vibe-forge 0.2.1 → 0.3.1

package/.claude/commands/forge.md

@@ -18,45 +18,51 @@ Based on the first argument, do ONE of the following:
 You are now the **Vibe Forge Planning Hub** - a multi-expert planning team.
 
 #### Your Identity
-@agents/planning-hub/personality.md
+
+@_vibe-forge/agents/planning-hub/personality.md
 
 #### Project Context
+
 @context/project-context.md
 
 #### Current Forge State
-@context/forge-state.yaml
+
+@_vibe-forge/context/forge-state.yaml
 
 #### Task Overview
-Pending tasks:
-!`ls tasks/pending/ 2>/dev/null || echo "None"`
 
-In-progress tasks:
-!`ls tasks/in-progress/ 2>/dev/null || echo "None"`
+Check the task folders for current work:
 
-Tasks needing changes:
-!`ls tasks/needs-changes/ 2>/dev/null || echo "None"`
+- `_vibe-forge/tasks/pending/` - Tasks waiting to be picked up
+- `_vibe-forge/tasks/in-progress/` - Tasks currently being worked on
+- `_vibe-forge/tasks/needs-changes/` - Tasks that need revision
 
-**Startup:** Display the team assembly welcome as shown in your personality's Startup Behavior section. Show the forge council assembling, then check current work status.
+**Startup:** Display the team assembly welcome as shown in your personality's Startup Behavior section. Show the forge council assembling, then use the Glob tool to check for .md files in the task folders above and report the current work status.
 
 ---
 
 ### If `$1` is "status" → Show Status Dashboard
 
-Display a formatted status dashboard:
+Display a formatted status dashboard.
 
 #### Forge State
-@context/forge-state.yaml
+
+@_vibe-forge/context/forge-state.yaml
 
 #### Task Counts
-!`echo "Pending:       $(ls tasks/pending/*.md 2>/dev/null | wc -l || echo 0)"`
-!`echo "In Progress:   $(ls tasks/in-progress/*.md 2>/dev/null | wc -l || echo 0)"`
-!`echo "Completed:     $(ls tasks/completed/*.md 2>/dev/null | wc -l || echo 0)"`
-!`echo "In Review:     $(ls tasks/review/*.md 2>/dev/null | wc -l || echo 0)"`
-!`echo "Needs Changes: $(ls tasks/needs-changes/*.md 2>/dev/null | wc -l || echo 0)"`
-!`echo "Approved:      $(ls tasks/approved/*.md 2>/dev/null | wc -l || echo 0)"`
+
+Use the Glob tool to count .md files in each task folder:
+
+- `_vibe-forge/tasks/pending/*.md` - Pending
+- `_vibe-forge/tasks/in-progress/*.md` - In Progress
+- `_vibe-forge/tasks/completed/*.md` - Completed
+- `_vibe-forge/tasks/review/*.md` - In Review
+- `_vibe-forge/tasks/needs-changes/*.md` - Needs Changes
+- `_vibe-forge/tasks/approved/*.md` - Approved
 
 Format output like:
-```
+
+```text
 🔥 VIBE FORGE - Status Dashboard
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 [Task counts and state summary]
@@ -71,23 +77,23 @@ Format output like:
 
 Available agents (with aliases):
 
-| Agent | Aliases | Role |
-|-------|---------|------|
-| anvil | frontend, ui, fe | Frontend Developer |
-| furnace | backend, api, be | Backend Developer |
-| crucible | test, testing, qa | Tester / QA |
-| sentinel | review, reviewer, cr | Code Reviewer |
-| scribe | docs, documentation | Documentation |
-| herald | release, deploy | Release Manager |
-| ember | devops, ops, infra | DevOps |
-| aegis | security, sec, appsec | Security |
+| Agent    | Aliases              | Role              |
+| -------- | -------------------- | ----------------- |
+| anvil    | frontend, ui, fe     | Frontend Developer |
+| furnace  | backend, api, be     | Backend Developer |
+| crucible | test, testing, qa    | Tester / QA       |
+| sentinel | review, reviewer, cr | Code Reviewer     |
+| scribe   | docs, documentation  | Documentation     |
+| herald   | release, deploy      | Release Manager   |
+| ember    | devops, ops, infra   | DevOps            |
+| aegis    | security, sec, appsec | Security         |
 
 If `$2` is empty, show the table above and ask which agent to spawn.
 
 If `$2` is provided, run:
 
 ```bash
-./bin/forge-spawn.sh $2
+./_vibe-forge/bin/forge-spawn.sh $2
 ```
 
 Confirm the spawn. If an alias was used (e.g., "frontend"), mention the resolved name: "Spawning **Anvil** (frontend)..."
@@ -99,17 +105,20 @@ Confirm the spawn. If an alias was used (e.g., "frontend"), mention the resolved
 **Task description:** `$2` `$3` `$4` (remaining arguments)
 
 #### Task Template
-@config/task-template.md
+
+@_vibe-forge/config/task-template.md
 
 #### Existing Tasks
-!`ls tasks/pending/ 2>/dev/null || echo "None pending"`
+
+Use the Glob tool to list files in `_vibe-forge/tasks/pending/*.md`
 
 If no description provided, ask:
+
 - What needs to be done?
 - Which agent? (anvil, furnace, crucible, sentinel, scribe, herald, ember, aegis)
 - Priority? (high, medium, low)
 
-Generate task ID as `task-XXX` (next sequential number), create file at `tasks/pending/task-XXX.md`.
+Generate task ID as `task-XXX` (next sequential number), create file at `_vibe-forge/tasks/pending/task-XXX.md`.
 
 ---
 

package/.claude/settings.local.json

@@ -1,7 +1,16 @@
 {
   "permissions": {
     "allow": [
-      "Bash(ls:*)"
+      "Bash(ls:*)",
+      "Bash(git pull:*)",
+      "Bash(npm view:*)",
+      "Bash(gh run list:*)",
+      "Bash(gh run view:*)",
+      "Bash(gh secret list:*)",
+      "Bash(git add:*)",
+      "Bash(git commit:*)",
+      "Bash(gh workflow run:*)",
+      "Bash(gh repo view:*)"
     ]
   }
 }

package/bin/forge-setup.sh

@@ -305,7 +305,36 @@ configure_daemon() {
 }
 
 # =============================================================================
-# STEP 8: Create Project Context
+# STEP 8: Install Slash Command
+# =============================================================================
+
+install_slash_command() {
+    echo ""
+    echo "Installing /forge slash command..."
+
+    # Parent project directory (one level up from _vibe-forge)
+    local parent_dir
+    parent_dir="$(dirname "$FORGE_ROOT")"
+
+    local target_dir="$parent_dir/.claude/commands"
+    local source_file="$FORGE_ROOT/.claude/commands/forge.md"
+
+    # Create .claude/commands in parent project if it doesn't exist
+    mkdir -p "$target_dir"
+
+    # Copy the forge command
+    if [[ -f "$source_file" ]]; then
+        cp "$source_file" "$target_dir/forge.md"
+        echo -e "${GREEN}✅ Slash command installed:${NC} $target_dir/forge.md"
+        echo "   Use /forge in Claude Code to access Vibe Forge"
+    else
+        echo -e "${YELLOW}⚠️  Could not find forge command template${NC}"
+        echo "   You may need to manually copy .claude/commands/forge.md"
+    fi
+}
+
+# =============================================================================
+# STEP 9: Create Project Context
 # =============================================================================
 
 detect_project_info() {
@@ -414,7 +443,7 @@ EOF
 }
 
 # =============================================================================
-# STEP 9: Setup Complete
+# STEP 10: Setup Complete
 # =============================================================================
 
 setup_complete() {
@@ -423,11 +452,12 @@ setup_complete() {
     echo -e "${GREEN}🔥 Vibe Forge initialized!${NC}"
     echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
     echo ""
-    echo "Ready to start! Run:"
+    echo "Ready to start! Open Claude Code in this project and run:"
     echo ""
-    echo -e "  ${BLUE}forge${NC}              Start the Planning Hub"
-    echo -e "  ${BLUE}forge status${NC}       Check forge status"
-    echo -e "  ${BLUE}forge help${NC}         See all commands"
+    echo -e "  ${BLUE}/forge${NC}              Start the Planning Hub"
+    echo -e "  ${BLUE}/forge status${NC}       Show status dashboard"
+    echo -e "  ${BLUE}/forge spawn anvil${NC}  Spawn a worker agent"
+    echo -e "  ${BLUE}/forge help${NC}         See all commands"
     echo ""
     echo "Optional: Edit context/project-context.md to add more details."
     echo ""
@@ -446,6 +476,7 @@ main() {
     if validate_setup; then
         configure_terminal
         configure_daemon
+        install_slash_command
         create_project_context
         setup_complete
     else

package/docs/npm-publishing.md

@@ -0,0 +1,95 @@
+# npm Publishing with OIDC Trusted Publishing
+
+This document explains how Vibe Forge publishes to npm using GitHub Actions OIDC trusted publishing - no npm tokens required.
+
+## Overview
+
+npm's [trusted publishing](https://docs.npmjs.com/trusted-publishers/) uses OpenID Connect (OIDC) to authenticate GitHub Actions workflows directly with npm. This eliminates the need to store npm tokens as secrets.
+
+## Requirements
+
+1. **npm CLI v11.5.1+** - OIDC support was added in npm 11.5.1
+2. **Public GitHub repository** - Provenance attestation only works with public repos
+3. **Trusted Publisher configured on npmjs.com** - Links your package to your GitHub repo
+
+## Setup
+
+### 1. Configure Trusted Publisher on npm
+
+1. Go to https://www.npmjs.com/package/vibe-forge/access
+2. Under "Trusted Publishers", add a new publisher:
+   - **Publisher**: GitHub Actions
+   - **Organization/user**: SpasticPalate
+   - **Repository**: vibe-forge
+   - **Workflow filename**: publish.yml
+   - **Environment name**: (leave empty)
+
+### 2. GitHub Actions Workflow
+
+The workflow requires specific permissions and npm version:
+
+```yaml
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write  # Required for OIDC token generation
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+
+      # npm 11.5.1+ required for OIDC
+      - run: npm install -g npm@latest
+
+      - run: npm publish --provenance --access public
+```
+
+Key points:
+- `id-token: write` permission enables OIDC token generation
+- `--provenance` flag enables signed provenance attestation
+- No `NODE_AUTH_TOKEN` or `NPM_TOKEN` needed
+
+## Troubleshooting
+
+### "Access token expired or revoked" with E404
+
+**Cause**: npm CLI version is too old (< 11.5.1)
+
+**Fix**: Add `npm install -g npm@latest` before publishing
+
+### "Unsupported GitHub Actions source repository visibility: private"
+
+**Cause**: Provenance attestation only works with public repositories
+
+**Fix**: Either make the repo public, or remove `--provenance` and use a granular npm token instead
+
+### "ENEEDAUTH - need auth"
+
+**Cause**: OIDC token not being generated/used
+
+**Fix**: Ensure `id-token: write` permission is set on the job
+
+### 404 on publish despite correct setup
+
+**Cause**: Trusted Publisher configuration doesn't match workflow
+
+**Fix**: Verify on npmjs.com that:
+- Organization/user matches exactly (case-sensitive)
+- Repository name matches exactly
+- Workflow filename matches exactly (e.g., `publish.yml`)
+
+## Benefits
+
+- **No secrets to manage** - No npm tokens to rotate or accidentally expose
+- **Provenance attestation** - Packages are cryptographically signed with build info
+- **Audit trail** - Provenance is published to Sigstore transparency log
+
+## References
+
+- [npm Trusted Publishers](https://docs.npmjs.com/trusted-publishers/)
+- [npm Provenance](https://docs.npmjs.com/generating-provenance-statements/)
+- [GitHub: npm trusted publishing GA](https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vibe-forge",
-  "version": "0.2.1",
+  "version": "0.3.1",
   "description": "Multi-agent development orchestration system for terminal-native vibe coding",
   "keywords": [
     "vibe-coding",