odd-studio 2.1.0 → 2.2.1

package/bin/odd-studio.js

@@ -62,7 +62,7 @@ program
     console.log(chalk.bold(`  Setting up: ${chalk.cyan(resolvedName)}\n`));
 
     // 1. Scaffold project structure
-    print.step(1, 4, 'Creating project structure...');
+    print.step(1, 5, 'Creating project structure...');
     const spinner1 = ora({ text: '', indent: 4 }).start();
     try {
       await scaffoldProject(targetDir, resolvedName);
@@ -76,7 +76,7 @@ program
 
     // 2. Install /odd skill
     if (!options.skipSkill) {
-      print.step(2, 4, 'Installing /odd skill into Claude Code...');
+      print.step(2, 5, 'Installing /odd skill into Claude Code...');
       const spinner2 = ora({ text: '', indent: 4 }).start();
       try {
         const result = await installSkill(PACKAGE_ROOT);
@@ -88,13 +88,13 @@ program
         print.info('Manual install: copy ' + chalk.dim('skill/') + ' to ' + chalk.dim('~/.claude/skills/odd/'));
       }
     } else {
-      print.step(2, 4, 'Skipping skill install (--skip-skill)');
+      print.step(2, 5, 'Skipping skill install (--skip-skill)');
       print.warn('Remember to install the skill manually for /odd to work in Claude Code.');
     }
 
     // 3. Setup hooks
     if (!options.skipHooks) {
-      print.step(3, 4, 'Installing safety hooks into Claude Code settings...');
+      print.step(3, 5, 'Installing safety hooks into Claude Code settings...');
       const spinner3 = ora({ text: '', indent: 4 }).start();
       try {
         const result = await setupHooks(PACKAGE_ROOT);
@@ -106,24 +106,38 @@ program
         print.info('Manual install: add entries from ' + chalk.dim('hooks/') + ' to ~/.claude/settings.json');
       }
     } else {
-      print.step(3, 4, 'Skipping hooks (--skip-hooks)');
+      print.step(3, 5, 'Skipping hooks (--skip-hooks)');
       print.warn('Safety hooks not installed. Git guardrails and quality gates will not run.');
     }
 
-    // 4. Configure ruflo MCP server (cross-session memory)
-    print.step(4, 4, 'Configuring ruflo memory server...');
-    const spinner4 = ora({ text: '', indent: 4 }).start();
+    // 4. Install Checkpoint security scanning tools
+    print.step(4, 5, 'Installing Checkpoint security scanning tools...');
+    const spinner4a = ora({ text: '', indent: 4 }).start();
+    try {
+      const { execSync } = await import('child_process');
+      execSync('npx @darrenjcoxon/vibeguard --install-tools --quiet 2>/dev/null', { stdio: 'ignore', timeout: 60000 });
+      spinner4a.stop();
+      print.ok('Checkpoint security tools installed');
+    } catch (e) {
+      spinner4a.stop();
+      print.warn('Checkpoint tools could not be installed automatically');
+      print.info('Run: npx @darrenjcoxon/vibeguard --install-tools  to enable security scanning');
+    }
+
+    // 5. Configure ruflo MCP server (cross-session memory)
+    print.step(5, 5, 'Configuring ruflo memory server...');
+    const spinner5 = ora({ text: '', indent: 4 }).start();
     try {
       const { default: setupMcp } = await import('../scripts/setup-mcp.js');
       const mcpResult = await setupMcp();
-      spinner4.stop();
+      spinner5.stop();
       if (mcpResult.mcpJsonUpdated || mcpResult.settingsUpdated) {
         print.ok('Ruflo MCP server configured — cross-session memory enabled');
       } else {
         print.ok('Ruflo MCP server already configured');
       }
     } catch (e) {
-      spinner4.stop();
+      spinner5.stop();
       print.warn('Could not configure ruflo automatically: ' + e.message);
       print.info('Manual setup: add ruflo to ~/.mcp.json and enable in ~/.claude/settings.json');
       print.info('See: https://github.com/ruvnet/ruflo for installation instructions');
@@ -138,8 +152,9 @@ program
     if (projectName) {
       console.log('  1. ' + chalk.cyan(`cd ${projectName}`));
     }
-    console.log('  ' + (projectName ? '2' : '1') + '. Open Claude Code: ' + chalk.cyan('claude .'));
-    console.log('  ' + (projectName ? '3' : '2') + '. Start your ODD session: ' + chalk.cyan('/odd'));
+    console.log('  ' + (projectName ? '2' : '1') + '. Restart Claude Code: ' + chalk.cyan('quit and reopen') + chalk.dim(' (activates ruflo memory + hooks)'));
+    console.log('  ' + (projectName ? '3' : '2') + '. Open your project: ' + chalk.cyan('claude .'));
+    console.log('  ' + (projectName ? '4' : '3') + '. Start your ODD session: ' + chalk.cyan('/odd'));
     print.blank();
 
     console.log(chalk.dim('  ODD Studio implements Outcome-Driven Development.'));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "odd-studio",
-  "version": "2.1.0",
+  "version": "2.2.1",
   "description": "Outcome-Driven Development for Claude Code — a planning and build harness for domain experts building serious software with AI.",
   "keywords": [
     "claude-code",

package/scripts/postinstall.js

@@ -22,6 +22,7 @@ Promise.all([
 ])
   .then(() => {
     console.log('✓ ODD Studio: /odd skill, safety hooks, and ruflo memory installed into Claude Code');
+    console.log('  → Restart Claude Code now to activate ruflo memory and hooks.');
     console.log('  Run: npx odd-studio init [project-name]  to scaffold your first project.');
   })
   .catch((e) => {

package/skill/SKILL.md

@@ -192,7 +192,59 @@ After collecting the description, call `mcp__ruflo__agent_spawn` with the custom
 
 ---
 
-### `*export`
+### `confirm`
+
+The domain expert types `confirm` when all verification steps for the current outcome have passed on a single complete run.
+
+Execute the following steps in order:
+
+**1. Run Checkpoint.**
+
+Execute via Bash: `npx @darrenjcoxon/vibeguard --security-only -o json 2>/dev/null`
+
+Display to the domain expert: "Checkpoint running..."
+
+Parse the JSON output. Look for findings with severity `critical`, `high`, or `secret`.
+
+**If Checkpoint is not installed** (command fails or returns an error): skip silently and display "Checkpoint not installed — type `npx @darrenjcoxon/vibeguard --install-tools` in your terminal to enable security scanning." Then proceed to step 3.
+
+**2. If Checkpoint finds critical, high, or secret findings:**
+
+Do NOT advance to the next outcome.
+
+Translate each finding from technical language to a plain-language fix instruction. Do not show raw scanner output to the domain expert.
+
+Brief the build agent directly with the fix instructions. Do not ask the domain expert to review them.
+
+Display: "Checkpoint found [N] security issue(s) in this outcome. The build agent is fixing them now. This does not affect your verification — the outcome behaves correctly. Once the security fix is complete, Checkpoint will run again automatically."
+
+After the build agent applies fixes, re-run Checkpoint automatically (repeat step 1). Repeat until Checkpoint is clear. Then proceed to step 3.
+
+**3. If Checkpoint is clear:**
+
+Display: "Checkpoint clear."
+
+Commit the verified state via git with message: `feat: verified [outcome name] — [phase]`
+
+Call `mcp__ruflo__memory_store` key `odd-outcome-[name]` with status `verified`, namespace `odd-project`.
+
+Update `.odd/state.json`: mark outcome as verified, set `nextStep` to the next outcome in the phase.
+
+Display:
+
+---
+
+**[Outcome name] — verified and committed.**
+
+Checkpoint: clear.
+
+**Next:** [next outcome name and one-sentence description]
+
+Type `*build` to begin, or `*status` to see the full phase progress.
+
+---
+
+---
 
 Generate the IDE Session Brief. This is a standalone document that a developer or AI coding agent can use to execute a build session without needing to ask planning questions.
 
@@ -428,8 +480,11 @@ At key moments in the methodology, proactively explain why the current step matt
 **Plan signed off:**
 "The Master Implementation Plan is approved. You have a sequenced, dependency-respecting build order, anchored to real personas and verified outcomes. This is the document that turns a vision into an executable build. You are ready."
 
+**Checkpoint clear (first time):**
+"Checkpoint runs automatically every time you confirm an outcome. It scans what was just built for security issues — exposed secrets, missing authentication checks, injection vulnerabilities — and briefs the build agent to fix anything it finds before you move on. You do not need to understand what it found or how it was fixed. Security is not a separate concern in ODD Studio. It is built into the rhythm of the build."
+
 **Phase complete:**
-"Phase complete. All outcomes in this phase have been verified. The contracts they exposed are now available to the next phase. Well done — this is exactly how a well-planned build should progress."
+"Phase complete. All outcomes in this phase have been verified and cleared by Checkpoint. The contracts they exposed are now available to the next phase. Well done — this is exactly how a well-planned build should progress."
 
 ---
 

package/skill/docs/build/build-protocol.md

@@ -61,7 +61,13 @@ Collect all failures from the verification run and send them in a single message
 
 When all steps pass on a single complete run, type `confirm`.
 
-ODD Studio commits the verified state, updates ruflo memory, and presents the next outcome. The domain expert did not write a commit message, update a status file, or identify what comes next. The tool handled all of that.
+ODD Studio runs Checkpoint — a security scan of everything built in this outcome. The domain expert does not trigger this, read the results, or action any findings. It happens automatically.
+
+If Checkpoint finds no issues, ODD Studio commits the verified state, updates ruflo memory, and presents the next outcome.
+
+If Checkpoint finds security issues, ODD Studio briefs the build agent with the findings and triggers a fix. The domain expert waits. Once the fix is complete, Checkpoint runs again. When it is clear, the outcome is committed and the next outcome is presented.
+
+The domain expert did not write a commit message, update a status file, identify security issues, or decide what comes next. The tool handled all of that.
 
 ---