rhachet-roles-ehmpathy 1.13.11 → 1.13.13

package/dist/logic/roles/mechanic/.skills/init.bhuild.sh

@@ -118,10 +118,37 @@ given()
 ...
 EOF
 
+# findsert 2.criteria.src
+findsert "$BEHAVIOR_DIR/2.criteria.src" << 'EOF'
+declare the behavioral criteria required in order to fulfill
+- this wish $BEHAVIOR_DIR_REL/0.wish.md
+- this vision $BEHAVIOR_DIR_REL/1.vision.md (if declared)
+
+via bdd declarations, per your briefs
+
+via the template in $BEHAVIOR_DIR/2.criteria.md
+
+emit into $BEHAVIOR_DIR/2.criteria.md
+
+---
+
+focus on the behavioral requirements
+- critical paths
+- boundary paths
+
+ignore infra or technical details
+
+focus on behaviors
+
+ensure to cover all of the criteria required to fulfill the full set of behaviors declared in the wish and vision
+EOF
+
 # findsert 3.1.research.domain._.v1.src
 findsert "$BEHAVIOR_DIR/3.1.research.domain._.v1.src" << EOF
-research the domain available in order to fulfill the wish declared
-in $BEHAVIOR_DIR_REL/0.wish.md
+research the domain available in order to fulfill
+- this wish $BEHAVIOR_DIR_REL/0.wish.md
+- this vision $BEHAVIOR_DIR_REL/1.vision.md (if declared)
+- this criteria $BEHAVIOR_DIR_REL/2.criteria.md (if declared)
 
 specifically
 - what are the domain objects that are involved with this wish
@@ -134,7 +161,11 @@ specifically
   - setCreate
   - setUpdate
   - setDelete
-  - ...
+- what are the relationships between the domain objects?
+  - is there a treestruct of decoration?
+  - is there a treestruct of common subdomains?
+  - are there dependencies?
+- how do the domain objects and operations compose to support wish?
 
 ---
 
@@ -154,8 +185,12 @@ EOF
 # findsert 3.2.distill.domain._.v1.src
 findsert "$BEHAVIOR_DIR/3.2.distill.domain._.v1.src" << EOF
 distill the declastruct domain.objects and domain.operations that would
-- enable fulfillment of this wish $BEHAVIOR_DIR_REL/0.wish.md
-- given the research declared here $BEHAVIOR_DIR_REL/3.1.research.domain._.v1.i1.md
+- enable fulfillment of
+  - this wish $BEHAVIOR_DIR_REL/0.wish.md
+  - this vision $BEHAVIOR_DIR_REL/1.vision.md (if declared)
+  - this criteria $BEHAVIOR_DIR_REL/2.criteria.md (if declared)
+- given the research declared here
+  - $BEHAVIOR_DIR_REL/3.1.research.domain._.v1.i1.md (if declared)
 
 procedure
 1. declare the usecases and envision the contract that would be used to fulfill the usecases
@@ -171,7 +206,7 @@ propose a blueprint for how we can implement the wish described
 - in $BEHAVIOR_DIR_REL/0.wish.md
 
 with the domain distillation declared
-- in $BEHAVIOR_DIR_REL/3.2.distill.domain._.v1.i1.md
+- in $BEHAVIOR_DIR_REL/3.2.distill.domain._.v1.i1.md (if declared)
 
 follow the patterns already present in this repo
 
@@ -179,9 +214,10 @@ follow the patterns already present in this repo
 
 reference the below for full context
 - $BEHAVIOR_DIR_REL/0.wish.md
-- $BEHAVIOR_DIR_REL/3.1.research.domain._.v1.i1.md
-- $BEHAVIOR_DIR_REL/3.2.distill.domain._.v1.i1.md
-
+- $BEHAVIOR_DIR_REL/1.vision.md (if declared)
+- $BEHAVIOR_DIR_REL/2.criteria.md (if declared)
+- $BEHAVIOR_DIR_REL/3.1.research.domain._.v1.i1.md (if declared)
+- $BEHAVIOR_DIR_REL/3.2.distill.domain._.v1.i1.md (if declared)
 
 ---
 
@@ -199,6 +235,13 @@ declare a roadmap,
 
 for how to execute the blueprint specified in $BEHAVIOR_DIR_REL/3.3.blueprint.v1.i1.md
 
+ref:
+- $BEHAVIOR_DIR_REL/0.wish.md
+- $BEHAVIOR_DIR_REL/1.vision.md (if declared)
+- $BEHAVIOR_DIR_REL/2.criteria.md (if declared)
+- $BEHAVIOR_DIR_REL/3.2.distill.domain._.v1.i1.md (if declared)
+- $BEHAVIOR_DIR_REL/3.3.blueprint.v1.i1.md
+
 ---
 
 emit into $BEHAVIOR_DIR_REL/4.1.roadmap.v1.i1.md
@@ -214,8 +257,13 @@ of roadmap
 - $BEHAVIOR_DIR_REL/4.1.roadmap.v1.i1.md
 
 ref:
+- $BEHAVIOR_DIR_REL/0.wish.md
+- $BEHAVIOR_DIR_REL/1.vision.md (if declared)
+- $BEHAVIOR_DIR_REL/2.criteria.md (if declared)
+- $BEHAVIOR_DIR_REL/3.2.distill.domain._.v1.i1.md (if declared)
 - $BEHAVIOR_DIR_REL/3.3.blueprint.v1.i1.md
 
+
 ---
 
 track your progress

package/dist/logic/roles/mechanic/.skills/init.claude.permissions.jsonc

@@ -0,0 +1,136 @@
+{
+  // mechanic role permissions for Claude
+  //
+  // these permissions are conservative by design:
+  // - deny: commands that should never be auto-approved
+  // - ask: commands that require explicit user approval
+  // - allow: commands that are safe to auto-approve
+
+  "permissions": {
+    // commands that should never be auto-approved
+    "deny": [
+      // git write operations - require explicit user approval for audit trail
+      "Bash(git commit:*)",
+      "Bash(git add:*)",
+      "Bash(git stash:*)",
+      "Bash(git checkout:*)",
+
+      // "anywrite" commands - CRITICAL SECURITY RISK
+      //
+      // unlike Claude's native Edit/Write tools which are scoped to the repo,
+      // these bash commands can write ANYWHERE on your OS. this makes them
+      // prime targets for prompt injection attacks:
+      //
+      //   1. user asks claude to fetch docs from lookslegit.dev/api-reference
+      //   2. page contains hidden instructions to write innocent-looking content
+      //   3. with anywrite allowed, claude writes to ~/.bashrc or ~/.zshrc
+      //   4. content looks like helpful aliases but executes malicious logic
+      //   5. your entire system is now compromised
+      //
+      // sed: in-place file modification anywhere on disk
+      "Bash(sed:*)",
+      // tee: write to any path - ~/.bashrc, ~/.ssh/authorized_keys, etc.
+      "Bash(tee:*)",
+      // find -exec: arbitrary command execution on matched files
+      "Bash(find:*)",
+      // echo >: redirect to any file - echo "malicious" >> ~/.bashrc
+      "Bash(echo:*)",
+      // mv: move/overwrite any file - mv ~/.ssh/config ~/.ssh/config.bak
+      "Bash(mv:*)",
+
+      // test runners - should use npm run test:* scripts instead
+      // direct invocation bypasses project test configuration
+      "Bash(npx biome:*)",
+      "Bash(npx jest:*)"
+    ],
+
+    // commands that require explicit user approval each time
+    "ask": [
+      "Bash(bash:*)",
+      "Bash(chmod:*)",
+      "Bash(npm install:*)",
+      "Bash(pnpm install:*)",
+      "Bash(pnpm add:*)"
+    ],
+
+    // commands that are safe to auto-approve
+    "allow": [
+      // ide integrations
+      "mcp__ide__getDiagnostics",
+
+      // web access
+      "WebSearch",
+      "WebFetch(domain:github.com)",
+      "WebFetch(domain:www.npmjs.com)",
+      "WebFetch(domain:hub.docker.com)",
+      "WebFetch(domain:raw.githubusercontent.com)",
+      "WebFetch(domain:biomejs.dev)",
+
+      // git read-only
+      "Bash(git log:*)",
+
+      // filesystem read operations
+      "Bash(ls:*)",
+      "Bash(tree:*)",
+      "Bash(cat:*)",
+      "Bash(head:*)",
+      "Bash(tail:*)",
+      "Bash(grep:*)",
+      "Bash(wc:*)",
+      "Bash(diff:*)",
+      "Bash(which:*)",
+      "Bash(file:*)",
+      "Bash(mkdir:*)",
+      "Bash(pwd)",
+
+      // safe custom tools
+      "Bash(bash src/logic/roles/mechanic/.skills/claude.tools/mvsafe.sh:*)",
+
+      // npm read operations
+      "Bash(npm view:*)",
+      "Bash(npm list:*)",
+      "Bash(npm remove:*)",
+
+      // rhachet operations
+      "Bash(npx rhachet roles boot --repo ehmpathy --role mechanic)",
+
+      // self execution of packages
+      "Bash(npx tsx ./bin/run:*)",
+
+      // build operations
+      "Bash(npm run build:*)",
+      "Bash(npm run build:compile)",
+      "Bash(npm run start:testdb:*)",
+
+      // test operations
+      "Bash(npm run test:*)",
+      "Bash(npm run test:types:*)",
+      "Bash(npm run test:format:*)",
+      "Bash(npm run test:lint:*)",
+      "Bash(npm run test:unit:*)",
+      "Bash(npm run test:integration:*)",
+      "Bash(npm run test:acceptance:*)",
+
+      // thorough test operations
+      "Bash(THOROUGH=true npm run test:*)",
+      "Bash(THOROUGH=true npm run test:types:*)",
+      "Bash(THOROUGH=true npm run test:format:*)",
+      "Bash(THOROUGH=true npm run test:lint:*)",
+      "Bash(THOROUGH=true npm run test:unit:*)",
+      "Bash(THOROUGH=true npm run test:integration:*)",
+      "Bash(THOROUGH=true npm run test:acceptance:*)",
+
+      // fix operations
+      "Bash(npm run fix:*)",
+      "Bash(npm run fix:format:*)",
+      "Bash(npm run fix:lint:*)",
+
+      // github cli read operations
+      "Bash(gh pr checks:*)",
+      "Bash(gh pr status:*)",
+
+      // skill sourcing
+      "Bash(source .agent/repo=.this/skills/*)"
+    ]
+  }
+}

package/package.json

@@ -2,7 +2,7 @@
   "name": "rhachet-roles-ehmpathy",
   "author": "ehmpathy",
   "description": "empathetic software construction roles and skills, via rhachet",
-  "version": "1.13.11",
+  "version": "1.13.13",
   "repository": "ehmpathy/rhachet-roles-ehmpathy",
   "homepage": "https://github.com/ehmpathy/rhachet-roles-ehmpathy",
   "keywords": [
@@ -27,7 +27,7 @@
     "fix": "npm run fix:format && npm run fix:lint",
     "build:clean": "rm dist/ -rf",
     "build:compile": "tsc -p ./tsconfig.build.json && tsc-alias -p ./tsconfig.build.json",
-    "build:complete": "rsync -a --prune-empty-dirs --include='*/' --exclude='**/.route/**' --exclude='**/.scratch/**' --exclude='**/.behavior/**' --exclude='**/*.test.sh' --include='**/*.template.md' --include='**/.briefs/**/*.md' --include='**/.briefs/*.md' --include='**/.skills/**/*.sh' --include='**/.skills/*.sh' --include='**/.skills/**/*.json' --include='**/.skills/*.json'  --exclude='*' src/ dist/",
+    "build:complete": "rsync -a --prune-empty-dirs --include='*/' --exclude='**/.route/**' --exclude='**/.scratch/**' --exclude='**/.behavior/**' --exclude='**/*.test.sh' --include='**/*.template.md' --include='**/.briefs/**/*.md' --include='**/.briefs/*.md' --include='**/.skills/**/*.sh' --include='**/.skills/*.sh' --include='**/.skills/**/*.jsonc' --include='**/.skills/*.jsonc' --exclude='*' src/ dist/",
     "build": "npm run build:clean && npm run build:compile && npm run build:complete --if-present",
     "test:commits": "LAST_TAG=$(git describe --tags --abbrev=0 @^ 2> /dev/null || git rev-list --max-parents=0 HEAD) && npx commitlint --from $LAST_TAG --to HEAD --verbose",
     "test:types": "tsc -p ./tsconfig.json --noEmit",