Closed
Conversation
added 13 commits
April 10, 2026 10:49
This adds a new [musafety] Doctor/fix: /home/deadpool/Documents/multiagent-safety - unchanged scripts/agent-branch-start.sh - unchanged scripts/agent-branch-finish.sh - unchanged scripts/agent-worktree-prune.sh - unchanged scripts/agent-file-locks.py - unchanged scripts/install-agent-git-hooks.sh - unchanged scripts/openspec/init-plan-workspace.sh - unchanged .githooks/pre-commit - unchanged .omx/state/agent-file-locks.json - unchanged .gitignore - unchanged package.json - unchanged AGENTS.md - hooksPath set core.hooksPath=.githooks [musafety] Scan target: /home/deadpool/Documents/multiagent-safety [musafety] Branch: main [musafety] ✅ No safety issues detected. [musafety] ✅ Repo is correctly musafe. command that runs repair + verification in one pass so users can quickly recover drifted setups and confirm whether a repository is currently musafe. README and tests were updated accordingly. Constraint: User requested direct delivery on main in this workspace Rejected: Alias doctor directly to setup | setup also handles global installs and interactive prompts not needed for drift repair Confidence: high Scope-risk: moderate Reversibility: clean Directive: Keep doctor as fix+scan focused remediation; avoid expanding it into install/publish flows Tested: npm test (31/31 passing) Not-tested: manual Windows shell execution
Refined the musafety-tools status block to be easier to scan at a glance, with TTY-enhanced separators/colors and a plain-text fallback for logs/CI. The command list remains concise and aligned with the core help output. Constraint: Keep output copy-paste friendly in non-interactive environments Rejected: Full rich/verbose command docs in status output | too noisy for regular status checks Confidence: high Scope-risk: narrow Reversibility: clean Directive: Keep command summary concise in status; reserve detailed docs for README/help only Tested: npm test (31/31 passing) Not-tested: manual Windows terminal color rendering
Added a new README screenshot section showing the musafety status/log presentation, using a terminal-style SVG that mirrors the current command layout and recommendation footer. Constraint: Keep README visuals lightweight and repository-local Rejected: PNG screenshot artifact | larger binary and harder to diff/update Confidence: high Scope-risk: narrow Reversibility: clean Directive: Update this SVG when status log command wording changes materially Tested: npm test (31/31 passing) Not-tested: npm README rendering preview
This introduces managed template files for a local Codex musafety skill and Claude /musafety command, then wires them into install/fix flows so setup automatically provisions them and doctor repairs them if missing. Constraint: Keep install/fix behavior idempotent and repo-local Rejected: Writing skills into user home directories | harder to test and risky for shared environments Confidence: high Scope-risk: moderate Reversibility: clean Directive: If skill/command behavior changes, update templates and setup verification expectations together Tested: node --test test/install.test.js test/metadata.test.js (31/31 passing) Not-tested: manual Claude /musafety command execution in live Claude client
Bumped package version from 0.4.6 to 0.4.7 so the next publish can be cut as a new npm release. Constraint: Keep the release bump isolated to package manifest versioning Rejected: Bundling unrelated pending workspace edits in this release bump | increases release risk Confidence: high Scope-risk: narrow Reversibility: clean Directive: Publish this version only after required CI and PR checks are green Tested: npm pack --dry-run (musafety@0.4.7 tarball generated) Not-tested: npm publish
CI jobs were failing before tests because setup-node npm cache and npm ci both require a lockfile. This repo's PR branch state currently does not guarantee a committed lockfile, so the workflow now installs dependencies with npm install --ignore-scripts and avoids cache mode that hard-fails on missing lockfiles. Constraint: CI must stay green for pull_request merges even when package-lock.json is absent Rejected: Commit package-lock.json as a required fix | branch currently carries unrelated local changes and lockfile enforcement was not an explicit repo policy Rejected: Keep npm ci and add conditional lockfile logic | more workflow complexity than needed for this immediate failure mode Confidence: high Scope-risk: narrow Reversibility: clean Directive: If lockfile policy becomes mandatory, re-enable npm ci together with committed lockfile governance Tested: node --test test/install.test.js test/metadata.test.js Tested: node --check bin/multiagent-safety.js Tested: npm install --ignore-scripts Not-tested: Full GitHub Actions rerun after push
Added two timestamped reports from the provided Scorecard snapshot: a baseline score/check breakdown and a prioritized remediation plan for raising the repository score. Constraint: Report based on screenshot evidence provided in-session Rejected: Live scorecard fetch from network | user supplied authoritative snapshot to document now Confidence: medium Scope-risk: narrow Reversibility: clean Directive: Refresh these reports after each major scorecard re-run to keep deltas current Tested: Manual review of captured check scores against screenshot Not-tested: automated scorecard ingestion pipeline
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Collaborator
Author
|
Update: I pushed a follow-up commit to resolve the CodeQL alert in (proper regex escaping). All checks are now green.\n\nThis PR is currently blocked only by branch policy requiring approval from someone other than the last pusher before merge. |
Collaborator
Author
|
Update: I pushed a follow-up commit to resolve the CodeQL alert in test/install.test.js (proper regex escaping). All checks are now green. This PR is currently blocked only by branch policy requiring approval from someone other than the last pusher before merge. |
Collaborator
Author
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why\nDirect pushes to
mainare blocked by branch protection.\n\n## What\n- pushes current localmain-ahead commits via branchchore/push-via-pr-2026-04-10\n- updates localoriginremote to moved repository URLrecodeecom/musafety\n\n## Verification\n- npm test\n- node --check bin/multiagent-safety.js\n- npm pack --dry-run\n