recodeee · NagyVikt · Apr 10, 2026 · Apr 10, 2026 · Apr 10, 2026 · Apr 10, 2026
@@ -20,13 +20,12 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: ${{ matrix.node }}
-          cache: npm
 
       - name: Install
         run: npm install --ignore-scripts

@@ -0,0 +1,42 @@
+name: CodeQL
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  schedule:
+    - cron: '35 3 * * 1'
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (javascript-typescript)
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - javascript-typescript
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@a4e1a019f5e24960714ff6296aee04b736cbc3cf # v3.29.6
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@a4e1a019f5e24960714ff6296aee04b736cbc3cf # v3.29.6
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@a4e1a019f5e24960714ff6296aee04b736cbc3cf # v3.29.6
@@ -2,6 +2,9 @@ name: Release to npm (provenance)
 
 on:
   workflow_dispatch:
+  push:
+    tags:
+      - 'v*'
   release:
     types: [published]
 
@@ -17,17 +20,17 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 22
           registry-url: https://registry.npmjs.org
           cache: npm
 
       - name: Install
-        run: npm install --ignore-scripts
+        run: npm ci --ignore-scripts
 
       - name: Verify
         run: |

@@ -20,16 +20,19 @@ jobs:
       id-token: write
       actions: read
       contents: read
+      checks: read
+      issues: read
+      pull-requests: read
 
     steps:
       - name: Run analysis
-        uses: ossf/scorecard-action@v2.4.0
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
           publish_results: true
 
       - name: Upload SARIF results to Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@a4e1a019f5e24960714ff6296aee04b736cbc3cf # v3.29.6
         with:
           sarif_file: results.sarif
@@ -1 +1,2 @@
 .omx/
+node_modules
@@ -26,6 +26,7 @@ This AGENTS.md is the top-level operating contract for this repository.
 - Reuse existing patterns before introducing new abstractions.
 - No new dependencies without explicit request.
 - Keep diffs small, reviewable, and reversible.
+- When work from an agent-created branch is merged into `main`, always bump the npm package version and include the updated `package.json` and lockfile in that merge.
 - Run lint/typecheck/tests/static analysis after changes.
 - Final reports must include: changed files, simplifications made, and remaining risks.
 

@@ -5,7 +5,7 @@ Thanks for contributing to `musafety`.
 ## Development setup
 
 ```bash
-npm install
+npm ci
 npm test
 node --check bin/multiagent-safety.js
 npm pack --dry-run

@@ -1,4 +1,4 @@
-# musafety
+# musafety (MULTI AGENTS SAFETY PROTCOL)
 
 [![npm version](https://img.shields.io/npm/v/musafety?color=cb3837&logo=npm)](https://www.npmjs.com/package/musafety)
 [![CI](https://github.com/recodeecom/multiagent-safety/actions/workflows/ci.yml/badge.svg)](https://github.com/recodeecom/multiagent-safety/actions/workflows/ci.yml)
@@ -40,6 +40,7 @@ Package page: https://www.npmjs.com/package/musafety
 - Dedicated security disclosure policy in [`SECURITY.md`](./SECURITY.md)
 
 Related tools:
+
 - [oh-my-codex (OMX)](https://github.com/Yeachan-Heo/oh-my-codex)
 - [OpenSpec](https://github.com/Fission-AI/OpenSpec)
 
@@ -56,12 +57,37 @@ That one command runs:
 2. asks strict Y/N approval only if something is missing,
 3. installs guardrail scripts/hooks,
 4. repairs common safety problems,
-5. scans and reports final status.
+5. installs local Codex + Claude musafety helper skill files if missing,
+6. scans and reports final status.
 
 ## Setup screenshot
 
 ![musafety setup success screenshot](https://raw.githubusercontent.com/recodeecom/multiagent-safety/main/docs/images/setup-success.svg)
 
+## Status logs screenshot
+
+![musafety service status screenshot](https://raw.githubusercontent.com/recodeecom/multiagent-safety/main/docs/images/musafety-service-status.svg)
+
+## AI helper skills installed by setup/doctor
+
+`musafety setup` and `musafety doctor` also ensure these local helper files exist:
+
+- Codex skill: `.codex/skills/musafety/SKILL.md`
+- Claude command: `.claude/commands/musafety.md` (use as `/musafety`)
+
+## Scorecard report generation
+
+Create/update markdown reports from OpenSSF Scorecard JSON:
+
+```sh
+musafety report scorecard --repo github.com/recodeecom/multiagent-safety
+```
+
+By default this writes:
+
+- `docs/reports/openssf-scorecard-baseline-YYYY-MM-DD.md`
+- `docs/reports/openssf-scorecard-remediation-plan-YYYY-MM-DD.md`
+
 ## Workflow protocol screenshots
 
 ### 1) Start isolated agent branch/worktree
@@ -82,7 +108,36 @@ That one command runs:
 musafety copy-prompt
 ```
 
-This prints a ready-to-paste prompt. Example output:
+This prints a ready-to-paste prompt.
+
+### Prompt preview (SVG)
+
+![musafety copy prompt screenshot](https://raw.githubusercontent.com/recodeecom/multiagent-safety/main/docs/images/copy-prompt-output.svg)
+
+### Commands-only copy mode
+
+If you only want executable commands (without explanatory text):
+
+```sh
+musafety copy-commands
+```
+
+Example output:
+
+```sh
+npm i -g musafety
+musafety setup
+musafety doctor
+bash scripts/agent-branch-start.sh "task" "agent-name"
+python3 scripts/agent-file-locks.py claim --branch "$(git rev-parse --abbrev-ref HEAD)" <file...>
+bash scripts/agent-branch-finish.sh --branch "$(git rev-parse --abbrev-ref HEAD)"
+bash scripts/openspec/init-plan-workspace.sh "<plan-slug>"
+musafety protect add release staging
+musafety sync --check
+musafety sync
+```
+
+Full checklist output:
 
 ```text
 Use this exact checklist to setup multi-agent safety in this repository for Codex or Claude.
@@ -99,8 +154,7 @@ Use this exact checklist to setup multi-agent safety in this repository for Code
      - n = skip global installs
 
 3) If setup reports warnings/errors, repair + re-check:
-   musafety fix
-   musafety scan
+   musafety doctor
 
 4) Confirm next safe agent workflow commands:
    bash scripts/agent-branch-start.sh "task" "agent-name"
@@ -123,20 +177,25 @@ Use this exact checklist to setup multi-agent safety in this repository for Code
 ```sh
 musafety status [--target <path>] [--json]
 musafety setup [--target <path>] [--dry-run] [--yes-global-install|--no-global-install] [--no-gitignore]
+musafety doctor [--target <path>] [--dry-run] [--json] [--keep-stale-locks] [--no-gitignore]
 musafety copy-prompt
+musafety copy-commands
 musafety protect list [--target <path>]
 musafety protect add <branch...> [--target <path>]
 musafety protect remove <branch...> [--target <path>]
 musafety protect set <branch...> [--target <path>]
 musafety protect reset [--target <path>]
 musafety sync --check [--target <path>] [--base <branch>] [--json]
 musafety sync [--target <path>] [--base <branch>] [--strategy rebase|merge] [--ff-only]
+musafety report scorecard [--target <path>] [--repo github.com/<owner>/<repo>] [--scorecard-json <file>] [--output-dir <path>] [--date YYYY-MM-DD]
 bash scripts/agent-worktree-prune.sh --base dev   # manual stale worktree cleanup
 bash scripts/openspec/init-plan-workspace.sh <plan-slug>   # optional OpenSpec plan scaffold
 ```
 
 No command defaults to `musafety status` (non-mutating health/status view).
 `musafety status` reports CLI/runtime info, global OMX/OpenSpec service status, and repo safety service state.
+When run in an interactive terminal, default `musafety` checks npm for a newer version first
+and asks `[Y/n]` whether to update immediately (default is `Y`).
 
 - Interactive setup: prompts for Y/N approval before global OMX/OpenSpec install.
 - Interactive prompt is strict (`[y/n]`) and waits for explicit answer.
@@ -148,6 +207,7 @@ No command defaults to `musafety status` (non-mutating health/status view).
 musafety install [--target <path>] [--force] [--skip-agents] [--skip-package-json] [--no-gitignore] [--dry-run]
 musafety fix [--target <path>] [--dry-run] [--keep-stale-locks] [--no-gitignore]
 musafety scan [--target <path>] [--json]
+musafety report help
 ```
 
 ## Keep agent branches synced with dev
@@ -160,6 +220,7 @@ musafety sync
 ```
 
 Defaults:
+
 - base branch: `dev` (or `multiagent.baseBranch`)
 - strategy: `rebase` (or `multiagent.sync.strategy`)
 
@@ -226,6 +287,8 @@ scripts/agent-file-locks.py
 scripts/install-agent-git-hooks.sh
 scripts/openspec/init-plan-workspace.sh
 .githooks/pre-commit
+.codex/skills/musafety/SKILL.md
+.claude/commands/musafety.md
 .omx/state/agent-file-locks.json
 ```