npm - shipwright-cli - Versions diffs - 3.2.0 → 3.3.0 - Mend

shipwright-cli 3.2.0 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (279) hide show

package/.claude/agents/code-reviewer.md +2 -0
package/.claude/agents/devops-engineer.md +2 -0
package/.claude/agents/doc-fleet-agent.md +2 -0
package/.claude/agents/pipeline-agent.md +2 -0
package/.claude/agents/shell-script-specialist.md +2 -0
package/.claude/agents/test-specialist.md +2 -0
package/.claude/hooks/agent-crash-capture.sh +32 -0
package/.claude/hooks/post-tool-use.sh +3 -2
package/.claude/hooks/pre-tool-use.sh +35 -3
package/README.md +4 -4
package/claude-code/hooks/config-change.sh +18 -0
package/claude-code/hooks/instructions-reloaded.sh +7 -0
package/claude-code/hooks/worktree-create.sh +25 -0
package/claude-code/hooks/worktree-remove.sh +20 -0
package/config/code-constitution.json +130 -0
package/dashboard/middleware/auth.ts +134 -0
package/dashboard/middleware/constants.ts +21 -0
package/dashboard/public/index.html +2 -6
package/dashboard/public/styles.css +100 -97
package/dashboard/routes/auth.ts +38 -0
package/dashboard/server.ts +66 -25
package/dashboard/services/config.ts +26 -0
package/dashboard/services/db.ts +118 -0
package/dashboard/src/canvas/pixel-agent.ts +298 -0
package/dashboard/src/canvas/pixel-sprites.ts +440 -0
package/dashboard/src/canvas/shipyard-effects.ts +367 -0
package/dashboard/src/canvas/shipyard-scene.ts +616 -0
package/dashboard/src/canvas/submarine-layout.ts +267 -0
package/dashboard/src/components/header.ts +8 -7
package/dashboard/src/core/router.ts +1 -0
package/dashboard/src/design/submarine-theme.ts +253 -0
package/dashboard/src/main.ts +2 -0
package/dashboard/src/types/api.ts +2 -1
package/dashboard/src/views/activity.ts +2 -1
package/dashboard/src/views/shipyard.ts +39 -0
package/dashboard/types/index.ts +166 -0
package/docs/plans/2026-02-28-compound-audit-and-shipyard-design.md +186 -0
package/docs/plans/2026-02-28-skipper-shipwright-implementation-plan.md +1182 -0
package/docs/plans/2026-02-28-skipper-shipwright-integration-design.md +531 -0
package/docs/plans/2026-03-01-ai-powered-skill-injection-design.md +298 -0
package/docs/plans/2026-03-01-ai-powered-skill-injection-plan.md +1109 -0
package/docs/plans/2026-03-01-capabilities-cleanup-plan.md +658 -0
package/docs/plans/2026-03-01-clean-architecture-plan.md +924 -0
package/docs/plans/2026-03-01-compound-audit-cascade-design.md +191 -0
package/docs/plans/2026-03-01-compound-audit-cascade-plan.md +921 -0
package/docs/plans/2026-03-01-deep-integration-plan.md +851 -0
package/docs/plans/2026-03-01-pipeline-audit-trail-design.md +145 -0
package/docs/plans/2026-03-01-pipeline-audit-trail-plan.md +770 -0
package/docs/plans/2026-03-01-refined-depths-brand-design.md +382 -0
package/docs/plans/2026-03-01-refined-depths-implementation.md +599 -0
package/docs/plans/2026-03-01-skipper-kernel-integration-design.md +203 -0
package/docs/plans/2026-03-01-unified-platform-design.md +272 -0
package/docs/plans/2026-03-07-claude-code-feature-integration-design.md +189 -0
package/docs/plans/2026-03-07-claude-code-feature-integration-plan.md +1165 -0
package/docs/research/BACKLOG_QUICK_REFERENCE.md +352 -0
package/docs/research/CUTTING_EDGE_RESEARCH_2026.md +546 -0
package/docs/research/RESEARCH_INDEX.md +439 -0
package/docs/research/RESEARCH_SOURCES.md +440 -0
package/docs/research/RESEARCH_SUMMARY.txt +275 -0
package/docs/superpowers/specs/2026-03-10-pipeline-quality-revolution-design.md +341 -0
package/package.json +2 -2
package/scripts/lib/adaptive-model.sh +427 -0
package/scripts/lib/adaptive-timeout.sh +316 -0
package/scripts/lib/audit-trail.sh +309 -0
package/scripts/lib/auto-recovery.sh +471 -0
package/scripts/lib/bandit-selector.sh +431 -0
package/scripts/lib/bootstrap.sh +104 -2
package/scripts/lib/causal-graph.sh +455 -0
package/scripts/lib/compat.sh +126 -0
package/scripts/lib/compound-audit.sh +337 -0
package/scripts/lib/constitutional.sh +454 -0
package/scripts/lib/context-budget.sh +359 -0
package/scripts/lib/convergence.sh +594 -0
package/scripts/lib/cost-optimizer.sh +634 -0
package/scripts/lib/daemon-adaptive.sh +10 -0
package/scripts/lib/daemon-dispatch.sh +106 -17
package/scripts/lib/daemon-failure.sh +34 -4
package/scripts/lib/daemon-patrol.sh +23 -2
package/scripts/lib/daemon-poll-github.sh +361 -0
package/scripts/lib/daemon-poll-health.sh +299 -0
package/scripts/lib/daemon-poll.sh +27 -611
package/scripts/lib/daemon-state.sh +112 -66
package/scripts/lib/daemon-triage.sh +10 -0
package/scripts/lib/dod-scorecard.sh +442 -0
package/scripts/lib/error-actionability.sh +300 -0
package/scripts/lib/formal-spec.sh +461 -0
package/scripts/lib/helpers.sh +177 -4
package/scripts/lib/intent-analysis.sh +409 -0
package/scripts/lib/loop-convergence.sh +350 -0
package/scripts/lib/loop-iteration.sh +682 -0
package/scripts/lib/loop-progress.sh +48 -0
package/scripts/lib/loop-restart.sh +185 -0
package/scripts/lib/memory-effectiveness.sh +506 -0
package/scripts/lib/mutation-executor.sh +352 -0
package/scripts/lib/outcome-feedback.sh +521 -0
package/scripts/lib/pipeline-cli.sh +336 -0
package/scripts/lib/pipeline-commands.sh +1216 -0
package/scripts/lib/pipeline-detection.sh +100 -2
package/scripts/lib/pipeline-execution.sh +897 -0
package/scripts/lib/pipeline-github.sh +28 -3
package/scripts/lib/pipeline-intelligence-compound.sh +431 -0
package/scripts/lib/pipeline-intelligence-scoring.sh +407 -0
package/scripts/lib/pipeline-intelligence-skip.sh +181 -0
package/scripts/lib/pipeline-intelligence.sh +100 -1136
package/scripts/lib/pipeline-quality-bash-compat.sh +182 -0
package/scripts/lib/pipeline-quality-checks.sh +17 -715
package/scripts/lib/pipeline-quality-gates.sh +563 -0
package/scripts/lib/pipeline-stages-build.sh +730 -0
package/scripts/lib/pipeline-stages-delivery.sh +965 -0
package/scripts/lib/pipeline-stages-intake.sh +1133 -0
package/scripts/lib/pipeline-stages-monitor.sh +407 -0
package/scripts/lib/pipeline-stages-review.sh +1022 -0
package/scripts/lib/pipeline-stages.sh +59 -2929
package/scripts/lib/pipeline-state.sh +36 -5
package/scripts/lib/pipeline-util.sh +487 -0
package/scripts/lib/policy-learner.sh +438 -0
package/scripts/lib/process-reward.sh +493 -0
package/scripts/lib/project-detect.sh +649 -0
package/scripts/lib/quality-profile.sh +334 -0
package/scripts/lib/recruit-commands.sh +885 -0
package/scripts/lib/recruit-learning.sh +739 -0
package/scripts/lib/recruit-roles.sh +648 -0
package/scripts/lib/reward-aggregator.sh +458 -0
package/scripts/lib/rl-optimizer.sh +362 -0
package/scripts/lib/root-cause.sh +427 -0
package/scripts/lib/scope-enforcement.sh +445 -0
package/scripts/lib/session-restart.sh +493 -0
package/scripts/lib/skill-memory.sh +300 -0
package/scripts/lib/skill-registry.sh +775 -0
package/scripts/lib/spec-driven.sh +476 -0
package/scripts/lib/test-helpers.sh +18 -7
package/scripts/lib/test-holdout.sh +429 -0
package/scripts/lib/test-optimizer.sh +511 -0
package/scripts/shipwright-file-suggest.sh +45 -0
package/scripts/skills/adversarial-quality.md +61 -0
package/scripts/skills/api-design.md +44 -0
package/scripts/skills/architecture-design.md +50 -0
package/scripts/skills/brainstorming.md +43 -0
package/scripts/skills/data-pipeline.md +44 -0
package/scripts/skills/deploy-safety.md +64 -0
package/scripts/skills/documentation.md +38 -0
package/scripts/skills/frontend-design.md +45 -0
package/scripts/skills/generated/.gitkeep +0 -0
package/scripts/skills/generated/_refinements/.gitkeep +0 -0
package/scripts/skills/generated/_refinements/adversarial-quality.patch.md +3 -0
package/scripts/skills/generated/_refinements/architecture-design.patch.md +3 -0
package/scripts/skills/generated/_refinements/brainstorming.patch.md +3 -0
package/scripts/skills/generated/cli-version-management.md +29 -0
package/scripts/skills/generated/collection-system-validation.md +99 -0
package/scripts/skills/generated/large-scale-c-refactoring-coordination.md +97 -0
package/scripts/skills/generated/pattern-matching-similarity-scoring.md +195 -0
package/scripts/skills/generated/test-parallelization-detection.md +65 -0
package/scripts/skills/observability.md +79 -0
package/scripts/skills/performance.md +48 -0
package/scripts/skills/pr-quality.md +49 -0
package/scripts/skills/product-thinking.md +43 -0
package/scripts/skills/security-audit.md +49 -0
package/scripts/skills/systematic-debugging.md +40 -0
package/scripts/skills/testing-strategy.md +47 -0
package/scripts/skills/two-stage-review.md +52 -0
package/scripts/skills/validation-thoroughness.md +55 -0
package/scripts/sw +9 -3
package/scripts/sw-activity.sh +9 -2
package/scripts/sw-adaptive.sh +2 -1
package/scripts/sw-adversarial.sh +2 -1
package/scripts/sw-architecture-enforcer.sh +3 -1
package/scripts/sw-auth.sh +12 -2
package/scripts/sw-autonomous.sh +5 -1
package/scripts/sw-changelog.sh +4 -1
package/scripts/sw-checkpoint.sh +2 -1
package/scripts/sw-ci.sh +5 -1
package/scripts/sw-cleanup.sh +4 -26
package/scripts/sw-code-review.sh +10 -4
package/scripts/sw-connect.sh +2 -1
package/scripts/sw-context.sh +2 -1
package/scripts/sw-cost.sh +48 -3
package/scripts/sw-daemon.sh +66 -9
package/scripts/sw-dashboard.sh +3 -1
package/scripts/sw-db.sh +59 -16
package/scripts/sw-decide.sh +8 -2
package/scripts/sw-decompose.sh +360 -17
package/scripts/sw-deps.sh +4 -1
package/scripts/sw-developer-simulation.sh +4 -1
package/scripts/sw-discovery.sh +325 -2
package/scripts/sw-doc-fleet.sh +4 -1
package/scripts/sw-docs-agent.sh +3 -1
package/scripts/sw-docs.sh +2 -1
package/scripts/sw-doctor.sh +453 -2
package/scripts/sw-dora.sh +4 -1
package/scripts/sw-durable.sh +4 -3
package/scripts/sw-e2e-orchestrator.sh +17 -16
package/scripts/sw-eventbus.sh +7 -1
package/scripts/sw-evidence.sh +364 -12
package/scripts/sw-feedback.sh +550 -9
package/scripts/sw-fix.sh +20 -1
package/scripts/sw-fleet-discover.sh +6 -2
package/scripts/sw-fleet-viz.sh +4 -1
package/scripts/sw-fleet.sh +5 -1
package/scripts/sw-github-app.sh +16 -3
package/scripts/sw-github-checks.sh +3 -2
package/scripts/sw-github-deploy.sh +3 -2
package/scripts/sw-github-graphql.sh +18 -7
package/scripts/sw-guild.sh +5 -1
package/scripts/sw-heartbeat.sh +5 -30
package/scripts/sw-hello.sh +67 -0
package/scripts/sw-hygiene.sh +6 -1
package/scripts/sw-incident.sh +265 -1
package/scripts/sw-init.sh +18 -2
package/scripts/sw-instrument.sh +10 -2
package/scripts/sw-intelligence.sh +42 -6
package/scripts/sw-jira.sh +5 -1
package/scripts/sw-launchd.sh +2 -1
package/scripts/sw-linear.sh +4 -1
package/scripts/sw-logs.sh +4 -1
package/scripts/sw-loop.sh +432 -1128
package/scripts/sw-memory.sh +356 -2
package/scripts/sw-mission-control.sh +6 -1
package/scripts/sw-model-router.sh +481 -26
package/scripts/sw-otel.sh +13 -4
package/scripts/sw-oversight.sh +14 -5
package/scripts/sw-patrol-meta.sh +334 -0
package/scripts/sw-pipeline-composer.sh +5 -1
package/scripts/sw-pipeline-vitals.sh +2 -1
package/scripts/sw-pipeline.sh +53 -2664
package/scripts/sw-pm.sh +12 -5
package/scripts/sw-pr-lifecycle.sh +2 -1
package/scripts/sw-predictive.sh +7 -1
package/scripts/sw-prep.sh +185 -2
package/scripts/sw-ps.sh +5 -25
package/scripts/sw-public-dashboard.sh +15 -3
package/scripts/sw-quality.sh +2 -1
package/scripts/sw-reaper.sh +8 -25
package/scripts/sw-recruit.sh +156 -2303
package/scripts/sw-regression.sh +19 -12
package/scripts/sw-release-manager.sh +3 -1
package/scripts/sw-release.sh +4 -1
package/scripts/sw-remote.sh +3 -1
package/scripts/sw-replay.sh +7 -1
package/scripts/sw-retro.sh +158 -1
package/scripts/sw-review-rerun.sh +3 -1
package/scripts/sw-scale.sh +10 -3
package/scripts/sw-security-audit.sh +6 -1
package/scripts/sw-self-optimize.sh +6 -3
package/scripts/sw-session.sh +9 -3
package/scripts/sw-setup.sh +3 -1
package/scripts/sw-stall-detector.sh +406 -0
package/scripts/sw-standup.sh +15 -7
package/scripts/sw-status.sh +3 -1
package/scripts/sw-strategic.sh +4 -1
package/scripts/sw-stream.sh +7 -1
package/scripts/sw-swarm.sh +18 -6
package/scripts/sw-team-stages.sh +13 -6
package/scripts/sw-templates.sh +5 -29
package/scripts/sw-testgen.sh +7 -1
package/scripts/sw-tmux-pipeline.sh +4 -1
package/scripts/sw-tmux-role-color.sh +2 -0
package/scripts/sw-tmux-status.sh +1 -1
package/scripts/sw-tmux.sh +3 -1
package/scripts/sw-trace.sh +3 -1
package/scripts/sw-tracker-github.sh +3 -0
package/scripts/sw-tracker-jira.sh +3 -0
package/scripts/sw-tracker-linear.sh +3 -0
package/scripts/sw-tracker.sh +3 -1
package/scripts/sw-triage.sh +2 -1
package/scripts/sw-upgrade.sh +3 -1
package/scripts/sw-ux.sh +5 -2
package/scripts/sw-webhook.sh +3 -1
package/scripts/sw-widgets.sh +3 -1
package/scripts/sw-worktree.sh +15 -3
package/scripts/test-skill-injection.sh +1233 -0
package/templates/pipelines/autonomous.json +27 -3
package/templates/pipelines/cost-aware.json +34 -8
package/templates/pipelines/deployed.json +12 -0
package/templates/pipelines/enterprise.json +12 -0
package/templates/pipelines/fast.json +6 -0
package/templates/pipelines/full.json +27 -3
package/templates/pipelines/hotfix.json +6 -0
package/templates/pipelines/standard.json +12 -0
package/templates/pipelines/tdd.json +12 -0

package/scripts/sw-daemon.sh CHANGED Viewed

@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+# shellcheck disable=SC2034  # config vars used by sourced scripts and subshells
 # ╔═══════════════════════════════════════════════════════════════════════════╗
 # ║  shipwright daemon — Autonomous GitHub Issue Watcher                          ║
 # ║  Polls for labeled issues · Spawns pipelines · Manages worktrees      ║
@@ -12,7 +13,7 @@ unset CLAUDECODE 2>/dev/null || true
 trap '' HUP
 trap '' SIGPIPE
-VERSION="3.2.0"
+VERSION="3.3.0"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
@@ -202,6 +203,8 @@ ISSUE_LIMIT=$(_config_get_int "daemon.issue_limit" 100 2>/dev/null || echo 100)
 PIPELINE_TEMPLATE="autonomous"
 SKIP_GATES=true
 MODEL="opus"
+EFFORT_LEVEL=""
+FALLBACK_MODEL="sonnet"
 BASE_BRANCH="main"
 ON_SUCCESS_REMOVE_LABEL="shipwright"
 ON_SUCCESS_ADD_LABEL="pipeline/complete"
@@ -384,6 +387,8 @@ load_config() {
     PIPELINE_TEMPLATE=$(jq -r '.pipeline_template // "autonomous"' "$config_file")
     SKIP_GATES=$(jq -r '.skip_gates // true' "$config_file")
     MODEL=$(jq -r '.model // "opus"' "$config_file")
+    EFFORT_LEVEL=$(jq -r '.effort_level // ""' "$config_file")
+    FALLBACK_MODEL=$(jq -r '.fallback_model // "sonnet"' "$config_file")
     BASE_BRANCH=$(jq -r '.base_branch // "main"' "$config_file")
     # on_success settings
@@ -444,6 +449,7 @@ load_config() {
     # intelligence engine settings (default "auto" = enable when Claude CLI available)
     INTELLIGENCE_ENABLED=$(jq -r '.intelligence.enabled // "auto"' "$config_file")
     INTELLIGENCE_CACHE_TTL=$(jq -r '.intelligence.cache_ttl_seconds // 3600' "$config_file")
+    INTELLIGENCE_MODEL=$(jq -r '.intelligence.model // "haiku"' "$config_file")
     COMPOSER_ENABLED=$(jq -r '.intelligence.composer_enabled // "auto"' "$config_file")
     # Auto-enable intelligence when Claude is available (unless explicitly disabled)
@@ -474,14 +480,27 @@ load_config() {
             COMPOSER_ENABLED=false
         fi
     fi
-    OPTIMIZATION_ENABLED=$(jq -r '.intelligence.optimization_enabled // false' "$config_file")
-    PREDICTION_ENABLED=$(jq -r '.intelligence.prediction_enabled // false' "$config_file")
+    OPTIMIZATION_ENABLED=$(jq -r '.intelligence.optimization_enabled // "auto"' "$config_file")
+    PREDICTION_ENABLED=$(jq -r '.intelligence.prediction_enabled // "auto"' "$config_file")
     ANOMALY_THRESHOLD=$(jq -r '.intelligence.anomaly_threshold // 3.0' "$config_file")
     # adaptive thresholds (intelligence-driven operational tuning)
-    ADAPTIVE_THRESHOLDS_ENABLED=$(jq -r '.intelligence.adaptive_enabled // false' "$config_file")
+    ADAPTIVE_THRESHOLDS_ENABLED=$(jq -r '.intelligence.adaptive_enabled // "auto"' "$config_file")
     PRIORITY_STRATEGY=$(jq -r '.intelligence.priority_strategy // "quick-wins-first"' "$config_file")
+    # Auto-resolve "auto" for prediction, optimization, adaptive (same pattern as intelligence/composer)
+    local _flag_val=""
+    for _flag_var in OPTIMIZATION_ENABLED PREDICTION_ENABLED ADAPTIVE_THRESHOLDS_ENABLED; do
+        eval "_flag_val=\"\${${_flag_var}}\""
+        if [[ "$_flag_val" == "auto" ]]; then
+            if command -v claude &>/dev/null; then
+                eval "${_flag_var}=true"
+            else
+                eval "${_flag_var}=false"
+            fi
+        fi
+    done
     # gh_retry: enable retry wrapper on critical GitHub API calls
     GH_RETRY_ENABLED=$(jq -r '.gh_retry // true' "$config_file")
@@ -547,11 +566,24 @@ setup_dirs() {
     STATE_FILE="$DAEMON_DIR/daemon-state.json"
     LOG_FILE="$DAEMON_DIR/daemon.log"
     LOG_DIR="$DAEMON_DIR/logs"
-    WORKTREE_DIR=".worktrees"
+    # ── Worktree Directory (must be absolute for security) ──
+    # Always use repo-level .claude/worktrees (self-healing: create .claude if missing)
+    local _abs_cwd
+    _abs_cwd="$(cd "$(pwd)" && pwd)"
+    WORKTREE_DIR="${_abs_cwd}/.claude/worktrees"
     PAUSE_FLAG="${HOME}/.shipwright/daemon-pause.flag"
     mkdir -p "$LOG_DIR"
     mkdir -p "$HOME/.shipwright/progress"
+    mkdir -p "$WORKTREE_DIR"
+    # Ensure worktrees are gitignored
+    local _gitignore="${_abs_cwd}/.gitignore"
+    if [[ -f "$_gitignore" ]] && ! grep -q '\.claude/worktrees' "$_gitignore" 2>/dev/null; then
+        echo ".claude/worktrees/" >> "$_gitignore"
+    fi
 }
 # ─── Adaptive Threshold Helpers ──────────────────────────────────────────────
@@ -559,7 +591,20 @@ setup_dirs() {
 # from historical data instead of using fixed defaults.
 # Every function falls back to the config default when no data exists.
-ADAPTIVE_THRESHOLDS_ENABLED="${ADAPTIVE_THRESHOLDS_ENABLED:-false}"
+# Auto-resolve intelligence defaults when no config file is loaded.
+# All three default to "auto" → true when Claude CLI is available.
+_auto_resolve_intelligence() {
+    local val="${1:-auto}"
+    if [[ "$val" == "auto" ]]; then
+        command -v claude &>/dev/null && echo "true" || echo "false"
+    else
+        echo "$val"
+    fi
+}
+INTELLIGENCE_MODEL="${INTELLIGENCE_MODEL:-haiku}"
+OPTIMIZATION_ENABLED=$(_auto_resolve_intelligence "${OPTIMIZATION_ENABLED:-auto}")
+PREDICTION_ENABLED=$(_auto_resolve_intelligence "${PREDICTION_ENABLED:-auto}")
+ADAPTIVE_THRESHOLDS_ENABLED=$(_auto_resolve_intelligence "${ADAPTIVE_THRESHOLDS_ENABLED:-auto}")
 PRIORITY_STRATEGY="${PRIORITY_STRATEGY:-quick-wins-first}"
 EMPTY_QUEUE_CYCLES=0
@@ -672,7 +717,8 @@ daemon_start() {
         fi
         # Export current PATH so detached session finds claude, gh, etc.
-        local tmux_cmd="export PATH='${PATH}'; ${cmd_args[*]}"
+        # Unset CLAUDECODE so daemon works when started from inside Claude Code
+        local tmux_cmd="unset CLAUDECODE 2>/dev/null; export PATH='${PATH}'; ${cmd_args[*]}"
         tmux new-session -d -s "sw-daemon" "$tmux_cmd" 2>/dev/null || {
             # Session may already exist — try killing and recreating
             tmux kill-session -t "sw-daemon" 2>/dev/null || true
@@ -937,6 +983,11 @@ daemon_init() {
     mkdir -p "$config_dir"
+    # Set restrictive umask for sensitive files (owner-only: 600)
+    local _old_umask
+    _old_umask=$(umask)
+    umask 0077
     cat > "$config_file" << 'CONFIGEOF'
 {
   "watch_label": "shipwright",
@@ -1002,10 +1053,12 @@ daemon_init() {
   "estimated_cost_per_job_usd": 5.0,
   "intelligence": {
     "enabled": "auto",
+    "model": "haiku",
     "cache_ttl_seconds": 3600,
     "composer_enabled": "auto",
-    "optimization_enabled": true,
-    "prediction_enabled": true,
+    "optimization_enabled": "auto",
+    "prediction_enabled": "auto",
+    "adaptive_enabled": "auto",
     "adversarial_enabled": false,
     "simulation_enabled": false,
     "architecture_enabled": false,
@@ -1015,6 +1068,10 @@ daemon_init() {
 }
 CONFIGEOF
+    # Restore umask and ensure file has restricted permissions
+    umask "$_old_umask"
+    chmod 600 "$config_file"
     success "Generated config: ${config_file}"
     echo ""
     echo -e "${DIM}Edit this file to customize the daemon behavior, then run:${RESET}"

package/scripts/sw-dashboard.sh CHANGED Viewed

@@ -6,7 +6,7 @@
 set -euo pipefail
 trap 'echo "ERROR: $BASH_SOURCE:$LINENO exited with status $?" >&2' ERR
-VERSION="3.2.0"
+VERSION="3.3.0"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # ─── Cross-platform compatibility ──────────────────────────────────────────
@@ -29,6 +29,7 @@ fi
 if [[ "$(type -t emit_event 2>/dev/null)" != "function" ]]; then
   emit_event() {
     local event_type="$1"; shift; mkdir -p "${HOME}/.shipwright"
+    # shellcheck disable=SC2155
     local payload="{\"ts\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"type\":\"$event_type\""
     while [[ $# -gt 0 ]]; do local key="${1%%=*}" val="${1#*=}"; payload="${payload},\"${key}\":\"${val}\""; shift; done
     echo "${payload}}" >> "${HOME}/.shipwright/events.jsonl"
@@ -41,6 +42,7 @@ TEAMS_DIR="${HOME}/.shipwright"
 PID_FILE="${TEAMS_DIR}/dashboard.pid"
 LOG_DIR="${TEAMS_DIR}/logs"
 LOG_FILE="${LOG_DIR}/dashboard.log"
+# shellcheck disable=SC2034
 EVENTS_FILE="${TEAMS_DIR}/events.jsonl"
 DEFAULT_PORT=$(_config_get_int "dashboard.port" 8767 2>/dev/null || echo 8767)

package/scripts/sw-db.sh CHANGED Viewed

@@ -14,9 +14,11 @@ if [[ -n "${_SW_DB_LOADED:-}" ]] && [[ "${BASH_SOURCE[0]}" != "$0" ]]; then
 fi
 _SW_DB_LOADED=1
-VERSION="3.2.0"
+# shellcheck disable=SC2034
+VERSION="3.3.0"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-REPO_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
+# shellcheck disable=SC2034
+REPO_DIR="${REPO_DIR:-$(cd "$SCRIPT_DIR/.." && pwd)}"
 # ─── Cross-platform compatibility ──────────────────────────────────────────
 # shellcheck source=lib/compat.sh
@@ -37,7 +39,8 @@ fi
 if [[ "$(type -t emit_event 2>/dev/null)" != "function" ]]; then
   emit_event() {
     local event_type="$1"; shift; mkdir -p "${HOME}/.shipwright"
-    local payload="{\"ts\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"type\":\"$event_type\""
+    local payload
+    payload="{\"ts\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"type\":\"$event_type\""
     while [[ $# -gt 0 ]]; do local key="${1%%=*}" val="${1#*=}"; payload="${payload},\"${key}\":\"${val}\""; shift; done
     echo "${payload}}" >> "${HOME}/.shipwright/events.jsonl"
   }
@@ -50,6 +53,7 @@ SCHEMA_VERSION=6
 # JSON fallback paths
 EVENTS_FILE="${DB_DIR}/events.jsonl"
 DAEMON_STATE_FILE="${DB_DIR}/daemon-state.json"
+# shellcheck disable=SC2034
 DEVELOPER_REGISTRY_FILE="${DB_DIR}/developer-registry.json"
 COST_FILE_JSON="${DB_DIR}/costs.json"
 BUDGET_FILE_JSON="${DB_DIR}/budget.json"
@@ -107,12 +111,12 @@ ensure_db_dir() {
 # ─── SQL Execution Helper ──────────────────────────────────────────────────
 # Runs SQL with proper error handling. Silent on success.
 _db_exec() {
-    sqlite3 "$DB_FILE" "$@" 2>/dev/null
+    sqlite3 -cmd ".timeout 5000" "$DB_FILE" "$@" 2>/dev/null
 }
 # Runs SQL and returns output. Returns 1 on failure.
 _db_query() {
-    sqlite3 "$DB_FILE" "$@" 2>/dev/null || return 1
+    sqlite3 -cmd ".timeout 5000" "$DB_FILE" "$@" 2>/dev/null || return 1
 }
 # ─── Initialize Database Schema ──────────────────────────────────────────────
@@ -700,7 +704,10 @@ db_query_events() {
     if [[ -f "$db_file" ]] && command -v sqlite3 &>/dev/null; then
         local where_clause=""
-        [[ -n "$filter" ]] && where_clause="WHERE type = '$filter'"
+        if [[ -n "$filter" ]]; then
+            filter="${filter//$_SQL_SQ/$_SQL_SQ$_SQL_SQ}"
+            where_clause="WHERE type = '$filter'"
+        fi
         local result
         result=$(sqlite3 -json "$db_file" "SELECT ts, ts_epoch, type, job_id, stage, status, duration_secs, metadata FROM events $where_clause ORDER BY ts_epoch DESC LIMIT $limit" 2>/dev/null) || true
         if [[ -n "$result" ]]; then
@@ -728,13 +735,19 @@ db_query_events_since() {
     local since_epoch="$1"
     local event_type="${2:-}"
     local to_epoch="${3:-}"
+    # Validate numeric epoch values
+    [[ ! "$since_epoch" =~ ^[0-9]+$ ]] && { echo "[]"; return 0; }
     local db_file="${DB_FILE:-$HOME/.shipwright/shipwright.db}"
     if [[ -f "$db_file" ]] && command -v sqlite3 &>/dev/null; then
         local type_filter=""
-        [[ -n "$event_type" ]] && type_filter="AND type = '$event_type'"
+        if [[ -n "$event_type" ]]; then
+            event_type="${event_type//$_SQL_SQ/$_SQL_SQ$_SQL_SQ}"
+            type_filter="AND type = '$event_type'"
+        fi
         local to_filter=""
-        [[ -n "$to_epoch" ]] && to_filter="AND ts_epoch <= $to_epoch"
+        # Numeric validation for epoch values
+        [[ -n "$to_epoch" && "$to_epoch" =~ ^[0-9]+$ ]] && to_filter="AND ts_epoch <= $to_epoch"
         local result
         result=$(sqlite3 -json "$db_file" "SELECT ts, ts_epoch, type, job_id, stage, status, duration_secs, metadata FROM events WHERE ts_epoch >= $since_epoch $type_filter $to_filter ORDER BY ts_epoch DESC" 2>/dev/null) || true
         if [[ -n "$result" ]]; then
@@ -1182,8 +1195,12 @@ db_save_pattern() {
 db_query_patterns() {
     local repo_hash="$1" pattern_type="${2:-}" limit="${3:-20}"
     if ! db_available; then echo "[]"; return 0; fi
+    repo_hash="${repo_hash//$_SQL_SQ/$_SQL_SQ$_SQL_SQ}"
     local where="WHERE repo_hash = '$repo_hash'"
-    [[ -n "$pattern_type" ]] && where="$where AND pattern_type = '$pattern_type'"
+    if [[ -n "$pattern_type" ]]; then
+        pattern_type="${pattern_type//$_SQL_SQ/$_SQL_SQ$_SQL_SQ}"
+        where="$where AND pattern_type = '$pattern_type'"
+    fi
     _db_query -json "SELECT * FROM memory_patterns $where ORDER BY frequency DESC, last_seen_at DESC LIMIT $limit;" || echo "[]"
 }
@@ -1191,6 +1208,8 @@ db_query_patterns() {
 db_save_decision() {
     local repo_hash="$1" decision_type="$2" context="$3" decision="$4" metadata="${5:-}"
     if ! db_available; then return 1; fi
+    repo_hash="${repo_hash//$_SQL_SQ/$_SQL_SQ$_SQL_SQ}"
+    decision_type="${decision_type//$_SQL_SQ/$_SQL_SQ$_SQL_SQ}"
     context="${context//$_SQL_SQ/$_SQL_SQ$_SQL_SQ}"
     decision="${decision//$_SQL_SQ/$_SQL_SQ$_SQL_SQ}"
     metadata="${metadata//$_SQL_SQ/$_SQL_SQ$_SQL_SQ}"
@@ -1201,17 +1220,24 @@ db_save_decision() {
 db_update_decision_outcome() {
     local decision_id="$1" outcome="$2" confidence="${3:-}"
     if ! db_available; then return 1; fi
+    # Validate numeric IDs to prevent injection
+    [[ ! "$decision_id" =~ ^[0-9]+$ ]] && return 1
     outcome="${outcome//$_SQL_SQ/$_SQL_SQ$_SQL_SQ}"
-    local set_clause="outcome = '$outcome', updated_at = '$(now_iso)'"
-    [[ -n "$confidence" ]] && set_clause="$set_clause, confidence = $confidence"
+    local set_clause
+    set_clause="outcome = '$outcome', updated_at = '$(now_iso)'"
+    [[ -n "$confidence" && "$confidence" =~ ^[0-9.]+$ ]] && set_clause="$set_clause, confidence = $confidence"
     _db_exec "UPDATE memory_decisions SET $set_clause WHERE id = $decision_id;"
 }
 db_query_decisions() {
     local repo_hash="$1" decision_type="${2:-}" limit="${3:-20}"
     if ! db_available; then echo "[]"; return 0; fi
+    repo_hash="${repo_hash//$_SQL_SQ/$_SQL_SQ$_SQL_SQ}"
     local where="WHERE repo_hash = '$repo_hash'"
-    [[ -n "$decision_type" ]] && where="$where AND decision_type = '$decision_type'"
+    if [[ -n "$decision_type" ]]; then
+        decision_type="${decision_type//$_SQL_SQ/$_SQL_SQ$_SQL_SQ}"
+        where="$where AND decision_type = '$decision_type'"
+    fi
     _db_query -json "SELECT * FROM memory_decisions $where ORDER BY updated_at DESC LIMIT $limit;" || echo "[]"
 }
@@ -1219,7 +1245,10 @@ db_query_decisions() {
 db_save_embedding() {
     local content_hash="$1" source_type="$2" content_text="$3" repo_hash="${4:-}"
     if ! db_available; then return 1; fi
+    content_hash="${content_hash//$_SQL_SQ/$_SQL_SQ$_SQL_SQ}"
+    source_type="${source_type//$_SQL_SQ/$_SQL_SQ$_SQL_SQ}"
     content_text="${content_text//$_SQL_SQ/$_SQL_SQ$_SQL_SQ}"
+    repo_hash="${repo_hash//$_SQL_SQ/$_SQL_SQ$_SQL_SQ}"
     _db_exec "INSERT OR IGNORE INTO memory_embeddings (content_hash, source_type, content_text, repo_hash, created_at)
               VALUES ('$content_hash', '$source_type', '$content_text', '$repo_hash', '$(now_iso)');"
 }
@@ -1228,8 +1257,14 @@ db_query_embeddings() {
     local source_type="${1:-}" repo_hash="${2:-}" limit="${3:-50}"
     if ! db_available; then echo "[]"; return 0; fi
     local where="WHERE 1=1"
-    [[ -n "$source_type" ]] && where="$where AND source_type = '$source_type'"
-    [[ -n "$repo_hash" ]] && where="$where AND repo_hash = '$repo_hash'"
+    if [[ -n "$source_type" ]]; then
+        source_type="${source_type//$_SQL_SQ/$_SQL_SQ$_SQL_SQ}"
+        where="$where AND source_type = '$source_type'"
+    fi
+    if [[ -n "$repo_hash" ]]; then
+        repo_hash="${repo_hash//$_SQL_SQ/$_SQL_SQ$_SQL_SQ}"
+        where="$where AND repo_hash = '$repo_hash'"
+    fi
     _db_query -json "SELECT id, content_hash, source_type, content_text, repo_hash, created_at FROM memory_embeddings $where ORDER BY created_at DESC LIMIT $limit;" || echo "[]"
 }
@@ -1368,8 +1403,10 @@ db_sync_push() {
     # Push via HTTP
     local response
     local auth_header=""
+    # shellcheck disable=SC2089
     [[ -n "${SYNC_TOKEN:-}" ]] && auth_header="-H 'Authorization: Bearer ${SYNC_TOKEN}'"
+    # shellcheck disable=SC2090
     response=$(curl -s --connect-timeout 10 --max-time 30 -w "%{http_code}" -o /dev/null \
         -X POST "${SYNC_URL}/api/sync/push" \
         -H "Content-Type: application/json" \
@@ -1400,9 +1437,11 @@ db_sync_pull() {
     last_sync=$(_db_query "SELECT value FROM _sync_metadata WHERE key = 'last_pull_epoch';" || echo "0")
     local auth_header=""
+    # shellcheck disable=SC2089
     [[ -n "${SYNC_TOKEN:-}" ]] && auth_header="-H 'Authorization: Bearer ${SYNC_TOKEN}'"
     local response_body
+    # shellcheck disable=SC2090
     response_body=$(curl -s --connect-timeout 10 --max-time 30 \
         "${SYNC_URL}/api/sync/pull?since=${last_sync}" \
         -H "Accept: application/json" \
@@ -1451,6 +1490,7 @@ migrate_json_data() {
         info "Importing events from ${EVENTS_FILE}..."
         local evt_count=0
         local evt_skipped=0
+        # shellcheck disable=SC2106
         while IFS= read -r line; do
             [[ -z "$line" ]] && continue
             local e_ts e_epoch e_type e_job e_stage e_status
@@ -1484,7 +1524,8 @@ migrate_json_data() {
             j_result=$(echo "$job" | jq -r '.result // ""')
             j_dur=$(echo "$job" | jq -r '.duration // ""')
             j_at=$(echo "$job" | jq -r '.completed_at // ""')
-            local j_id="migrated-${j_issue}-$(echo "$j_at" | tr -dc '0-9' | tail -c 10)"
+            local j_id
+            j_id="migrated-${j_issue}-$(echo "$j_at" | tr -dc '0-9' | tail -c 10)"
             _db_exec "INSERT OR IGNORE INTO daemon_state (job_id, issue_number, status, result, duration, completed_at, started_at, updated_at) VALUES ('${j_id}', ${j_issue}, 'completed', '${j_result}', '${j_dur}', '${j_at}', '${j_at}', '$(now_iso)');" 2>/dev/null && job_count=$((job_count + 1))
         done < <(jq -c '.completed[]' "$DAEMON_STATE_FILE" 2>/dev/null)
@@ -1583,7 +1624,7 @@ export_db() {
     costs_json=$(_db_query "SELECT json_group_array(json_object('model', model, 'stage', stage, 'cost_usd', cost_usd, 'ts', ts)) FROM (SELECT * FROM cost_entries ORDER BY ts_epoch DESC LIMIT 1000);" || echo "[]")
     local tmp_file
-    tmp_file=$(mktemp "${output_file}.tmp.XXXXXX")
+    tmp_file=$(mktemp "${output_file}.tmp.XXXXXX") || { error "mktemp failed for db export"; return 1; }
     jq -n \
         --arg exported_at "$(now_iso)" \
         --argjson events "$events_json" \
@@ -1670,7 +1711,9 @@ show_status() {
     # Sync status
     local device_id last_push last_pull
     device_id=$(_db_query "SELECT value FROM _sync_metadata WHERE key = 'device_id';" || echo "not set")
+    # shellcheck disable=SC2034
     last_push=$(_db_query "SELECT value FROM _sync_metadata WHERE key = 'last_push_epoch';" || echo "never")
+    # shellcheck disable=SC2034
     last_pull=$(_db_query "SELECT value FROM _sync_metadata WHERE key = 'last_pull_epoch';" || echo "never")
     local unsynced_events unsynced_costs
     unsynced_events=$(_db_query "SELECT COUNT(*) FROM events WHERE synced = 0;" || echo "0")

package/scripts/sw-decide.sh CHANGED Viewed

@@ -5,7 +5,8 @@
 # ╚═══════════════════════════════════════════════════════════════════════════╝
 set -euo pipefail
-VERSION="3.2.0"
+# shellcheck disable=SC2034
+VERSION="3.3.0"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # ─── Dependencies ─────────────────────────────────────────────────────────────
@@ -17,8 +18,10 @@ source "$SCRIPT_DIR/lib/decide-scoring.sh"
 source "$SCRIPT_DIR/lib/decide-autonomy.sh"
 # ─── Config ───────────────────────────────────────────────────────────────────
+# shellcheck disable=SC2034
 DECISION_ENABLED=$(policy_get ".decision.enabled" "false")
 DEDUP_WINDOW_DAYS=$(policy_get ".decision.dedup_window_days" "7")
+# shellcheck disable=SC2034
 OUTCOME_LEARNING=$(policy_get ".decision.outcome_learning_enabled" "true")
 OUTCOME_MIN_SAMPLES=$(policy_get ".decision.outcome_min_samples" "10")
@@ -227,7 +230,9 @@ decide_run() {
     while [[ $# -gt 0 ]]; do
         case "$1" in
             --dry-run) dry_run=true; shift ;;
-            --once)    once=true; shift ;;
+            --once)
+                # shellcheck disable=SC2034
+                once=true; shift ;;
             *)         shift ;;
         esac
     done
@@ -432,6 +437,7 @@ decide_log() {
     local found=false
     for i in $(seq 0 $((days - 1))); do
         local date_str
+        # shellcheck disable=SC2106
         date_str=$(date -u -v-${i}d +%Y-%m-%d 2>/dev/null || date -u -d "${i} days ago" +%Y-%m-%d 2>/dev/null || continue)
         local log_file="${DECISIONS_DIR}/daily-log-${date_str}.jsonl"
         [[ ! -f "$log_file" ]] && continue