toga-ai 1.0.47 → 1.0.49

package/knowledge/2.0/apps/worker2/features/elite-freshservice-sync.md

@@ -36,11 +36,12 @@ Dispatched via action `Elite/Webhook` on the worker queue.
 
 ## Constants
 
-```php
-const CLIENT_UUID_ELITE = '97627e9d-605f-3ded-9e83-97a4ec7a0c15';
-const API_UUID_ELITE    = 'ee08cf3d-caee-462d-adb5-acc5c36b1f01';
-const API_SECRET_ELITE  = 'c2701d21-1908-4895-aaed-2e6456710e8d';
-```
+Defined in `worker2/Worker/Elite.php` — **values not reproduced here (credentials);
+read them from the source/config:**
+
+- `CLIENT_UUID_ELITE` — Elite's TOGA 2 client UUID
+- `API_UUID_ELITE` — API identity UUID
+- `API_SECRET_ELITE` — API secret (sensitive)
 
 ## Freshservice API — gotchas
 

package/knowledge/clients/elite/profile.md

@@ -3,10 +3,10 @@ title: Elite
 framework: "2.0"
 project: Worker
 client: elite
-type: client-feature
+type: profile
 status: active
 updated: 2026-06-10
-owners: []
+owners: [snaredla]
 files:
   - worker2/Worker/Elite.php
   - library/app/api/toga2.php
@@ -23,13 +23,12 @@ keeps Freshservice and TOGA 2 in sync via webhook-driven worker jobs.
 
 ## TOGA 2 API credentials
 
-Constants live in `worker2/Worker/Elite.php`:
+Three constants live in `worker2/Worker/Elite.php` — **values intentionally not reproduced
+here. Read them from the source/config; never paste secret values into knowledge docs.**
 
-```php
-const CLIENT_UUID_ELITE = '97627e9d-605f-3ded-9e83-97a4ec7a0c15';
-const API_UUID_ELITE    = 'ee08cf3d-caee-462d-adb5-acc5c36b1f01';
-const API_SECRET_ELITE  = 'c2701d21-1908-4895-aaed-2e6456710e8d';
-```
+- `CLIENT_UUID_ELITE` — Elite's TOGA 2 client UUID
+- `API_UUID_ELITE` — API identity UUID
+- `API_SECRET_ELITE` — API secret (sensitive; treat as a credential)
 
 The library version of the sync methods (`library/app/api/toga2.php`) passes these in as
 parameters — they are not constants there.

package/knowledge.js

@@ -183,6 +183,19 @@ function cmdManifest() {
 /*   front-end|hybrid>  --q=<keywords to match feature docs>            */
 /* ------------------------------------------------------------------ */
 
+function extractSection(body, heading) {
+    const lines = body.split(/\r?\n/);
+    const want = ('## ' + heading).toLowerCase();
+    const start = lines.findIndex(l => l.trim().toLowerCase() === want);
+    if (start === -1) return '';
+    const out = [];
+    for (let i = start + 1; i < lines.length; i++) {
+        if (/^##\s/.test(lines[i])) break;
+        out.push(lines[i]);
+    }
+    return out.join('\n').trim();
+}
+
 function cmdPreflight(args) {
     const registry = loadRegistry();
     const chosen = String(args.repos || '').split(',').map(s => s.trim()).filter(Boolean);
@@ -217,21 +230,27 @@ function cmdPreflight(args) {
     const fileInfo = (rel) => ({ path: rel, exists: fs.existsSync(path.join(ROOT, rel.split('/').join(path.sep))) });
     const matchQ = (d) => !q || (((d.data.title || '') + ' ' + (d.data.files || []).join(' ') + ' ' + d.body).toLowerCase().includes(q));
 
-    // per-repo inventory; feature docs only for explicitly chosen repos
+    // per-repo inventory. Chosen repos load FULL architecture + matched features.
+    // Non-chosen repos (deps, incl. framework core) get their `## Summary` inlined
+    // here so kickoff reads zero extra files for them — full doc lazy on demand.
     const repoOut = loadSet.map(repo => {
         const e = registry.find(x => x.repo === repo);
         const fw = e ? e.framework : '';
         const repoDir = path.join(ROOT, fw, 'apps', repo);
         const isChosen = chosenSet.has(repo);
+        const archRel = `${fw}/apps/${repo}/architecture.md`;
+        const archDoc = docs.find(d => d.rel === archRel);
         let features = [];
         if (isChosen) {
             features = docs
                 .filter(d => d.file.startsWith(repoDir + path.sep) && d.data.type !== 'architecture' && matchQ(d))
                 .map(d => ({ path: d.rel, title: d.data.title || '', files: (d.data.files || []).join(', ') }));
         }
+        const summary = (!isChosen && archDoc) ? (extractSection(archDoc.body, 'Summary') || firstSentence(archDoc.body)) : '';
         return {
             repo, framework: fw, project: e ? e.project : '', role: e ? e.role : '', chosen: isChosen,
-            architecture: fileInfo(`${fw}/apps/${repo}/architecture.md`),
+            architecture: fileInfo(archRel),
+            summary,
             features,
         };
     });
@@ -265,16 +284,22 @@ function cmdPreflight(args) {
         };
     }
 
-    // ordered read list — mirrors kickoff Step 4: core arch → repo arch+features → standards → client
+    // ordered read list — mirrors kickoff Step 4 precedence (core first, then chosen
+    // repos + features, then standards, then client). Chosen repos → a FULL architecture
+    // read; non-chosen → an inline-`summary` entry the skill should NOT open unless it
+    // needs deeper detail (lazy:true). Core ordering preserved so foundational context
+    // (even when summarized) comes before app context.
     const reads = [];
-    for (const r of repoOut.filter(r => r.role === 'core')) {
-        reads.push({ label: 'core-architecture', repo: r.repo, ...r.architecture });
-        for (const f of r.features) reads.push({ label: 'feature', repo: r.repo, path: f.path, exists: true, title: f.title });
-    }
-    for (const r of repoOut.filter(r => r.role !== 'core')) {
-        reads.push({ label: r.chosen ? 'repo-architecture' : 'dep-architecture', repo: r.repo, ...r.architecture });
-        for (const f of r.features) reads.push({ label: 'feature', repo: r.repo, path: f.path, exists: true, title: f.title });
-    }
+    const pushRepoRead = (r) => {
+        if (r.chosen) {
+            reads.push({ label: 'repo-architecture', repo: r.repo, path: r.architecture.path, exists: r.architecture.exists });
+            for (const f of r.features) reads.push({ label: 'feature', repo: r.repo, path: f.path, exists: true, title: f.title });
+        } else {
+            reads.push({ label: 'architecture-summary', repo: r.repo, role: r.role, path: r.architecture.path, exists: r.architecture.exists, lazy: true, summary: r.summary });
+        }
+    };
+    for (const r of repoOut.filter(r => r.role === 'core')) pushRepoRead(r);
+    for (const r of repoOut.filter(r => r.role !== 'core')) pushRepoRead(r);
     for (const s of standards) reads.push({ label: 'standard', path: s.path, exists: s.exists });
     if (client) {
         reads.push({ label: 'client-profile', path: client.profile.path, exists: client.profile.exists });
@@ -516,6 +541,37 @@ function relRow(d, baseDir) {
     return `| [${d.data.title || path.basename(d.file, '.md')}](${relLink(d, baseDir)}) | ${firstSentence(d.body)} | ${(d.data.files || []).join(', ')} |`;
 }
 
+/* ------------------------------------------------------------------ */
+/* secret scanner — knowledge docs must never contain credential       */
+/* values. High-confidence patterns only (named secret assignments,    */
+/* AWS keys, PEM blocks) so legitimate UUIDs/IDs don't false-positive.  */
+/* Wired into validate → blocks publish on a hit.                       */
+/* ------------------------------------------------------------------ */
+
+const SECRET_NAME = /(secret|password|passwd|api[_-]?key|apikey|access[_-]?key|client[_-]?secret|private[_-]?key|auth[_-]?token|bearer)/i;
+const SECRET_PLACEHOLDER = /(<[^>]+>|redact|example|placeholder|your[_-]|xxxx|\.\.\.|\*\*\*|changeme|dummy|sensitive|not reproduced)/i;
+
+function scanSecrets(content) {
+    const hits = [];
+    const lines = content.split(/\r?\n/);
+    for (let i = 0; i < lines.length; i++) {
+        const ln = lines[i];
+        if (/-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----/.test(ln)) { hits.push({ line: i + 1, reason: 'private key block' }); continue; }
+        if (/\bAKIA[0-9A-Z]{16}\b/.test(ln)) { hits.push({ line: i + 1, reason: 'AWS access key id' }); continue; }
+        // NAME = "value" or NAME: value where NAME looks like a credential
+        const m = ln.match(/([A-Za-z0-9_]*(?:secret|password|passwd|api[_-]?key|apikey|access[_-]?key|client[_-]?secret|private[_-]?key|auth[_-]?token)[A-Za-z0-9_]*)\s*[:=]\s*['"]?([^'"\s]{8,})['"]?/i);
+        if (m && SECRET_NAME.test(m[1]) && !SECRET_PLACEHOLDER.test(ln)) {
+            // Only flag a literal-looking value (hex/token/base64). Reject code
+            // references like `_Config::database(...)`, `getenv(...)`, `$var` — those
+            // are how secrets SHOULD be loaded, not leaked values.
+            const val = m[2];
+            const looksLiteral = /^[A-Za-z0-9_\-\/+=.]{8,}$/.test(val) && !/^[A-Z][A-Za-z0-9_]*$/.test(val);
+            if (looksLiteral) hits.push({ line: i + 1, reason: `literal value assigned to "${m[1]}"` });
+        }
+    }
+    return hits;
+}
+
 /* ------------------------------------------------------------------ */
 /* command: validate                                                   */
 /* ------------------------------------------------------------------ */
@@ -572,6 +628,10 @@ function cmdValidate() {
             }
         }
         if (ELEVATED_TYPES.includes(d.data.type)) elevated.push(d.rel);
+        for (const s of scanSecrets(fs.readFileSync(d.file, 'utf8'))) {
+            fail(`${d.rel}:${s.line}: possible secret committed — ${s.reason}; redact it (reference the config/constant location, never paste credential values into knowledge docs)`);
+            ok = false;
+        }
     }
 
     if (elevated.length) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "toga-ai",
-  "version": "1.0.47",
+  "version": "1.0.49",
   "description": "TOGA Technology Team Claude Knowledge System — shared AI coding harness with skills, knowledge base CLI, and project installer for Claude Code.",
   "keywords": [
     "claude",

package/skills/capture/SKILL.md

@@ -143,6 +143,12 @@ For a client `profile.md`, the `title:` **is** the client's formal name (e.g. "C
 there is no separate name field; `validate` requires `title`. See New-client onboarding.
 Add `related:` cross-links. Append new repos to `<TEAM_REPO>/knowledge/registry.json`.
 
+**Never paste secret VALUES into a doc** — no API secrets, passwords, private keys, tokens,
+or live credential strings. Document *where* a credential lives (the constant name, the
+config key, the file) but not its value. `validate` (run by Step 6's publish and the
+pre-commit hook) scans for credential literals and **fails the publish** if it finds one, so
+a leaked secret blocks the whole capture until redacted. Reference, never reproduce.
+
 ## Step 6 — Publish (validate → index → mirror → rebase-push, one command)
 
 Finish every capture with the deterministic publisher — **do not** run validate/index/git

package/skills/kickoff/SKILL.md

@@ -144,10 +144,13 @@ node "<TEAM_REPO>/knowledge.js" kickoff-preflight \
 
 It prints minified JSON:
 - `loadSet` — framework core(s) + chosen repos + transitive `dependsOn`, in load order.
-- `repos[]` — each with `architecture` `{path,exists}`, `role`, `chosen`, and matched
-  `features[]` (features are returned only for the repos the developer chose, not deps).
+- `repos[]` — each with `architecture` `{path,exists}`, `role`, `chosen`, an inline
+  `summary` (for non-chosen repos), and matched `features[]` (features returned only for the
+  repos the developer chose, not deps).
 - `standards[]` and `client` `{title, profile, docs[]}` — both `{path,exists}`-flagged.
-- `reads[]` — **the ordered list of knowledge files to read**, each `{label, path, exists}`.
+- `reads[]` — **the ordered work list** (see Step 4). Full-read entries carry `{label, path,
+  exists}`; non-chosen repos instead carry `{label:'architecture-summary', summary, lazy:true}`
+  with the Summary text inlined so no file read is needed.
 - `unknown[]` — any `--repos` value not in the registry (run New-repo onboarding for each).
 
 **Do not run `deps` or `search` separately, and do not probe the filesystem for these docs.**
@@ -163,14 +166,25 @@ Never ask for a repo not in `loadSet`.
 
 ## Step 4 — Load the knowledge
 
-Read every entry in the preflight `reads[]` array **in order**, resolving each `path`
-against `<TEAM_REPO>/knowledge/`. Skip entries with `exists:false` — that doc isn't written
-yet; note it in the Step 5 summary as "no knowledge captured yet."
-
-The `reads[]` order already encodes the correct precedence (framework core architecture →
-chosen-repo architecture + matched features → dep architecture → standards → client profile +
-client docs), and already unions across `1.0/` and `2.0/` for a both-frameworks session. You
-do not need to re-derive this order or run any further `search`.
+Walk the preflight `reads[]` array **in order**. Each entry is one of:
+
+- **`lazy:true` (label `architecture-summary`)** — a repo the developer did NOT choose as
+  focus (a dependency or framework core). The entry already carries an inline `summary`
+  string — **use that summary as your context for this repo; do NOT open the file.** Only
+  open its `path` later, on demand, if a task actually requires that repo's deep internals.
+  This is the token-saving default: foundational orientation without loading the full doc.
+- **Any other entry (no `lazy` flag)** — the chosen repos' architecture + matched feature
+  docs, standards, and client docs. **Read these in full**, resolving `path` against
+  `<TEAM_REPO>/knowledge/`.
+- **`exists:false`** — skip; that doc isn't written yet. Note it in the Step 5 summary as
+  "no knowledge captured yet."
+
+The `reads[]` order already encodes the correct precedence (core first, then chosen-repo
+architecture + matched features, then standards, then client profile + client docs) and
+already unions across `1.0/` and `2.0/`. Do not re-derive this order or run further `search`.
+
+If, while working, you find you need the full architecture of a summarized (`lazy`) repo,
+just read its `path` then — that's the intended lazy-load, not a kickoff failure.
 
 **Do NOT create or modify any `CLAUDE.md` stub** — kickoff only reads. A blank session is a
 valid choice; this skill is opt-in.