tribunal-kit 4.4.1 → 4.4.3

package/.agent/scripts/verify_all.js

@@ -1,257 +1,248 @@
-#!/usr/bin/env node
-/**
- * verify_all.js — Full pre-deploy validation suite for the Tribunal Agent Kit.
- *
- * Runs comprehensive checks before any production deployment.
- *
- * Usage:
- *   node .agent/scripts/verify_all.js
- *   node .agent/scripts/verify_all.js --skip build,deps
- */
-
-'use strict';
-
-const fs   = require('fs');
-const path = require('path');
-const { execFileSync } = require('child_process');
-
-// ━━━ ANSI colors ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-const RED    = '\x1b[91m';
-const GREEN  = '\x1b[92m';
-const YELLOW = '\x1b[93m';
-const BLUE   = '\x1b[94m';
-const BOLD   = '\x1b[1m';
-const RESET  = '\x1b[0m';
-
-const RESULTS = [];
-
-function section(title) {
-    console.log(`\n${BOLD}${BLUE}━━━ ${title} ━━━${RESET}`);
-}
-
-function ok(label, note) {
-    const msg = `${GREEN}✅ ${label}${RESET}` + (note ? `  ${YELLOW}(${note})${RESET}` : '');
-    console.log(`  ${msg}`);
-    RESULTS.push({ label, passed: true, note: note || '' });
-}
-
-function fail(label, note) {
-    const noteStr = note ? `\n     ${note}` : '';
-    console.log(`  ${RED}❌ ${label}${RESET}${noteStr}`);
-    RESULTS.push({ label, passed: false, note: note || '' });
-}
-
-function skip(label, reason) {
-    console.log(`  ${YELLOW}⏭️  ${label} — ${reason}${RESET}`);
-    RESULTS.push({ label, passed: true, note: `skipped: ${reason}` });
-}
-
-/**
- * Run a shell command and return true if it exits with code 0.
- */
-function run(label, cmd, cwd) {
-    try {
-        const isWindows = process.platform === 'win32';
-        const bin = cmd[0];
-
-        execFileSync(bin, cmd.slice(1), {
-            cwd,
-            stdio: 'pipe',
-            timeout: 120000,
-            encoding: 'utf8',
-            shell: isWindows
-        });
-        ok(label);
-        return true;
-    } catch (err) {
-        if (err.code === 'ENOENT') {
-            skip(label, 'tool not installed — skipping');
-            return true;
-        }
-        if (err.killed) {
-            fail(label, 'timed out after 120s');
-            return false;
-        }
-        const output = ((err.stdout || '') + (err.stderr || '')).trim();
-        fail(label, output ? output.slice(0, 500) : 'non-zero exit code');
-        return false;
-    }
-}
-
-
-/**
- * Scan source files for obviously hardcoded credentials.
- */
-function scanSecrets(cwd) {
-    const patterns = ['password=', 'secret=', 'api_key=', 'private_key=', 'auth_token='];
-    const found = [];
-    const skipDirs = new Set(['node_modules', '.git', 'dist', '__pycache__', '.agent']);
-
-    function walk(dir) {
-        let entries;
-        try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }
-
-        for (const entry of entries) {
-            const fullPath = path.join(dir, entry.name);
-            if (entry.isDirectory()) {
-                if (!skipDirs.has(entry.name)) walk(fullPath);
-            } else if (entry.isFile()) {
-                if (!/\.(ts|js|tsx|jsx|py)$/.test(entry.name)) continue;
-
-                let content;
-                try { content = fs.readFileSync(fullPath, 'utf8'); } catch { continue; }
-
-                const lines = content.split('\n');
-                for (let i = 0; i < lines.length; i++) {
-                    const low = lines[i].toLowerCase().trim();
-                    const hasPattern = patterns.some(p => low.includes(p));
-                    if (hasPattern && !low.startsWith('#') && low.includes('=')) {
-                        const rel = path.relative(cwd, fullPath);
-                        found.push(`${rel}:${i + 1}`);
-                    }
-                }
-            }
-        }
-    }
-
-    walk(cwd);
-
-    if (found.length > 0) {
-        fail('Secret scan', found.slice(0, 5).join('\n     '));
-        return false;
-    }
-    ok('Secret scan — no hardcoded credentials found');
-    return true;
-}
-
-
-/**
- * Check if there's a package.json to run npm commands against.
- */
-function hasNpm(cwd) {
-    return fs.existsSync(path.join(cwd, 'package.json'));
-}
-
-
-/**
- * Run all verification checks. Returns number of failures.
- */
-function verifyAll(cwd, skipped) {
-    let failures = 0;
-    RESULTS.length = 0; // Reset for clean runs (prevents accumulation in tests)
-
-    section('1 — Secret Scan');
-    if (!skipped.includes('secrets')) {
-        if (!scanSecrets(cwd)) failures++;
-    } else {
-        skip('Secret scan', 'skipped by flag');
-    }
-
-    section('2 — TypeScript');
-    if (!skipped.includes('typescript')) {
-        if (hasNpm(cwd)) {
-            if (!run('tsc --noEmit', ['npx', 'tsc', '--noEmit'], cwd)) failures++;
-        } else {
-            skip('TypeScript', 'no package.json found in project');
-        }
-    } else {
-        skip('TypeScript', 'skipped by flag');
-    }
-
-    section('3 — ESLint');
-    if (!skipped.includes('lint')) {
-        if (hasNpm(cwd)) {
-            if (!run('ESLint', ['npx', 'eslint', '.', '--max-warnings=0'], cwd)) failures++;
-        } else {
-            skip('ESLint', 'no package.json found in project');
-        }
-    } else {
-        skip('ESLint', 'skipped by flag');
-    }
-
-    section('4 — Unit Tests');
-    if (!skipped.includes('tests')) {
-        if (hasNpm(cwd)) {
-            if (!run('Test suite', ['npm', 'test', '--', '--passWithNoTests'], cwd)) failures++;
-        } else {
-            skip('Tests', 'no package.json found in project');
-        }
-    } else {
-        skip('Tests', 'skipped by flag');
-    }
-
-    section('5 — Build');
-    if (!skipped.includes('build')) {
-        if (hasNpm(cwd)) {
-            if (!run('npm run build', ['npm', 'run', 'build'], cwd)) failures++;
-        } else {
-            skip('Build', 'no package.json found in project');
-        }
-    } else {
-        skip('Build', 'skipped by flag');
-    }
-
-    section('6 — Dependency Audit');
-    if (!skipped.includes('deps')) {
-        if (hasNpm(cwd)) {
-            if (!run('npm audit', ['npm', 'audit', '--audit-level=high'], cwd)) failures++;
-        } else {
-            skip('Dependency audit', 'no package.json found in project');
-        }
-    } else {
-        skip('Dependency audit', 'skipped by flag');
-    }
-
-    // ━━━ Summary ━━━
-    console.log(`\n${BOLD}━━━ Summary ━━━${RESET}`);
-    for (const { label, passed, note } of RESULTS) {
-        const status = passed ? `${GREEN}✅${RESET}` : `${RED}❌${RESET}`;
-        const noteStr = (!passed && note) ? `  ${YELLOW}(${note})${RESET}` : '';
-        console.log(`  ${status} ${label}${noteStr}`);
-    }
-
-    console.log();
-    if (failures === 0) {
-        console.log(`${GREEN}${BOLD}All checks passed — safe to deploy.${RESET}`);
-    } else {
-        console.log(`${RED}${BOLD}${failures} check(s) failed — fix before deploying.${RESET}`);
-    }
-
-    return failures;
-}
-
-
-/**
- * Parse CLI arguments manually (no external dependencies).
- */
-function parseArgs(argv) {
-    const args = { skip: [] };
-    const raw = argv.slice(2);
-
-    for (let i = 0; i < raw.length; i++) {
-        if (raw[i] === '--skip' && raw[i + 1]) {
-            args.skip = raw[++i].split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
-        }
-    }
-    return args;
-}
-
-
-function main() {
-    const args = parseArgs(process.argv);
-    const cwd = process.cwd();
-
-    console.log(`${BOLD}Tribunal — verify_all.js${RESET}`);
-    console.log(`Project: ${cwd}\n`);
-
-    const failures = verifyAll(cwd, args.skip);
-    process.exit(failures > 0 ? 1 : 0);
-}
-
-
-// ━━━ Exports for testing & programmatic use ━━━
-module.exports = { verifyAll, scanSecrets, hasNpm };
-
-if (require.main === module) {
-    main();
-}
+#!/usr/bin/env node
+/**
+ * verify_all.js — Full pre-deploy validation suite for the Tribunal Agent Kit.
+ *
+ * Runs comprehensive checks before any production deployment.
+ *
+ * Usage:
+ *   node .agent/scripts/verify_all.js
+ *   node .agent/scripts/verify_all.js --skip build,deps
+ */
+
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+const { execFileSync } = require('child_process');
+
+const {
+    RED, GREEN, YELLOW, BLUE, BOLD, DIM, CYAN, RESET,
+    banner, sectionHeader, summaryTable, timer, formatMs,
+    ok, fail, skip,
+} = require('./_colors');
+
+const { walkDir, hasNpm, SOURCE_EXTENSIONS } = require('./_utils');
+
+// ── Results Tracking ────────────────────────────────────────────────────────
+
+const RESULTS = [];
+
+function trackOk(label, ms, note) {
+    const timing = ms != null ? `${DIM}(${formatMs(ms)})${RESET}` : '';
+    const noteStr = note ? `  ${DIM}${note}${RESET}` : '';
+    console.log(`  ${GREEN}✅ ${label}${RESET} ${timing}${noteStr}`);
+    RESULTS.push({ name: label, status: 'pass', ms, note: note || '' });
+}
+
+function trackFail(label, ms, note) {
+    const timing = ms != null ? `${DIM}(${formatMs(ms)})${RESET}` : '';
+    const noteStr = note ? `\n     ${note}` : '';
+    console.log(`  ${RED}❌ ${label}${RESET} ${timing}${noteStr}`);
+    RESULTS.push({ name: label, status: 'fail', ms, note: note || '' });
+}
+
+function trackSkip(label, reason) {
+    console.log(`  ${YELLOW}⏭️  ${label} — ${reason}${RESET}`);
+    RESULTS.push({ name: label, status: 'skip', note: `skipped: ${reason}` });
+}
+
+// ── Command Runner ──────────────────────────────────────────────────────────
+
+/**
+ * Run a shell command and return true if it exits with code 0.
+ */
+function run(label, cmd, cwd) {
+    const elapsed = timer();
+    try {
+        const isWindows = process.platform === 'win32';
+
+        execFileSync(cmd[0], cmd.slice(1), {
+            cwd,
+            stdio: 'pipe',
+            timeout: 120000,
+            encoding: 'utf8',
+            shell: isWindows
+        });
+        trackOk(label, elapsed());
+        return true;
+    } catch (err) {
+        const ms = elapsed();
+        if (err.code === 'ENOENT') {
+            trackSkip(label, 'tool not installed — skipping');
+            return true;
+        }
+        if (err.killed) {
+            trackFail(label, ms, 'timed out after 120s');
+            return false;
+        }
+        const output = ((err.stdout || '') + (err.stderr || '')).trim();
+        trackFail(label, ms, output ? output.slice(0, 500) : 'non-zero exit code');
+        return false;
+    }
+}
+
+
+/**
+ * Scan source files for obviously hardcoded credentials.
+ * Uses shared walkDir from _utils.js to eliminate duplicated walker code.
+ */
+function scanSecrets(cwd) {
+    const elapsed = timer();
+    const patterns = ['password=', 'secret=', 'api_key=', 'private_key=', 'auth_token='];
+    const found = [];
+
+    const sourceExtensions = new Set(['.ts', '.tsx', '.js', '.jsx', '.py']);
+    const files = walkDir(cwd, { extensions: sourceExtensions });
+
+    for (const fullPath of files) {
+        let content;
+        try { content = fs.readFileSync(fullPath, 'utf8'); } catch { continue; }
+
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+            const low = lines[i].toLowerCase().trim();
+            const hasPattern = patterns.some(p => low.includes(p));
+            if (hasPattern && !low.startsWith('#') && low.includes('=')) {
+                const rel = path.relative(cwd, fullPath);
+                found.push(`${rel}:${i + 1}`);
+            }
+        }
+    }
+
+    const ms = elapsed();
+    if (found.length > 0) {
+        trackFail('Secret scan', ms, found.slice(0, 5).join('\n     '));
+        return false;
+    }
+    trackOk('Secret scan — no hardcoded credentials found', ms, `${files.length} files scanned`);
+    return true;
+}
+
+
+/**
+ * Run all verification checks. Returns number of failures.
+ */
+function verifyAll(cwd, skipped) {
+    let failures = 0;
+    RESULTS.length = 0; // Reset for clean runs (prevents accumulation in tests)
+    const totalTimer = timer();
+
+    console.log(sectionHeader('Secret Scan', 1));
+    if (!skipped.includes('secrets')) {
+        if (!scanSecrets(cwd)) failures++;
+    } else {
+        trackSkip('Secret scan', 'skipped by flag');
+    }
+
+    console.log(sectionHeader('TypeScript', 2));
+    if (!skipped.includes('typescript')) {
+        if (hasNpm(cwd)) {
+            if (!run('tsc --noEmit', ['npx', 'tsc', '--noEmit'], cwd)) failures++;
+        } else {
+            trackSkip('TypeScript', 'no package.json found in project');
+        }
+    } else {
+        trackSkip('TypeScript', 'skipped by flag');
+    }
+
+    console.log(sectionHeader('ESLint', 3));
+    if (!skipped.includes('lint')) {
+        if (hasNpm(cwd)) {
+            if (!run('ESLint', ['npx', 'eslint', '.', '--max-warnings=0'], cwd)) failures++;
+        } else {
+            trackSkip('ESLint', 'no package.json found in project');
+        }
+    } else {
+        trackSkip('ESLint', 'skipped by flag');
+    }
+
+    console.log(sectionHeader('Unit Tests', 4));
+    if (!skipped.includes('tests')) {
+        if (hasNpm(cwd)) {
+            if (!run('Test suite', ['npm', 'test', '--', '--passWithNoTests'], cwd)) failures++;
+        } else {
+            trackSkip('Tests', 'no package.json found in project');
+        }
+    } else {
+        trackSkip('Tests', 'skipped by flag');
+    }
+
+    console.log(sectionHeader('Build', 5));
+    if (!skipped.includes('build')) {
+        if (hasNpm(cwd)) {
+            if (!run('npm run build', ['npm', 'run', 'build'], cwd)) failures++;
+        } else {
+            trackSkip('Build', 'no package.json found in project');
+        }
+    } else {
+        trackSkip('Build', 'skipped by flag');
+    }
+
+    console.log(sectionHeader('Dependency Audit', 6));
+    if (!skipped.includes('deps')) {
+        if (hasNpm(cwd)) {
+            if (!run('npm audit', ['npm', 'audit', '--audit-level=high'], cwd)) failures++;
+        } else {
+            trackSkip('Dependency audit', 'no package.json found in project');
+        }
+    } else {
+        trackSkip('Dependency audit', 'skipped by flag');
+    }
+
+    // ━━━ Summary Table ━━━
+    const totalMs = totalTimer();
+    console.log(`\n${BOLD}${CYAN}━━━ Verification Summary ━━━${RESET}`);
+    summaryTable(RESULTS);
+
+    const passCount = RESULTS.filter(r => r.status === 'pass').length;
+    const failCount = RESULTS.filter(r => r.status === 'fail').length;
+    const skipCount = RESULTS.filter(r => r.status === 'skip').length;
+
+    console.log(`\n  ${DIM}Total: ${RESULTS.length} checks in ${formatMs(totalMs)}${RESET}`);
+    console.log(`  ${GREEN}${passCount} passed${RESET}  ${failCount > 0 ? `${RED}${failCount} failed${RESET}  ` : ''}${skipCount > 0 ? `${YELLOW}${skipCount} skipped${RESET}` : ''}`);
+
+    console.log();
+    if (failures === 0) {
+        console.log(`${GREEN}${BOLD}  ✔ All checks passed — safe to deploy.${RESET}`);
+    } else {
+        console.log(`${RED}${BOLD}  ✖ ${failures} check(s) failed — fix before deploying.${RESET}`);
+    }
+    console.log();
+
+    return failures;
+}
+
+
+/**
+ * Parse CLI arguments manually (no external dependencies).
+ */
+function parseArgs(argv) {
+    const args = { skip: [] };
+    const raw = argv.slice(2);
+
+    for (let i = 0; i < raw.length; i++) {
+        if (raw[i] === '--skip' && raw[i + 1]) {
+            args.skip = raw[++i].split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
+        }
+    }
+    return args;
+}
+
+
+function main() {
+    const args = parseArgs(process.argv);
+    const cwd = process.cwd();
+
+    console.log(banner('verify_all.js', { Project: cwd }));
+
+    const failures = verifyAll(cwd, args.skip);
+    process.exit(failures > 0 ? 1 : 0);
+}
+
+
+// ━━━ Exports for testing & programmatic use ━━━
+module.exports = { verifyAll, scanSecrets, hasNpm };
+
+if (require.main === module) {
+    main();
+}

package/.agent/skills/agent-organizer/SKILL.md

@@ -148,3 +148,45 @@ Review these questions before confirming output:
 
 ## VBC Protocol (Verification-Before-Completion)
 You MUST verify existing code signatures and variables before attempting to modify or call them. No hallucination is permitted.
+
+
+---
+
+## 🤖 LLM-Specific Traps
+
+AI coding assistants often fall into specific bad habits when dealing with this domain. These are strictly forbidden:
+
+1. **Over-engineering:** Proposing complex abstractions or distributed systems when a simpler approach suffices.
+2. **Hallucinated Libraries/Methods:** Using non-existent methods or packages. Always `// VERIFY` or check `package.json` / `requirements.txt`.
+3. **Skipping Edge Cases:** Writing the "happy path" and ignoring error handling, timeouts, or data validation.
+4. **Context Amnesia:** Forgetting the user's constraints and offering generic advice instead of tailored solutions.
+5. **Silent Degradation:** Catching and suppressing errors without logging or re-raising.
+
+---
+
+## 🏛️ Tribunal Integration (Anti-Hallucination)
+
+**Slash command: `/review` or `/tribunal-full`**
+**Active reviewers: `logic-reviewer` · `security-auditor`**
+
+### ❌ Forbidden AI Tropes
+
+1. **Blind Assumptions:** Never make an assumption without documenting it clearly with `// VERIFY: [reason]`.
+2. **Silent Degradation:** Catching and suppressing errors without logging or handling.
+3. **Context Amnesia:** Forgetting the user's constraints and offering generic advice instead of tailored solutions.
+
+### ✅ Pre-Flight Self-Audit
+
+Review these questions before confirming output:
+```
+✅ Did I rely ONLY on real, verified tools and methods?
+✅ Is this solution appropriately scoped to the user's constraints?
+✅ Did I handle potential failure modes and edge cases?
+✅ Have I avoided generic boilerplate that doesn't add value?
+```
+
+### 🛑 Verification-Before-Completion (VBC) Protocol
+
+**CRITICAL:** You must follow a strict "evidence-based closeout" state machine.
+- ❌ **Forbidden:** Declaring a task complete because the output "looks correct."
+- ✅ **Required:** You are explicitly forbidden from finalizing any task without providing **concrete evidence** (terminal output, passing tests, compile success, or equivalent proof) that your output works as intended.

package/.agent/skills/agentic-patterns/SKILL.md

@@ -313,3 +313,45 @@ Review these questions before confirming output:
 
 ## VBC Protocol (Verification-Before-Completion)
 You MUST verify existing code signatures and variables before attempting to modify or call them. No hallucination is permitted.
+
+
+---
+
+## 🤖 LLM-Specific Traps
+
+AI coding assistants often fall into specific bad habits when dealing with this domain. These are strictly forbidden:
+
+1. **Over-engineering:** Proposing complex abstractions or distributed systems when a simpler approach suffices.
+2. **Hallucinated Libraries/Methods:** Using non-existent methods or packages. Always `// VERIFY` or check `package.json` / `requirements.txt`.
+3. **Skipping Edge Cases:** Writing the "happy path" and ignoring error handling, timeouts, or data validation.
+4. **Context Amnesia:** Forgetting the user's constraints and offering generic advice instead of tailored solutions.
+5. **Silent Degradation:** Catching and suppressing errors without logging or re-raising.
+
+---
+
+## 🏛️ Tribunal Integration (Anti-Hallucination)
+
+**Slash command: `/review` or `/tribunal-full`**
+**Active reviewers: `logic-reviewer` · `security-auditor`**
+
+### ❌ Forbidden AI Tropes
+
+1. **Blind Assumptions:** Never make an assumption without documenting it clearly with `// VERIFY: [reason]`.
+2. **Silent Degradation:** Catching and suppressing errors without logging or handling.
+3. **Context Amnesia:** Forgetting the user's constraints and offering generic advice instead of tailored solutions.
+
+### ✅ Pre-Flight Self-Audit
+
+Review these questions before confirming output:
+```
+✅ Did I rely ONLY on real, verified tools and methods?
+✅ Is this solution appropriately scoped to the user's constraints?
+✅ Did I handle potential failure modes and edge cases?
+✅ Have I avoided generic boilerplate that doesn't add value?
+```
+
+### 🛑 Verification-Before-Completion (VBC) Protocol
+
+**CRITICAL:** You must follow a strict "evidence-based closeout" state machine.
+- ❌ **Forbidden:** Declaring a task complete because the output "looks correct."
+- ✅ **Required:** You are explicitly forbidden from finalizing any task without providing **concrete evidence** (terminal output, passing tests, compile success, or equivalent proof) that your output works as intended.

package/.agent/skills/ai-prompt-injection-defense/SKILL.md

@@ -182,3 +182,45 @@ Review these questions before confirming output:
 
 ## VBC Protocol (Verification-Before-Completion)
 You MUST verify existing code signatures and variables before attempting to modify or call them. No hallucination is permitted.
+
+
+---
+
+## 🤖 LLM-Specific Traps
+
+AI coding assistants often fall into specific bad habits when dealing with this domain. These are strictly forbidden:
+
+1. **Over-engineering:** Proposing complex abstractions or distributed systems when a simpler approach suffices.
+2. **Hallucinated Libraries/Methods:** Using non-existent methods or packages. Always `// VERIFY` or check `package.json` / `requirements.txt`.
+3. **Skipping Edge Cases:** Writing the "happy path" and ignoring error handling, timeouts, or data validation.
+4. **Context Amnesia:** Forgetting the user's constraints and offering generic advice instead of tailored solutions.
+5. **Silent Degradation:** Catching and suppressing errors without logging or re-raising.
+
+---
+
+## 🏛️ Tribunal Integration (Anti-Hallucination)
+
+**Slash command: `/review` or `/tribunal-full`**
+**Active reviewers: `logic-reviewer` · `security-auditor`**
+
+### ❌ Forbidden AI Tropes
+
+1. **Blind Assumptions:** Never make an assumption without documenting it clearly with `// VERIFY: [reason]`.
+2. **Silent Degradation:** Catching and suppressing errors without logging or handling.
+3. **Context Amnesia:** Forgetting the user's constraints and offering generic advice instead of tailored solutions.
+
+### ✅ Pre-Flight Self-Audit
+
+Review these questions before confirming output:
+```
+✅ Did I rely ONLY on real, verified tools and methods?
+✅ Is this solution appropriately scoped to the user's constraints?
+✅ Did I handle potential failure modes and edge cases?
+✅ Have I avoided generic boilerplate that doesn't add value?
+```
+
+### 🛑 Verification-Before-Completion (VBC) Protocol
+
+**CRITICAL:** You must follow a strict "evidence-based closeout" state machine.
+- ❌ **Forbidden:** Declaring a task complete because the output "looks correct."
+- ✅ **Required:** You are explicitly forbidden from finalizing any task without providing **concrete evidence** (terminal output, passing tests, compile success, or equivalent proof) that your output works as intended.