chore(deps): bump gitleaks/gitleaks-action from 2.3.9 to 3.0.0 #4

Closed
dependabot[bot] wants to merge 66 commits into main from dependabot/github_actions/gitleaks/gitleaks-action-3.0.0
@dependabot dependabot Bot commented on behalf of github Jun 4, 2026

Bumps gitleaks/gitleaks-action from 2.3.9 to 3.0.0.

Release notes

Sourced from gitleaks/gitleaks-action's releases.

v3.0.0

What's changed

gitleaks-action v3 migrates the runtime from Node 20 to Node 24. No changes to inputs, outputs, or behavior. Update your workflow from gitleaks/gitleaks-action@v2 to gitleaks/gitleaks-action@v3.

Migration

# Before
- uses: gitleaks/gitleaks-action@v2

# After
- uses: gitleaks/gitleaks-action@v3

Why

GitHub is deprecating the Node 20 runtime for Actions:

  • June 2, 2026: GitHub flips the runner default to Node 24. Workflows using gitleaks-action@v2 (Node 20) will still run, but only if ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true is set as an environment variable.
  • September 16, 2026: Node 20 is removed from GitHub-hosted runners entirely. gitleaks-action@v2 stops working regardless of any opt-out flag.

Changes

  • action.yml: runtime node20 → node24
  • @actions/core: 1.10.0 → 1.11.1
  • dist/ rebuilt
  • Example workflows updated to actions/checkout@v6 and gitleaks-action@v3
  • README updated with v3 migration guide

Self-hosted runners

If you use self-hosted runners, ensure your runner version is >= v2.327.1 (required for Node 24 support).

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bootstrap the 2ndBrain-mogging plugin repo:
- Directory skeleton for .claude-plugin, skills (10), agents, commands,
  hooks, scheduled, vault-template (01-06), docs, tests + sample-vault
  fixture, bin, references.
- MIT LICENSE (2026 lorecraft-io).
- CHANGELOG.md seeded with 0.1.0 initial-release entry.
- Stub README.md (agent 12 will expand).
- .gitignore covering macOS, Node, env files, test-vault Claude memory,
  and install-script signature artifacts.
…cs, tests

- 10 SKILL.md: save, wiki, challenge, emerge, backfill, aliases, autoresearch, canvas, tether, connect
- install.sh + uninstall.sh + doctor.sh + backup-vault.sh (jq-merge Stop hook, symlinks, launchd)
- 4 launchd plists (morning/nightly/weekly/health, audit-only default)
- references/wiki-schema.md single source of truth
- Test harness: 8 test files + fixtures + orchestrator
- Docs: README, PHILOSOPHY, MIGRATION, CONTRIBUTING, CHANGELOG + 5 why-not-*.md + foundations
- Security: .gitleaks.toml + GitHub Actions secret-scan + config/{secrets.patterns,nathan.pii}
- Plugin manifest: .claude-plugin/plugin.json + marketplace.json
- vault-template/ scaffold
- hooks/stop-save.sh

Amalgamation of Karpathy LLM Wiki + Jens/NulightJens + eugeniu + AgriciDaniel + NicholasSpisak.
…rontmatter cleanup

W4W audit remediation:
- install.sh: add idempotency guard (skip merge if our hook already present, detect by 2ndBrain-mogging/hooks/stop- path fingerprint)
- install.sh: inline Stop overlay referenced hooks/stop-hook.sh but repo ships hooks/stop-save.sh — corrected
- skills/emerge/SKILL.md: add missing allowed-tools frontmatter field
- skills/wiki/SKILL.md: strip legacy /cingest + /clint reference from description
- Replace all 68+ real names with <PERSON-X>/<PROJECT-X> placeholders
- Add docs/placeholder-names.md (public convention reference)
- Add docs/MIGRATION.md (phase-by-phase runbook)
- Expand CHANGELOG v0.1.0 + add v0.1.1 entry
- Update README: 7-folder vault diagram, credits, namespacing note
- Fix launchd plists: $HOME placeholder replacing hardcoded paths
- Fix .gitleaks.toml: remove self-leaking rules; add .example companion
- Add .gitignore entries for private PII/gitleaks files
- Add .filter-repo-replacements.example.txt for operator reference
- Bootstrap Claude-Memory/aliases.yaml seed template
- Fix install.sh idempotency guard (already in f17930e, retained)
- Fix skills/emerge frontmatter: add allowed-tools field
- Fix skills/wiki description: strip legacy /cingest+/clint reference
- Fix tests/test_onboarding.sh: correct install.sh flags
- Vault-template sidecars updated with placeholder convention
…ls + schema

Human feedback (2026-04-17): "auto-delete" and "silently delete" phrasing — even
when used in guardrail context ("do NOT auto-delete") — reads sideways as if
deletion was on the table. Softened to "flag for human review" and "remove without
flagging" framing across:

- skills/wiki/SKILL.md §7: "do NOT auto-delete the link" -> "flag for human
  review. Never remove the link without explicit human approval."
- skills/save/SKILL.md §1: "never silent overwrite" -> explicit diff-and-approval
  overwrite language.
- skills/save/SKILL.md §2.1 (50/50 rule): "silent misfiling" -> "unflagged
  misfiling" (preserves the prevention intent without invoking silence).
- references/wiki-schema.md §3: "Do NOT silently delete the link" -> "Never remove
  the link itself without flagging it for human review — removal is a human-only
  action."

Behavior unchanged — skills never deleted files. This is pure phrasing cleanup
to remove alarming language from instruction manuals.
…orruption

Critical fix to v0.1.1's PII-scrub regression. The .filter-repo-replacements.txt
rule `regex:\buri\b==><person-i>` did not honor its word-boundary anchors when
git-filter-repo applied it, so `uri` got replaced as a literal substring inside
dozens of ordinary English words across public files. Same bug for `\balan\b`.

Reverted corruption across 19 files:
- CHANGELOG.md (headings), docs/SECURITY.md (title + body), references/wiki-schema.md
- scripts/prepublish-check.sh (4 hits), .github/workflows/secret-scan.yml (1 — BROKEN ACTION)
- skills/wiki/SKILL.md, skills/save/SKILL.md, skills/backfill/SKILL.md, skills/challenge/SKILL.md
- commands/save.md, commands/autoresearch.md
- vault-template/CLAUDE.md, vault-template/AGENTS.md
- docs/CREDITS.md, docs/foundations/{03,05}-*-analysis.md, docs/CLAUDE-MD-PATCH.md
- config/nathan.pii.example, .gitleaks.private.toml.example

Most critical: secret-scan.yml's `uses: trufflesecurity/trufflehog@main` was
corrupted to `trufflesec<person-i>ty/trufflehog@main` — GitHub Actions failed
to resolve this on every push since v0.1.1 shipped.

Also in this release: auto-delete / silent-op phrasing scrub from skills +
schema (rolls up the earlier 79dce5f scrub commit into the v0.1.2 release).

Plugin manifest bumped 0.1.0 -> 0.1.2 (matches CHANGELOG).

The .filter-repo-replacements.txt config itself is preserved — the mapping
rule is correct in intent, the bug is how git-filter-repo interpreted it.
A future rewrite needs either a newer git-filter-repo, a different syntax,
or explicit Uri/Alan capitalization-only rules.
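
Two checks for the substring-bleed regression described in this commit message, as an added example that is not part of the repository or the commit: a pre-flight list of words a mapping would corrupt if applied without working word boundaries, and a post-rewrite scan for placeholders fused into a longer word. The `<person-x>`/`<project-x>` token shape follows the commit messages; the function names and sample lines are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the repository): checks to run around a name-scrub
# history rewrite so that a mapping applied as a bare substring is caught.

# Placeholder shape assumed from the commit messages: <person-x>, <project-x>.
TOKEN='<(person|project)-[a-z0-9]+>'

# bleed_candidates NAME FILE...
# Pre-flight, before the rewrite: list the distinct words that contain NAME
# without being NAME, i.e. what a replacement without working word
# boundaries would corrupt. NAME is assumed to be plain letters.
bleed_candidates() {
  local name="$1"; shift
  grep -ohiE "[[:alnum:]_]*${name}[[:alnum:]_]*" -- "$@" \
    | tr '[:upper:]' '[:lower:]' \
    | grep -vix -- "$name" \
    | sort -u
}

# find_bleed FILE...
# Post-flight, after the rewrite: print file:line:text for every placeholder
# fused to a letter or digit on either side. Exit status 0 means corruption
# was found, 1 means clean (grep convention).
find_bleed() {
  grep -HnEi "[[:alnum:]]${TOKEN}|${TOKEN}[[:alnum:]]" -- "$@"
}

# count_bleed FILE... -> number of corrupted lines (0 when clean)
count_bleed() {
  find_bleed "$@" | wc -l | tr -d ' '
}

# write_samples DIR: constructed before/after files for a dry run.
write_samples() {
  cat > "$1/before.txt" <<'EOF'
uses: trufflesecurity/trufflehog@main
Reviewed by Uri on Tuesday.
Backups are taken during the migration.
EOF
  cat > "$1/after.txt" <<'EOF'
uses: trufflesec<person-i>ty/trufflehog@main
Reviewed by <person-i> on Tuesday.
Backups are taken d<person-i>ng the migration.
EOF
}

# Run with --demo to see both checks on the constructed samples.
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); write_samples "$d"
  echo "a literal replacement of 'uri' would bleed into:"
  bleed_candidates uri "$d/before.txt"
  echo "fused placeholders after the rewrite:"
  find_bleed "$d/after.txt" || true
fi
```

Wiring `find_bleed` into the prepublish gate as a failing check turns a repeat of this regression into a blocked push rather than a broken workflow.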
The trufflesecurity/trufflehog@main action wrapper appends --fail itself,
so repeating it in extra_args caused "flag 'fail' cannot be repeated"
errors and broke every secret-scan run since the action's last bump.
… + docs + schema

15-agent /fswarmmax fix swarm closes all known pre-mogging folder drift across
skill runtime paths, README tables, migration docs, and the CLAUDE-MD-PATCH
template appended to user vaults at install.

Skill-runtime fixes (agents 11 + supporting):
- 31 of 49 pre-mogging folder references updated across 9 skill files +
  references/wiki-schema.md to resolve against the post-mogging 7-folder
  layout (01-Conversations / 02-Sources / 03-Concepts / 04-Index / 05-Projects
  / 06-Tasks / Claude-Memory). Historical prose describing the rename itself
  left verbatim (18 cases).

docs/CLAUDE-MD-PATCH.md (agent 13):
- Full rewrite, 147 -> 192 lines. Marker renamed <!-- mogging:* --> to
  <!-- 2ndbrain-mogging:* --> for namespace clarity.
- Now carries the canonical 7-folder table, killed-folders callout,
  grandfathered-type mapping, 10 skills list, 4 scheduled agents with correct
  times, 3 non-negotiables, bot-prefix commits table, 9 hard rules.

README.md (agent 12):
- Regime-ownership table updated to post-mogging folder names.
- Scheduled-agents table rewritten to match shipped plists + agent-spec
  write paths (all writing to 01-Conversations/VAULT/reports/*).
- Backward-compat line inverted (aliases.yaml is for entity names, not
  folder-structure compat).

MIGRATION.md + CONTRIBUTING.md (agent 14):
- MIGRATION.md folder-numbering callout updated to 7-folder scheme.
- CONTRIBUTING.md test harness path tests/run-all.sh -> tests/run_all.sh.

.filter-repo-replacements.example.txt (agent 8):
- Added explicit WARNING about v0.1.1 substring-bleed regression.
  Future forks see the corruption signature and the literal-only defense.

plugin.json version 0.1.2 -> 0.1.3.

Known gap: install.sh does not currently consume docs/CLAUDE-MD-PATCH.md.
Follow-up task — flagged in CHANGELOG.
Closes the v0.1.3 known gap. Before this commit, docs/CLAUDE-MD-PATCH.md was
the canonical post-mogging contract that was supposed to be appended to
every user's vault CLAUDE.md at install time — but install.sh never read
the file, so it was documentation-only. New users got skills + agents +
launchd plists wired up but no contract installed into their CLAUDE.md.

Added apply_claude_md_patch() as step 9.5, running between link_claude_memory
and install_launchd:

- Extracts the canonical block (markers inclusive) from docs/CLAUDE-MD-PATCH.md
  using awk line-range matching on the `<!-- 2ndbrain-mogging:start -->` /
  `<!-- 2ndbrain-mogging:end -->` markers (149 lines as of 0.1.4).

- Idempotent: detects existing namespaced markers in $VAULT/CLAUDE.md and
  replaces the block between them. Never duplicates on re-run.

- Legacy migration: vaults carrying the pre-namespaced
  `<!-- mogging:start -->` / `<!-- mogging:end -->` markers from older
  installs get the legacy block stripped and replaced with the new
  namespaced block in a single pass. No manual migration step.

- Backup-before-mutation (non-negotiable #1): copies existing CLAUDE.md to
  $VAULT/Claude-Memory/backups/YYYY-MM-DD-HHMMSS/CLAUDE.md.bak before any
  write. Aborts cleanly on extraction failure (new exit code 41).

- Fresh vaults: creates a minimal CLAUDE.md header and anchors the patch
  block below it.

- Preserves all content above the markers byte-for-byte; drops trailing
  blank lines before appending so repeat runs don't accrete whitespace.

- Honors --dry-run (logs intended patch, no write) and --apply (writes).

Verified: `bash -n install.sh` passes; the awk extractor returns the
expected 149-line block on the current CLAUDE-MD-PATCH.md.

plugin.json bumped 0.1.3 -> 0.1.4.
Vendor the 11-file ADR-050 intelligence loop from ruvnet/ruflo (MIT,
re-shipped via lorecraft-io/fidgetflo) into helpers/ with a provenance
header on each file. Add hooks/intelligence-hooks.json overlay for 5
hook types (PreToolUse, PostToolUse, UserPromptSubmit, SessionStart,
SessionEnd). Extend install.sh with --with-intelligence (default off)
and --symlink flags; hardlink is default with EXDEV symlink fallback.
jq-merge preserves the mogging Stop hook untouched via array-concat on
each of the 5 hook keys, same discipline as the existing Stop-hook
merge. Update docs/CREDITS.md with the 6th upstream entry. Update
README.md with a "What we retired" section naming the killed legacy
folders (00-Inbox / 01-Fleeting / 05-Templates / 06-Assets), add the
new install flags to the Flags table, add a "Self-learning tier
(opt-in)" subsection, and add the ruflo bullet to Credits.
README:
- Full rewrite in Nate voice with the maxxing→mogging origin story
  (Jens-flavored 2ndBrain-maxxing → tested 5 alternatives → merged best-of-five
  → self-learning was the missing piece → built for a layman).
- Banner at top (2ndbrainmogging.png).
- Quick Navigation table with hotlinks to every section.
- Dedicated "Install Obsidian first" section pointing at obsidian.md with
  4-step manual install + ~/Desktop/BRAIN folder suggestion.
- Vault structure section now shows 05-Projects/ with example-project-1..3
  placeholders (no real project names leaked).
- 12 skills (10 existing + /import-claude + /import-notes) each described
  in plain English — one sentence per skill, no marketing fluff.
- Optional "Bring your existing stuff in" section at the end covering both
  importers + /tether + /connect + /wiki audit follow-up loop.
- Killed "The Obsidian + Claude Code second brain that respects your existing
  infrastructure" opener (it was wrong and boring).
- Credits section honestly names the 5 upstream systems (AgriciDaniel,
  eugeniu, Jens, Karpathy, NicholasSpisak) + ruvnet for the opt-in
  intelligence tier.

New skills (both plugin-namespaced):
- skills/import-claude/SKILL.md — one-shot Claude.ai / ChatGPT export
  ingest, alias-classified, dry-run-previewed, writes conversation captures
  to 01-Conversations/, LIT-* mirrors to 02-Sources/, concept stubs to
  03-Concepts/, respects owner: human, commits [bot:import-claude].
- skills/import-notes/SKILL.md — broad import covering Apple Notes
  (Exporter.app), OneNote (.docx), Notion (md+csv), Evernote (.enex),
  and raw .md/.txt/.docx/.pptx/.xlsx/.html/.rtf piles. Same routing
  rulebook as /import-claude.

New helper scripts (no step-N language):
- scripts/import-claude.sh — finds the mogged vault, locates the export
  zip (Claude.ai data-*-batch-*.zip or ChatGPT chatgpt-*.zip), extracts
  to <vault>/.import-staging/<ts>-claude/, then hands off to /import-claude.
- scripts/import-notes.sh — checks for Exporter.app (macOS), validates
  pandoc + xlsx2csv, scans Desktop/Downloads/Documents for candidate
  files, then hands off to /import-notes.

New docs (literal content, not redirects):
- docs/PARSING-GUIDE.md — categorization rulebook rewritten for the
  7-folder mogged layout (01-Conversations / 02-Sources / 03-Concepts /
  04-Index / 05-Projects / 06-Tasks / Claude-Memory). Owner contract,
  file conversion rules, decision table.
- docs/github-vault-guide.md — how to link 05-Projects/<project>/ to
  GitHub repos, gh CLI lookup pattern, path-substituted from the old
  07-Projects/ version.
- docs/claude-project-sync-guide.md — per-project subfolder layout
  (conversations/ + knowledge/ + assets/), file routing rules,
  validation (fake-PDF detection, magic-byte checks for zip formats),
  wikilink rules.

Verified: shellcheck clean at warn + error severity; no hardcoded
secrets in tracked files.
HARD RULE per feedback_call_me_nate: canonical is 'Nate Davidovich /
Lorecraft'. 'Nathan' must never appear in shipped public content.

9 skill files touched (emerge/wiki/tether/challenge/aliases/connect/save
SKILL.md). Body + examples normalized; filesystem paths with macOS
username /Users/nathandavidovich/ stay as-is (those are the OS
username, not the user's name).
README:
- Replace 'Jens (the AI-influencer guy on IG, you know who I mean)' with
  '[Jens Heitmann](https://www.instagram.com/jens.heitmann/)' in both the
  origin story and the Credits section. Credit where credit is due.

Remaining Nathan→Nate hits caught by a deeper grep (agents/, tests/,
references/) — all swept. The only remaining 'Nathan' occurrence in the
repo is inside .filter-repo-replacements.txt which is gitignored (local
name-mapping dictionary, never pushed).
- helpers/pattern-consolidator.sh 85-87: drop 'local' — the assignments
  live inside a top-level case statement, not a function. Shellcheck
  SC2168 error. Dropping 'local' is the safe fix (the vars are only
  read in the same case branch).

- README Credits + origin story: proper attribution for the sources
  that deserve it.
    - eugeniu → https://github.com/eugeniughelbur/obsidian-second-brain
    - Jens Heitmann → https://github.com/NulightJens/ai-second-brain-skills
      (repo), plus his Instagram profile
- Credits list cleaned up; eugeniu and Jens now link to their actual
  repos (and Jens gets both repo + IG, since you asked for the IG link
  earlier too).

Audit state:
- shellcheck error-level: clean across all shell files
- secrets: zero
- tracked 'Nathan': zero
- ruvnet/claude-flow trailers: zero
- skills: 12 README rows = 12 on disk, all slash commands resolve
- cross-refs: all skill MD ../../docs/ paths resolve
- README links: all local paths resolve
- Remaining: shellcheck WARNING-level style issues in vendored
  helpers/learning-optimizer.sh (SC2155) + install.sh (SC2034) —
  vendored/upstream code, left untouched.
…ls' self-learning

- 'Took the best 200 ideas from the five and threw out the other 800'
  was rhetorical precision that wasn't real; replaced with the honest
  merge-and-cut phrasing.
- Self-learning paragraph: acknowledged a couple of the originals
  already had a self-learning layer (bootstrapping theirs was the
  heavy part) — this pack's is opt-in and ships clean.
…list PATH

README:
- The self-learning tier claim that it was vendored from 'ruvnet's
  claude-flow / ruflo pattern-graph (ADR-050)' is not supported. The
  specific files (learning-service.mjs, pattern-consolidator.sh, etc.)
  do not exist at common paths in ruvnet/claude-flow or ruvnet/ruflo
  (ruvnet/ruflo is a Docker chat-UI / MCP-bridge / ruvocal project,
  not a pattern-graph intelligence loop). Three spots edited:
    - 'What you get' bullet — generic 'pattern-graph' framing only
    - Self-learning tier section — drop 'sixth upstream' + ADR-050
    - Credits list — drop ruvnet entry entirely

- (Provenance headers inside helpers/*.sh + helpers/*.mjs still claim
  'Vendored from claude-flow / ruflo (c) ruvnet'. Those files are
  out-of-scope for this README edit; flagged separately.)

Plist templates — scheduled/launchd/io.lorecraft.mogging.*.plist:
- PATH env var now includes $HOME/.local/bin + $HOME/bin ahead of
  /opt/homebrew/bin. Previously the installed plists could not find
  `claude` because it lives at ~/.local/bin/claude — exit code 127
  on every tick on real user systems. Fixed for future installs.
…ands

Claude Code CLI doesn't have --headless or --audit. 'claude -p PROMPT'
is already the non-interactive form. The 'audit' intent is semantic —
carried by the prompt text 'execute agents/NAME.md in audit mode' — not
a CLI flag. Including the bogus flags caused every scheduled tick to
exit 1 with 'error: unknown option --headless'.

Caught when re-running the installer against BRAIN2 and kicking a
manual run of the morning agent — cd worked, claude resolved via
the patched PATH (commit 1621ccb), but then the CLI rejected the flags.
… projects

Closes the gap where install.sh assumed a pre-populated vault. New users
running ./install.sh --vault ~/Desktop/BRAIN --apply against a fresh
Obsidian vault now get the full 7-folder layout + index + example
projects, instead of an empty folder where every skill write would fail.

install.sh:
- New --no-seed-vault flag (default: seed). Documented in --help, defaults
  block, README install table, and main() pipeline.
- New seed_vault_from_template() at step 3.5 (between vault validation
  and settings backup). For each entry under vault-template/, copies it
  into $VAULT only if the destination does not exist. Strictly additive
  — no overwrites. Idempotent: re-running prints '0 entries seeded,
  N already present'.

vault-template/:
- 05-Projects/example-project-1/example-project-1.md
- 05-Projects/example-project-2/example-project-2.md
- 05-Projects/example-project-3/example-project-3.md
  Each demonstrates the filename=foldername rule with frontmatter,
  knowledge-base section, conversations section, related-projects
  cross-links, and a GitHub-Repos section (project 1 only).
- 04-Index/Projects-Index.md
  Seed index that lists the three example projects + INCUBATOR + a
  'how to add a new project' walkthrough. Makes [[example-project-1]]
  resolve in the graph immediately on install.
- Removed empty .gitkeep stubs in 04-Index/ and 05-Projects/ now that
  real content exists.

README:
- Install flags table: documented --no-seed-vault.
- 'On --apply' summary now mentions the seed step explicitly.

Verified end-to-end against a throwaway empty vault:
- First install: 9 top-level entries seeded (CLAUDE.md, AGENTS.md, all
  6 numbered folders, Claude-Memory/, .DS_Store filtered).
- Re-run: 0 seeded, 9 already present. Idempotent.
- All 6 expected files present in the resulting vault.
- shellcheck error-clean, bash -n clean.
… of ruvnet/ruflo@v3.5.80)

Per the audit verification: the self-learning tier code (helpers/) is
ruvnet's ruflo@v3.5.80, squash-imported into FidgetFlo, then vendored
here. The MIT license requires preserving the copyright notice if the
code stays — and the code stays.

Restoring the attribution in the README only (per direction):
- 'What you get' bullet now credits FidgetFlo with a parenthetical
  pointing at the ruflo v3.5.80 tag (since ruvnet/ruflo's main branch
  was rewritten to a different project after v3.5.80 — the tag is
  where the actual code still lives).
- Self-learning tier section now names FidgetFlo as the upstream and
  notes the upstream-of-upstream chain.
- docs/CREDITS.md, helpers/ provenance headers, and other places
  intentionally left untouched per direction.
Comprehensive fix of every finding surfaced by the preceding 5-agent audit.
14 parallel worker agents with non-overlapping file zones; 1 QA validator
confirmed 19/19 checks green before this atomic commit.

CRITICAL bugs fixed:
- vault-template/CLAUDE.md + AGENTS.md rewritten to match actual shipped
  skills (12: save/wiki/challenge/emerge/connect/tether/backfill/aliases/
  autoresearch/canvas/import-claude/import-notes) and agents (4: morning/
  nightly/weekly/health). Previously listed fictional /capture/promote/link/
  moc/project/task skills + "Graph Repair Agent / Inbox Processor /
  Task Syncer / Weekly Curator" agents. This is what gets seeded into
  every new user's vault — fix is critical.
- All 4 agents (morning/nightly/weekly/health) now commit with their own
  [bot:<name>] prefix instead of [bot:wiki-heal]; this unbreaks the n8n
  W1 echo-loop they were built to prevent.
- skills/save/SKILL.md: type: literature → type: source (prior value
  halted the canonical parser on /save's own output).
- skills/autoresearch/SKILL.md: LIT-{slug} → SRC-YYYY-MM-DD-{slug} +
  type: source; removed writes to nonexistent 03-Concepts/synthesis/ and
  03-Concepts/entities/ subdirs; concept + synthesis stubs land flat in
  03-Concepts/.
- commands/*.md reconciled against every SKILL.md: dropped fabricated
  cosine-similarity auto-writes in connect (skill is read-only),
  fabricated promote subcommand in wiki, TODO-resolve mode in autoresearch,
  [bot:wiki-add] prefixes on skills with no commit flow, and the banned
  MOC-*.md filename pattern in tether.
- helpers/ provenance headers rewritten — the prior "no local modifications"
  claim was materially false (intelligence.cjs is 31674 bytes vs upstream
  ruflo@v3.5.80's 8565; memory.js, router.js, session.js don't exist in
  the upstream tag). New headers honestly frame the files as a FidgetFlo-
  internal build descended from ruvnet/ruflo@v3.5.80 with extended
  pattern-graph logic, dual-copyright MIT (ruvnet + Lorecraft LLC).
- LICENSE now preserves ruvnet's upstream copyright (MIT §1 compliance);
  new NOTICE file at repo root documents the dual-copyright chain.
- test_onboarding.sh: 16/50 FAIL → 50/50 PASS. Removed 6 phantom-skill
  assertions (onboard/recall/distill/index/route/scrub — never shipped);
  repointed .claude-plugin/plugin.json assertions from vault to repo root
  (it's the plugin manifest, not a vault asset).
- tests/run_all.sh: SKIP was silently counted as PASS; now reports
  separate pass/skip/fail buckets + --strict flag to promote skips to
  fails for CI.
- bin/doctor.sh: printed [doctor:FAIL] but exited 0; now tracks a FAIL
  counter and exits 3 on any fail. Plugin-registration probe downgraded
  to info (install.sh never calls `claude plugin add` — symlinks are
  the source of truth).
- scripts/prepublish-check.sh: exited 0 when gitleaks missing (silent
  bypass of secret gate); now exits 10 on missing tools. Added
  --skip-missing-tools dev flag.
- scripts/import-claude.sh: no --dry-run/--yes gate before extracting;
  now requires TTY confirmation, --yes, or --dry-run. Added full arg
  parser + --help + proper exit codes (0/1/2).
- scripts/import-notes.sh: silently ignored --vault flag (no arg
  parser); now has real flags (--vault/--source/--kind/--dry-run/
  --yes/--help) with usage/exit-code discipline.

HIGH/MEDIUM fixes:
- README: "ten skills" → "twelve skills" in origin story; install `--apply`
  summary rewritten to include all 14 main() steps (prior summary hid
  the CLAUDE.md patch, Claude-Memory symlink, intelligence tier, and
  doctor run); `{example-project-1,2,3, INCUBATOR}` extra space fixed;
  Credits bullet paragraph spacing fixed.
- docs/CLAUDE-MD-PATCH.md: 10 skills → 12; added bot-prefix rows for
  import-claude / import-notes / reconcile.
- docs/MIGRATION.md: retired `<!-- mogging:start/end -->` markers →
  `<!-- 2ndbrain-mogging:* -->`; hardcoded WORK/OBSIDIAN path replaced
  with generic vault-encoded-path resolver.
- docs/CREDITS.md: Karpathy + other folder-mapping prose rewritten for
  the 7-folder contract; claude-flow/agentic-flow section updated to
  match new helper provenance headers; NulightJens license verified
  via GitHub API.
- docs/SECURITY.md: placeholder disclosure email → GitHub Security
  Advisories URL + real backup address; example.com URLs → real
  release URLs.
- docs/github-vault-guide.md: /tether claim softened to match actual
  behavior.
- install.sh: unused DRY_RUN var removed (SC2034); apply_claude_md_patch
  now content-diff idempotent (no more mtime churn on re-run); nested
  .DS_Store scrub in seed_vault_from_template; top-level step index
  comment above main() for README-audit parity.
- vault-template: added SOUL.md, CRITICAL_FACTS.md, index.md, log.md,
  06-Tasks/TASKS.md stubs; .gitkeep files in all 4 VAULT/ subdirs so
  they survive git-clone; example-project-1 gained content/ + misc-
  building/ + GITHUB/ subdirs matching the README layout diagram.
- skills/tether: dropped 04-MOC back-compat; generalized 05-Projects/
  GITHUB hub pattern for template use.
- skills/canvas: replaced [[MOC-*]] pattern with [[*-Index]].
- skills/emerge: Sunday 9pm → Friday 6pm (weekly agent — prior time was
  the health agent's).
- skills/wiki: audit report destination moved to 01-Conversations/VAULT/
  reports/ matching scheduled-agent contract.
- skills/backfill: hardcoded `-2ndBrain` path softened to generic
  <encoded-vault-path>.
- agents/health.md: retired 07-Projects example → 05-Projects +
  06-Tasks current paths.
- CI workflow: `actions/checkout@v4`, `gitleaks/gitleaks-action@v2`,
  `trufflesecurity/trufflehog@main` all pinned to full 40-char SHAs
  (SHA-pinning + human-readable version comment).
- helpers/learning-optimizer.sh: `npx agentic-flow@alpha` pinned to
  `@3.0.0-alpha.2`; helpers/learning-hooks.sh: better-sqlite3 pinned
  to `^11`.
- CHANGELOG.md [Unreleased] populated with everything between v0.1.4
  and this commit.

QA VALIDATION (19/19 PASS before commit):
shellcheck --severity=error clean on all 17 .sh files; bash -n clean;
node --check clean on all 8 helpers; zero secrets in tracked files;
12 skills ↔ 12 dirs ↔ 12 commands ↔ 12 rows in README/patch; 4 agents
↔ 4 plists with aligned names; all retired folder names confined to
historical callouts; zero "Nathan" prose hits; LICENSE dual-copyright
+ NOTICE present; all 11 helper provenance headers honest; CI
SHA-pinned; tests/run_all.sh green; install.sh on empty vault seeds
13 entries + idempotent re-run; all README external URLs HEAD 200;
all 4 launchd plists loaded with exit 0.
Two blockers on the self-learning install path:

1. Launchd plists had PATH set but no nvm bin, so scheduled agents
   hit `sh: exec: node: not found` in SessionEnd hook. Sourcing
   $HOME/.nvm/nvm.sh inside ProgramArguments makes it version-agnostic
   — no hardcoded vN.N.N path to maintain.

2. merge_intelligence_hooks() used `(.[0] * .[1]) as $m | $m | .[0]...`
   — after the `$m |`, the pipeline context is the merged object, so
   `.[0]` threw "Cannot index object with number". Binding $old/$new
   before the merge fixes it and leaves the hook-array concat logic
   untouched. Verified: Stop hook preserved, 5 intelligence hooks
   appended, settings.json valid JSON.

Verified end-to-end: install.sh --with-intelligence completes, doctor
passes, 4 launchd jobs reload with working node PATH.
Closes the broken cross-reference in cli-maxxing's README that promised
"2ndBrain-mogging... registers the Obsidian MCP with Claude Code" — until
now, mogging did no such thing. Adds step 10.7:

  claude mcp add --scope user obsidian -- npx -y obsidian-mcp "$VAULT"

Runs by default on every --apply; idempotent (skips if already registered);
opt out with --no-obsidian-mcp. Gracefully noops if the claude CLI or
$VAULT isn't set. README gains a row in the flag table, an "Obsidian MCP"
subsection explaining upstream + rewire command, and an inline mention in
the --apply step order.
…statusline

Closes the second half of cli-maxxing's broken cross-reference (the first
half — obsidian-mcp — was closed in 6a237ec). Cli-maxxing's README promises
"2ndBrain-mogging adds a 🧠 brain indicator" to its statusline but mogging
never contributed anything. Also fixes a live bug: cli-maxxing's hardcoded
path regex was OBSIDIAN/(2ndBrain|MASTER), which doesn't match Nate's
renamed BRAIN2 vault, so the 🧠 indicator was silently broken.

Architecture: marker-file handshake.

- mogging writes $HOME/.claude/.mogging-vault containing the absolute
  vault path (step 10.8, opt out via --no-statusline-brain).
- cli-maxxing's statusline reads that file and case-matches $CWD against
  the contents. Exact-match or trailing-/ prefix wins; siblings like
  BRAIN2-OLD correctly don't. Legacy path regex kept as fallback for
  pre-marker installs.
- No mogging installed → marker absent → indicator never shows. No
  cli-maxxing installed → marker is a harmless ~100-byte no-op.

Also fixes an idempotency-check regex in install_obsidian_mcp — it anchored
on [[:space:]] but `claude mcp list` uses `<name>:` separators, so the
already-registered detection was silently missing and re-adding raised a
warn. Now anchors on `^obsidian:`.

README gains a "Statusline (redirect to cli-maxxing)" section, a flag-table
row, and an inline mention in the --apply step order.
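
The consumer side of the marker-file handshake described in this commit message, as an added example that is not the code of either repository: it shows the exact-match-or-`/`-prefix rule next to the bare prefix match it replaces, which is what lets a sibling such as BRAIN2-OLD through. The function names are hypothetical; the marker path and the indicator come from the commit message.

```bash
#!/usr/bin/env bash
# Added example (not from either repository): decide whether the current
# directory is inside the vault named by the marker file.

# Weak form, kept for contrast: a bare prefix glob. /v/BRAIN2-OLD starts
# with /v/BRAIN2, so a sibling directory is treated as the vault.
cwd_in_vault_naive() {
  case "$1" in
    "$2"*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Corrected form: exact match, or the vault path followed by "/".
# Quoting "$vault" inside the pattern keeps glob characters in the path
# literal, so a vault named "a[b]" cannot match "ab".
cwd_in_vault() {
  local cwd="${1%/}" vault="${2%/}"
  [ -n "$vault" ] || return 1          # empty or "/" is never a vault
  case "$cwd" in
    "$vault" | "$vault"/*) return 0 ;;
    *)                     return 1 ;;
  esac
}

# brain_indicator CWD [MARKER_FILE]
# Prints the indicator when CWD is inside the vault, nothing otherwise.
# A missing marker means the plugin is not installed: print nothing.
brain_indicator() {
  local cwd="$1" marker="${2:-$HOME/.claude/.mogging-vault}" vault=""
  [ -r "$marker" ] || return 0
  IFS= read -r vault < "$marker" || true   # tolerate a missing final newline
  case "$vault" in
    /*) ;;                                 # only an absolute path is trusted
    *)  return 0 ;;
  esac
  if cwd_in_vault "$cwd" "$vault"; then
    printf '🧠'
  fi
}

# Run with --demo CWD to print the indicator for a directory.
if [ "${1:-}" = "--demo" ]; then
  brain_indicator "${2:-$PWD}"; echo
fi
```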
Adds entries for the three install.sh changes that shipped today but
hadn't landed in CHANGELOG yet:

- 10da40f: launchd plists now source nvm; jq merge bug in
  merge_intelligence_hooks fixed so --with-intelligence completes
- 6a237ec: step 10.7 registers obsidian-mcp with Claude Code
- 6f73239: step 10.8 writes ~/.claude/.mogging-vault marker for
  cli-maxxing statusline

No version bump — this repo doesn't semver; the [Unreleased] section
just picks up three new bullets.
README: add Prerequisites section before the install steps — claude and jq
must be installed first; includes exact fix commands for both.

install.sh: replace terse exit messages with full remediation instructions
pointing to cli-maxxing step-1 (claude) and brew/apt/dnf (jq/git). Dry-run
banner is now a hard-to-miss box that shows the exact --apply command to use.
--vault-missing and --vault-not-a-directory errors now include Obsidian guidance.
Previously only secret-scan.yml ran in CI. This closes three gaps:

- test.yml: runs tests/run_all.sh on ubuntu-latest + macos-latest with
  jq preinstalled. 5 test_*.sh scripts are now CI-verified instead of
  relying on local runs only.
- lint.yml: shellcheck (pinned ludeeus/action-shellcheck@00cae500 =
  v2.0.0) at warning severity + bash -n syntax check across all 18
  tracked shell files.
- dependabot.yml: weekly github-actions updates with 'dependencies'
  label, matching the cli-maxxing / creativity-maxxing convention.

All new workflows:
- pin actions/checkout to 34e114876b0b11c390a56381ad16ebd13914f8d5
  (v4.3.1) with persist-credentials: false
- set permissions: contents: read (minimal)
- set timeout-minutes on every job
- use a concurrency group with cancel-in-progress.
fidgetcoding and others added 24 commits April 25, 2026 20:50
- .gitleaks.toml extends gitleaks default rules with project-specific allowlists
  for the 2026-04-25 redacted-token markers + intentional template placeholders.
- scripts/install-pre-commit-hook.sh — idempotent local-hook installer.
- README documents the hook + bypass.

Source: #8 from project_repo_readme_polish_backlog + 2026-04-25 secret-scrub
…commits

Lint Shell Scripts (5 shellcheck violations cleared):
- install.sh:264,273 SC2088 — tildes in warn() strings are LITERAL display
  text the user pastes; annotated with `shellcheck disable=SC2088` rather
  than rewriting to $HOME (which would change what the user reads).
- bin/doctor.sh:170,176 SC2088 — same fix, same rationale.
- bin/doctor.sh:214 SC2155 — split `local first="$(basename ...)"` into two
  statements so the basename exit code isn't masked by `local`.
- tests/test_obsidian_mcp.sh:116 SC2034 — FIRST_OUT is intentionally
  captured for debug surfacing on failure; annotated with disable comment
  + a header explaining why.

Tests (test_onboarding 39 fails → 0; test_preflight 8 fails → 0):
- .github/workflows/test.yml — install a fake `claude` shim into
  /usr/local/bin (and /opt/homebrew/bin on ARM macOS) before the test
  step. install.sh's preflight requires `claude` >= 1.4.0 on PATH; the
  runner has no Claude Code install, so EVERY test that exercises the
  full pipeline (test_onboarding + test_preflight cases 3-6) was bailing
  at exit 10 (missing claude). The shim only answers --version and
  exits 0 for everything else; tests that need to assert specific MCP
  wiring still install their own call-logging mock at the front of PATH,
  which wins over this base shim.
- tests/test_onboarding.sh — pass --no-obsidian-app + --no-obsidian-mcp
  + --no-statusline-brain + --no-shell-shortcuts so the macos-latest
  runner does not attempt a real `brew install --cask obsidian` or
  pollute the system MCP registry.
- tests/test_obsidian_mcp.sh — same defensive flag set (the obsidian-mcp
  mock is unchanged; we just stop the SIDE quests).
- tests/test_preflight.sh Case 5 — was asserting exit 21 when --vault
  pointed at a non-existent path; commit 8cbc39e (WAGMI item 5)
  intentionally changed that contract: install.sh now mkdir -p's the
  missing vault and continues. Test rewritten to pin the new contract:
  rc=0, directory exists on disk after, installer logs the auto-create
  line. Path is rooted under TMPROOT so the trap-cleanup still wipes it.

Verified locally:
  - shellcheck -S warning --format=gcc — 0 violations across the repo
  - bash tests/run_all.sh — 3 passed, 4 skipped, 0 failed
    (test_obsidian_mcp 10/10, test_onboarding 52/52, test_preflight 16/16)

Source: WAGMI install-call transcript 2026-04-22 + Apr-26 CI red-status
investigation. Both workflows have been failing since they were first
added on Apr-22; this is the first commit that lands them green.
…arg invocation

Branch 1 (whole conversation) with depth 3, tool-calls ON, artifacts ON
becomes the default behavior of bare /save. Menu still reachable via
/save menu, /save 2/3/4, or /save 1 --ask. Adds auto-commit when the
classification table has zero ambiguity flags (no 50/50 stubs, no
security-scrub redactions, no owner:human blocks, top candidate >=0.60
with runner-up <0.40). Force the y/n/edit prompt regardless via
/save --confirm.

Reason: in practice the menu and Q&A always resolved to 1 / 3yy --
zero-information friction.
3 surgical edits to source-of-truth doc layer that was the regression vector
the swarm researcher flagged — without these, install.sh would silently re-poison
user vaults with the same 3-way claims that were just scrubbed:

- docs/CLAUDE-MD-PATCH.md L115: 'n8n 3-way sync' → 'n8n 2-way sync's loop-prevention'
  (this is the template install.sh writes into user vaults' CLAUDE.md — fixing here
  prevents future installs from re-introducing the stale claim)
- docs/PARSING-GUIDE.md L66: 'live 3-way sync to Notion + Morgen' → 'live 2-way sync to Morgen'
- README.md L199: '3-way Notion + Morgen sync' → '2-way Morgen sync (Notion dropped 2026-05-04)'

Notion was dropped from task-maxxing on 2026-05-04. The W3 (Notion → Obsidian)
worker is a no-op stub; W1 no longer touches the Notion API.
Round 4 commit 0efc383 only got the line-115 callout. Round-5 audit found
5 more pre-cutover claims still living in the patch template body, plus
2 hardlinked SKILL files. Without these the install.sh template would
re-poison vault CLAUDE.md L420/L459/L465 on every fresh apply.

docs/CLAUDE-MD-PATCH.md (5 edits):
- L40: 'Live n8n ↔ Morgen ↔ Notion sync' → '2-way sync (Notion dropped 2026-05-04)'
- L123: 'W1/W2/W3 filters' → 'W1/W2 filters' + W3-deprecation note
- L162: task syntax 🆔 placeholder UUIDv4 → m-XXXXXXXX (W1's actual format)
- L168: 🆔 spec rewritten — m-XXXXXXXX (8 hex), legacy UUIDv4 entries stranded but archived
- L170: 'breaks the n8n W1/W2/W3 sync ... Morgen and Notion' → 'breaks W1/W2 sync ... Morgen'

skills/wiki/SKILL.md (2 edits, hardlinked to ~/.claude/skills/wiki/SKILL.md):
- L34, L331: 'n8n 3-way sync' → 'n8n 2-way sync (Obsidian ↔ Morgen, post-2026-05-04 Notion drop)'

skills/save/SKILL.md (2 edits, hardlinked to ~/.claude/skills/save/SKILL.md):
- L172: same task-syntax fix
- L181: '🆔 <uuid>' + '3-way sync' → '🆔 m-XXXXXXXX' + '2-way sync (post-2026-05-04 Notion drop)'

Net diff: 3 files, 9 insertions (after edits — exact diffstat depends on line wrapping).
…ema and MIGRATION

Three live-state references survived the 2026-05-04 Notion drop in non-CLAUDE-MD-PATCH
docs. Patches:

- references/wiki-schema.md §5: "Obsidian ↔ Morgen ↔ Notion via n8n W1/W2/W3" rewritten
  to "Obsidian ↔ Morgen via n8n W1/W2, orchestrated by W0-Sync-Orchestrator" with a
  parenthetical noting Notion + W3 are archived.
- references/wiki-schema.md §5 UUID rules: "duplicate task in Morgen and Notion" → drop
  Notion from the live failure mode; preserve the historical note.
- docs/MIGRATION.md Phase E1: "reactivating W1/W2/W3" → "reactivating W1/W2" with the
  W3-archived + W0-orchestrator parenthetical.

NOTION_INTEGRATION_TOKEN regex entries in the §6 security-scrub panels (wiki-schema +
skills/save) intentionally retained — leaked Notion tokens from collaborator commits
are still secrets we want to redact, independent of whether we use Notion ourselves.
…s/ (kill 01-Conversations pointer)

Phase 1.5 of the 2026-05-08 conversations-into-projects restructure.

Branch 1 step 4 rewrites the write-path decision:
  - project-tied  -> 05-Projects/<PROJECT>/conversations/[<sub>/]<date>-<slug>.md (sole source)
  - cross-cutting -> 02-Sources/LIT-conversation-<slug>-<date>.md (unchanged)
  - vault-meta    -> 05-Projects/VAULT/conversations/[<sub>/]<date>-<slug>.md (new)
  - meetings      -> <PROJECT>/conversations/meetings/ (optional grouping)

The pre-2026-05-08 dual-write (LIT + 01-Conversations pointer) is retired.
01-Conversations/ was absorbed into projects in vault commit edebd0e and no
longer exists.

Phase 2 will sweep the remaining 24 mogging-repo files that still reference
01-Conversations/ alongside the 05-Projects -> 01-Projects and 06-Tasks ->
05-Tasks renames.
…06-Tasks -> 05-Tasks, 01-Conversations dead

Aligns the entire mogging-pack with the post-2026-05-08 vault restructure
(vault commits dcb2271 + b0c0b3e + obsidian-tasks-sync 04fc72a):
- All runtime path strings: 05-Projects/ -> 01-Projects/, 06-Tasks/ -> 05-Tasks/.
- All 01-Conversations/<route>/ targets rewritten to
  01-Projects/<PROJECT>/conversations/<sub>/. /save, /backfill,
  /import-claude, /tether examples + skill specs all updated.
- vault-template/ folders renamed: 05-Projects -> 01-Projects, 06-Tasks ->
  05-Tasks, 01-Conversations/ removed entirely. Fresh installs now seed the
  6-folder layout.
- vault-template/05-Tasks/TASKS.md plugin queries flipped to
  'path includes 05-Tasks'.
- README + install.sh: '7-folder' wording updated to '6-folder' (Quick
  Navigation, install banner, --no-seed-vault help text). CHANGELOG kept
  intact as immutable history.
- tests/test_onboarding.sh + tests/test_scope_guards.sh: folder-existence
  arrays updated, 06-Tasks scope-guard renamed to 05-Tasks.
- skills/save/SKILL.md (already at b6d78a9 with new routing logic) untouched.
- Historical references in CHANGELOG, MIGRATION.md, and skill specs that
  describe the migration itself are intentionally left as 01-Conversations/
  / 06-Tasks/ to preserve the upgrade-narrative.
…structure)

doctor.sh checked the wrong projects dir, masking real layout drift.
wiki-schema example linked to 05-Projects.

Found while diagnosing recurring 01-Conversations/ folder regeneration
(separate fix in ~/.local/bin/granola-export.py).
obsidian-tasks-sync local daemon auto-commits 05-Tasks edits between
n8n cycles; W1 filter already skips it via open-prefix [bot: match.
install.sh + README references to the cli-maxxing 🧠 indicator now read
Brain². save/SKILL.md vault-encoded-path example updated for the
~/Desktop/BRAIN2 → ~/BRAIN2 move.
…op vault path and seed aliases.yaml

- docs/MAINTAINING-YOUR-BRAIN.md: single-source setup+maintenance guide (folder model, /save daily, /wiki weekly, orphan hygiene, Claude.ai migration, knowledge-vs-skill)
- skills/vault-coach: auto-loads post-install and on new folder/project; enforces index-note-per-folder + Projects-Index registration + bidirectional tethering
- install.sh + README: ~/Desktop/BRAIN -> ~/BRAIN2 everywhere + macOS TCC warning (Desktop/Documents/Downloads break terminal access)
- install.sh step 9.2: seed Claude-Memory/aliases.yaml from new vault-template aliases.example.yaml so /save no longer hard-blocks on fresh installs
- register /vault-coach as 13th skill across README, CLAUDE-MD-PATCH, vault-template/CLAUDE.md
…autoread + stale-hook repair; lorecraft-io->fidgetcoding

- docs/MAINTAINING-YOUR-BRAIN.md + skills/vault-coach: strip all personal examples -> Project-A/research fill-in-the-blank placeholders
- install.sh: post-install Next-steps pointer to doc + /vault-coach; repair_stale_hooks() rewrites broken $HOME/.claude/helpers hook commands to ${CLAUDE_PROJECT_DIR:-.}
- README + vault-template CLAUDE.md/AGENTS.md: autoread wiring (first session -> /vault-coach)
- rename stale github.com/lorecraft-io URLs -> fidgetcoding; leave provenance/credits/CHANGELOG
- .gitignore operator-private skills (maketasks, backup-brain2)
… (never matched); use split/join literal replace

repair_stale_hooks counted stale commands with contains() but rewrote with gsub($hp;...), treating $HOME/.claude/helpers/ as a regex ($ anchor + . wildcard) so zero substitutions landed — it logged 'repaired N' while leaving commands unchanged and was non-idempotent. Switch to split|join literal substring replace. Verified in sandbox: command flips to ${CLAUDE_PROJECT_DIR:-.}, model+JSON preserved, second run finds 0.
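The count/rewrite mismatch described in the commit above, reproduced as an added example that is not install.sh's `repair_stale_hooks`. It needs jq; the function names, the sample hook command and the exact replacement prefix in `FIXED` are assumptions.

```shell
#!/bin/sh
# Added illustration of the gsub-vs-split/join bug; not install.sh's code.
# Single quotes keep $HOME and ${...} as literal text, as they appear in a
# stale hook command.
STALE='$HOME/.claude/helpers/'
FIXED='${CLAUDE_PROJECT_DIR:-.}/'   # assumed replacement prefix

# Detection: contains() is a literal substring test, so it sees the stale form.
is_stale() {
    jq -rn --arg c "$1" --arg hp "$STALE" '$c | contains($hp)'
}

# Buggy rewrite: gsub() compiles $hp as a regex. "$" is an end anchor and "."
# a wildcard, so nothing matches and the command comes back unchanged.
rewrite_regex() {
    jq -rn --arg c "$1" --arg hp "$STALE" --arg new "$FIXED" \
        '$c | gsub($hp; $new)'
}

# Fixed rewrite: split on a string then join is a literal replace.
rewrite_literal() {
    jq -rn --arg c "$1" --arg hp "$STALE" --arg new "$FIXED" \
        '$c | split($hp) | join($new)'
}

# Constructed hook command; the script name is a placeholder.
cmd='node $HOME/.claude/helpers/example-hook.js'
echo "detected as stale:  $(is_stale "$cmd")"
echo "after gsub:         $(rewrite_regex "$cmd")"
echo "after split|join:   $(rewrite_literal "$cmd")"
echo "stale on 2nd pass:  $(is_stale "$(rewrite_literal "$cmd")")"
```

A repair routine that detects with one matching semantics and rewrites with another should verify its own result, for example by re-running the detector on the output before logging a repair count.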
… table) + MIGRATION 06-Tasks->05-Tasks runbook

- README: Quick-Nav anchor, 'twelve skills' prose, '12 Claude Code skills' -> 13 (table/heading were already 13)
- vault-template/AGENTS.md: 'Skills (12 total)'->13 + add /vault-coach row
- docs/MIGRATION.md: git mv 08-Tasks 06-Tasks -> 05-Tasks (canonical); wikilink sed + validation grep
Document the MEMORY.md upkeep rule — keep the auto-loaded Claude-Memory index
under ~18KB, why it matters, why it balloons (per-session Stop-hook save), and
the trim/archive/one-line-enforcement runbook. Adds a quick-reference row.
…p12/*.pfx) + IDE dirs

safetycheck C6 hardening for a public installer repo — defends against accidental key/cert commits. No such files are currently tracked; this is preventive.
…ir fix; docs/test/import cleanups

- LICENSE/NOTICE/CREDITS byline standardized + fidgetflo lineage URL → fidgetcoding/fidgetflo
- install.sh repair_stale_hooks: expanded_prefix was $CLAUDE_HOME/.claude/helpers (doubled .claude) → $CLAUDE_HOME/helpers, so the shell-expanded stale form is now detected
- README/CLAUDE-MD-PATCH/CLAUDE/AGENTS: 13-skill counts + 6 self-referential retired-path bugs (→ 01-Conversations/) + MIGRATION heading
- tests/test_onboarding.sh: assert vault-coach (51/51); test_uuid comment 06→05
- scripts/import-{notes,claude}.sh: vault examples ~/Desktop/BRAIN2 → ~/BRAIN2
…; README 'six folders' typo; CREDITS skill count 11
…sh:349)

The Lint Shell Scripts workflow treats ShellCheck warnings as fatal.
SC2088 fired on intentional help-text '~/Documents' that is meant to
print literally, not expand. Scoped disable directive resolves it.
Bumps [gitleaks/gitleaks-action](https://github.com/gitleaks/gitleaks-action) from 2.3.9 to 3.0.0.
- [Release notes](https://github.com/gitleaks/gitleaks-action/releases)
- [Commits](gitleaks/gitleaks-action@ff98106...e0c47f4)

---
updated-dependencies:
- dependency-name: gitleaks/gitleaks-action
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot commented on behalf of github Jun 4, 2026

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

dependabot Bot commented on behalf of github Jun 26, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/github_actions/gitleaks/gitleaks-action-3.0.0 branch June 26, 2026 20:58