflo automatically: ' + e.message);
|
|
128
142
|
print.info('Manual setup: add ruflo to ~/.mcp.json and enable in ~/.claude/settings.json');
|
|
129
143
|
print.info('See: https://github.com/ruvnet/ruflo for installation instructions');
|
package/package.json
CHANGED
package/skill/SKILL.md
CHANGED
|
@@ -192,7 +192,59 @@ After collecting the description, call `mcp__ruflo__agent_spawn` with the custom
|
|
|
192
192
|
|
|
193
193
|
---
|
|
194
194
|
|
|
195
|
-
###
|
|
195
|
+
### `confirm`
|
|
196
|
+
|
|
197
|
+
The domain expert types `confirm` when all verification steps for the current outcome have passed on a single complete run.
|
|
198
|
+
|
|
199
|
+
Execute the following steps in order:
|
|
200
|
+
|
|
201
|
+
**1. Run Checkpoint.**
|
|
202
|
+
|
|
203
|
+
Execute via Bash: `npx @darrenjcoxon/vibeguard --security-only -o json 2>/dev/null`
|
|
204
|
+
|
|
205
|
+
Display to the domain expert: "Checkpoint running..."
|
|
206
|
+
|
|
207
|
+
Parse the JSON output. Look for findings with severity `critical`, `high`, or `secret`.
|
|
208
|
+
|
|
209
|
+
**If Checkpoint is not installed** (command fails or returns an error): skip silently and display "Checkpoint not installed — type `npx @darrenjcoxon/vibeguard --install-tools` in your terminal to enable security scanning." Then proceed to step 3.
|
|
210
|
+
|
|
211
|
+
**2. If Checkpoint finds critical, high, or secret findings:**
|
|
212
|
+
|
|
213
|
+
Do NOT advance to the next outcome.
|
|
214
|
+
|
|
215
|
+
Translate each finding from technical language to a plain-language fix instruction. Do not show raw scanner output to the domain expert.
|
|
216
|
+
|
|
217
|
+
Brief the build agent directly with the fix instructions. Do not ask the domain expert to review them.
|
|
218
|
+
|
|
219
|
+
Display: "Checkpoint found [N] security issue(s) in this outcome. The build agent is fixing them now. This does not affect your verification — the outcome behaves correctly. Once the security fix is complete, Checkpoint will run again automatically."
|
|
220
|
+
|
|
221
|
+
After the build agent applies fixes, re-run Checkpoint automatically (repeat step 1). Repeat until Checkpoint is clear. Then proceed to step 3.
|
|
222
|
+
|
|
223
|
+
**3. If Checkpoint is clear:**
|
|
224
|
+
|
|
225
|
+
Display: "Checkpoint clear."
|
|
226
|
+
|
|
227
|
+
Commit the verified state via git with message: `feat: verified [outcome name] — [phase]`
|
|
228
|
+
|
|
229
|
+
Call `mcp__ruflo__memory_store` key `odd-outcome-[name]` with status `verified`, namespace `odd-project`.
|
|
230
|
+
|
|
231
|
+
Update `.odd/state.json`: mark outcome as verified, set `nextStep` to the next outcome in the phase.
|
|
232
|
+
|
|
233
|
+
Display:
|
|
234
|
+
|
|
235
|
+
---
|
|
236
|
+
|
|
237
|
+
**[Outcome name] — verified and committed.**
|
|
238
|
+
|
|
239
|
+
Checkpoint: clear.
|
|
240
|
+
|
|
241
|
+
**Next:** [next outcome name and one-sentence description]
|
|
242
|
+
|
|
243
|
+
Type `*build` to begin, or `*status` to see the full phase progress.
|
|
244
|
+
|
|
245
|
+
---
|
|
246
|
+
|
|
247
|
+
---
|
|
196
248
|
|
|
197
249
|
Generate the IDE Session Brief. This is a standalone document that a developer or AI coding agent can use to execute a build session without needing to ask planning questions.
|
|
198
250
|
|
|
@@ -428,8 +480,11 @@ At key moments in the methodology, proactively explain why the current step matt
|
|
|
428
480
|
**Plan signed off:**
|
|
429
481
|
"The Master Implementation Plan is approved. You have a sequenced, dependency-respecting build order, anchored to real personas and verified outcomes. This is the document that turns a vision into an executable build. You are ready."
|
|
430
482
|
|
|
483
|
+
**Checkpoint clear (first time):**
|
|
484
|
+
"Checkpoint runs automatically every time you confirm an outcome. It scans what was just built for security issues — exposed secrets, missing authentication checks, injection vulnerabilities — and briefs the build agent to fix anything it finds before you move on. You do not need to understand what it found or how it was fixed. Security is not a separate concern in ODD Studio. It is built into the rhythm of the build."
|
|
485
|
+
|
|
431
486
|
**Phase complete:**
|
|
432
|
-
"Phase complete. All outcomes in this phase have been verified. The contracts they exposed are now available to the next phase. Well done — this is exactly how a well-planned build should progress."
|
|
487
|
+
"Phase complete. All outcomes in this phase have been verified and cleared by Checkpoint. The contracts they exposed are now available to the next phase. Well done — this is exactly how a well-planned build should progress."
|
|
433
488
|
|
|
434
489
|
---
|
|
435
490
|
|
|
@@ -61,7 +61,13 @@ Collect all failures from the verification run and send them in a single message
|
|
|
61
61
|
|
|
62
62
|
When all steps pass on a single complete run, type `confirm`.
|
|
63
63
|
|
|
64
|
-
ODD Studio
|
|
64
|
+
ODD Studio runs Checkpoint — a security scan of everything built in this outcome. The domain expert does not trigger this, read the results, or action any findings. It happens automatically.
|
|
65
|
+
|
|
66
|
+
If Checkpoint finds no issues, ODD Studio commits the verified state, updates ruflo memory, and presents the next outcome.
|
|
67
|
+
|
|
68
|
+
If Checkpoint finds security issues, ODD Studio briefs the build agent with the findings and triggers a fix. The domain expert waits. Once the fix is complete, Checkpoint runs again. When it is clear, the outcome is committed and the next outcome is presented.
|
|
69
|
+
|
|
70
|
+
The domain expert did not write a commit message, update a status file, identify security issues, or decide what comes next. The tool handled all of that.
|
|
65
71
|
|
|
66
72
|
---
|
|
67
73
|
|