chore(deps): bump trufflesecurity/trufflehog from 3.94.3 to 3.95.6 #8
Closed
dependabot[bot] wants to merge 72 commits into
Bootstrap the 2ndBrain-mogging plugin repo:
- Directory skeleton for .claude-plugin, skills (10), agents, commands, hooks, scheduled, vault-template (01-06), docs, tests + sample-vault fixture, bin, references.
- MIT LICENSE (2026 lorecraft-io).
- CHANGELOG.md seeded with 0.1.0 initial-release entry.
- Stub README.md (agent 12 will expand).
- .gitignore covering macOS, Node, env files, test-vault Claude memory, and install-script signature artifacts.
…cs, tests
- 10 SKILL.md: save, wiki, challenge, emerge, backfill, aliases, autoresearch, canvas, tether, connect
- install.sh + uninstall.sh + doctor.sh + backup-vault.sh (jq-merge Stop hook, symlinks, launchd)
- 4 launchd plists (morning/nightly/weekly/health, audit-only default)
- references/wiki-schema.md single source of truth
- Test harness: 8 test files + fixtures + orchestrator
- Docs: README, PHILOSOPHY, MIGRATION, CONTRIBUTING, CHANGELOG + 5 why-not-*.md + foundations
- Security: .gitleaks.toml + GitHub Actions secret-scan + config/{secrets.patterns,nathan.pii}
- Plugin manifest: .claude-plugin/plugin.json + marketplace.json
- vault-template/ scaffold
- hooks/stop-save.sh
Amalgamation of Karpathy LLM Wiki + Jens/NulightJens + eugeniu + AgriciDaniel + NicholasSpisak.
…rontmatter cleanup
W4W audit remediation:
- install.sh: add idempotency guard (skip merge if our hook already present, detect by 2ndBrain-mogging/hooks/stop- path fingerprint)
- install.sh: inline Stop overlay referenced hooks/stop-hook.sh but repo ships hooks/stop-save.sh — corrected
- skills/emerge/SKILL.md: add missing allowed-tools frontmatter field
- skills/wiki/SKILL.md: strip legacy /cingest + /clint reference from description
- Replace all 68+ real names with <PERSON-X>/<PROJECT-X> placeholders
- Add docs/placeholder-names.md (public convention reference)
- Add docs/MIGRATION.md (phase-by-phase runbook)
- Expand CHANGELOG v0.1.0 + add v0.1.1 entry
- Update README: 7-folder vault diagram, credits, namespacing note
- Fix launchd plists: $HOME placeholder replacing hardcoded paths
- Fix .gitleaks.toml: remove self-leaking rules; add .example companion
- Add .gitignore entries for private PII/gitleaks files
- Add .filter-repo-replacements.example.txt for operator reference
- Bootstrap Claude-Memory/aliases.yaml seed template
- Fix install.sh idempotency guard (already in f17930e, retained)
- Fix skills/emerge frontmatter: add allowed-tools field
- Fix skills/wiki description: strip legacy /cingest+/clint reference
- Fix tests/test_onboarding.sh: correct install.sh flags
- Vault-template sidecars updated with placeholder convention
…ls + schema
Human feedback (2026-04-17): "auto-delete" and "silently delete" phrasing — even
when used in guardrail context ("do NOT auto-delete") — reads sideways as if
deletion was on the table. Softened to "flag for human review" and "remove without
flagging" framing across:
- skills/wiki/SKILL.md §7: "do NOT auto-delete the link" -> "flag for human
review. Never remove the link without explicit human approval."
- skills/save/SKILL.md §1: "never silent overwrite" -> explicit diff-and-approval
overwrite language.
- skills/save/SKILL.md §2.1 (50/50 rule): "silent misfiling" -> "unflagged
misfiling" (preserves the prevention intent without invoking silence).
- references/wiki-schema.md §3: "Do NOT silently delete the link" -> "Never remove
the link itself without flagging it for human review — removal is a human-only
action."
Behavior unchanged — skills never deleted files. This is pure phrasing cleanup
to remove alarming language from instruction manuals.
…orruption
Critical fix to v0.1.1's PII-scrub regression. The .filter-repo-replacements.txt
rule `regex:\buri\b==><person-i>` did not honor its word-boundary anchors when
git-filter-repo applied it, so `uri` got replaced as a literal substring inside
dozens of ordinary English words across public files. Same bug for `\balan\b`.
Reverted corruption across 19 files:
- CHANGELOG.md (headings), docs/SECURITY.md (title + body), references/wiki-schema.md
- scripts/prepublish-check.sh (4 hits), .github/workflows/secret-scan.yml (1 — BROKEN ACTION)
- skills/wiki/SKILL.md, skills/save/SKILL.md, skills/backfill/SKILL.md, skills/challenge/SKILL.md
- commands/save.md, commands/autoresearch.md
- vault-template/CLAUDE.md, vault-template/AGENTS.md
- docs/CREDITS.md, docs/foundations/{03,05}-*-analysis.md, docs/CLAUDE-MD-PATCH.md
- config/nathan.pii.example, .gitleaks.private.toml.example
Most critical: secret-scan.yml's `uses: trufflesecurity/trufflehog@main` was
corrupted to `trufflesec<person-i>ty/trufflehog@main` — GitHub Actions failed
to resolve this on every push since v0.1.1 shipped.
Also in this release: auto-delete / silent-op phrasing scrub from skills +
schema (rolls up the earlier 79dce5f scrub commit into the v0.1.2 release).
Plugin manifest bumped 0.1.0 -> 0.1.2 (matches CHANGELOG).
The .filter-repo-replacements.txt config itself is preserved — the mapping
rule is correct in intent, the bug is how git-filter-repo interpreted it.
A future rewrite needs either a newer git-filter-repo, a different syntax,
or explicit Uri/Alan capitalization-only rules.
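A check for the corruption signature this commit describes, a scrub placeholder fused to letters inside a word (as in `trufflesec<person-i>ty`). This is an added example, not code from the repository; the function names and the sample file are constructed.

```shell
#!/bin/sh
# Added example, not the repository's code. Function names and the sample
# file are constructed for illustration.

# A placeholder token with an ASCII letter glued to either side. A standalone
# <person-i> is a legitimate scrub result; "sec<person-i>ty" means the rule
# rewrote a substring of an ordinary word.
BLEED_RE='[a-z]<(person|project)-[a-z0-9]+>|<(person|project)-[a-z0-9]+>[a-z]'

# find_placeholder_bleed FILE...
# Prints file:line:text for each corrupted line; status 0 if any were found.
find_placeholder_bleed() {
    # The extra /dev/null operand forces the file: prefix for a single file.
    grep -nEi "$BLEED_RE" "$@" /dev/null
}

# count_placeholder_bleed FILE...
# Prints the number of corrupted lines.
count_placeholder_bleed() {
    find_placeholder_bleed "$@" | wc -l | tr -d ' '
}

# gate_placeholder_bleed FILE...
# Pre-publish gate: reports hits on stderr and returns 1 when any exist.
gate_placeholder_bleed() {
    if find_placeholder_bleed "$@" >&2; then
        echo "placeholder bleed: a scrub rule rewrote part of a word" >&2
        return 1
    fi
    return 0
}

# make_bleed_sample
# Writes a constructed sample file and prints its path. Lines 1 and 2 are
# corrupted; lines 3 and 4 carry standalone placeholders and must pass.
make_bleed_sample() {
    bleed_dir=$(mktemp -d) || return 1
    cat > "$bleed_dir/sample.txt" <<'EOF'
      - uses: trufflesec<person-i>ty/trufflehog@main
# Sec<person-i>ty policy
Reviewed by <person-i> and <PERSON-B>.
Notes from <person-i>'s session on <project-a>.
EOF
    printf '%s\n' "$bleed_dir/sample.txt"
}
```

Running `gate_placeholder_bleed` over the tracked files after a history rewrite catches this class of damage before it reaches a workflow file.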
The trufflesecurity/trufflehog@main action wrapper appends --fail itself, so repeating it in extra_args caused "flag 'fail' cannot be repeated" errors and broke every secret-scan run since the action's last bump.
… + docs + schema
15-agent /fswarmmax fix swarm closes all known pre-mogging folder drift across skill runtime paths, README tables, migration docs, and the CLAUDE-MD-PATCH template appended to user vaults at install.
Skill-runtime fixes (agents 11 + supporting):
- 31 of 49 pre-mogging folder references updated across 9 skill files + references/wiki-schema.md to resolve against the post-mogging 7-folder layout (01-Conversations / 02-Sources / 03-Concepts / 04-Index / 05-Projects / 06-Tasks / Claude-Memory). Historical prose describing the rename itself left verbatim (18 cases).
docs/CLAUDE-MD-PATCH.md (agent 13):
- Full rewrite, 147 -> 192 lines. Marker renamed <!-- mogging:* --> to <!-- 2ndbrain-mogging:* --> for namespace clarity.
- Now carries the canonical 7-folder table, killed-folders callout, grandfathered-type mapping, 10 skills list, 4 scheduled agents with correct times, 3 non-negotiables, bot-prefix commits table, 9 hard rules.
README.md (agent 12):
- Regime-ownership table updated to post-mogging folder names.
- Scheduled-agents table rewritten to match shipped plists + agent-spec write paths (all writing to 01-Conversations/VAULT/reports/*).
- Backward-compat line inverted (aliases.yaml is for entity names, not folder-structure compat).
MIGRATION.md + CONTRIBUTING.md (agent 14):
- MIGRATION.md folder-numbering callout updated to 7-folder scheme.
- CONTRIBUTING.md test harness path tests/run-all.sh -> tests/run_all.sh.
.filter-repo-replacements.example.txt (agent 8):
- Added explicit WARNING about v0.1.1 substring-bleed regression. Future forks see the corruption signature and the literal-only defense.
plugin.json version 0.1.2 -> 0.1.3.
Known gap: install.sh does not currently consume docs/CLAUDE-MD-PATCH.md. Follow-up task — flagged in CHANGELOG.
Closes the v0.1.3 known gap. Before this commit, docs/CLAUDE-MD-PATCH.md was the canonical post-mogging contract that was supposed to be appended to every user's vault CLAUDE.md at install time — but install.sh never read the file, so it was documentation-only. New users got skills + agents + launchd plists wired up but no contract installed into their CLAUDE.md.
Added apply_claude_md_patch() as step 9.5, running between link_claude_memory and install_launchd:
- Extracts the canonical block (markers inclusive) from docs/CLAUDE-MD-PATCH.md using awk line-range matching on the `<!-- 2ndbrain-mogging:start -->` / `<!-- 2ndbrain-mogging:end -->` markers (149 lines as of 0.1.4).
- Idempotent: detects existing namespaced markers in $VAULT/CLAUDE.md and replaces the block between them. Never duplicates on re-run.
- Legacy migration: vaults carrying the pre-namespaced `<!-- mogging:start -->` / `<!-- mogging:end -->` markers from older installs get the legacy block stripped and replaced with the new namespaced block in a single pass. No manual migration step.
- Backup-before-mutation (non-negotiable #1): copies existing CLAUDE.md to $VAULT/Claude-Memory/backups/YYYY-MM-DD-HHMMSS/CLAUDE.md.bak before any write. Aborts cleanly on extraction failure (new exit code 41).
- Fresh vaults: creates a minimal CLAUDE.md header and anchors the patch block below it.
- Preserves all content above the markers byte-for-byte; drops trailing blank lines before appending so repeat runs don't accrete whitespace.
- Honors --dry-run (logs intended patch, no write) and --apply (writes).
Verified: `bash -n install.sh` passes; the awk extractor returns the expected 149-line block on the current CLAUDE-MD-PATCH.md.
plugin.json bumped 0.1.3 -> 0.1.4.
Vendor the 11-file ADR-050 intelligence loop from ruvnet/ruflo (MIT, re-shipped via lorecraft-io/fidgetflo) into helpers/ with a provenance header on each file. Add hooks/intelligence-hooks.json overlay for 5 hook types (PreToolUse, PostToolUse, UserPromptSubmit, SessionStart, SessionEnd). Extend install.sh with --with-intelligence (default off) and --symlink flags; hardlink is default with EXDEV symlink fallback. jq-merge preserves the mogging Stop hook untouched via array-concat on each of the 5 hook keys, same discipline as the existing Stop-hook merge. Update docs/CREDITS.md with the 6th upstream entry. Update README.md with a "What we retired" section naming the killed legacy folders (00-Inbox / 01-Fleeting / 05-Templates / 06-Assets), add the new install flags to the Flags table, add a "Self-learning tier (opt-in)" subsection, and add the ruflo bullet to Credits.
README:
- Full rewrite in Nate voice with the maxxing→mogging origin story (Jens-flavored 2ndBrain-maxxing → tested 5 alternatives → merged best-of-five → self-learning was the missing piece → built for a layman).
- Banner at top (2ndbrainmogging.png).
- Quick Navigation table with hotlinks to every section.
- Dedicated "Install Obsidian first" section pointing at obsidian.md with 4-step manual install + ~/Desktop/BRAIN folder suggestion.
- Vault structure section now shows 05-Projects/ with example-project-1..3 placeholders (no real project names leaked).
- 12 skills (10 existing + /import-claude + /import-notes) each described in plain English — one sentence per skill, no marketing fluff.
- Optional "Bring your existing stuff in" section at the end covering both importers + /tether + /connect + /wiki audit follow-up loop.
- Killed "The Obsidian + Claude Code second brain that respects your existing infrastructure" opener (it was wrong and boring).
- Credits section honestly names the 5 upstream systems (AgriciDaniel, eugeniu, Jens, Karpathy, NicholasSpisak) + ruvnet for the opt-in intelligence tier.
New skills (both plugin-namespaced):
- skills/import-claude/SKILL.md — one-shot Claude.ai / ChatGPT export ingest, alias-classified, dry-run-previewed, writes conversation captures to 01-Conversations/, LIT-* mirrors to 02-Sources/, concept stubs to 03-Concepts/, respects owner: human, commits [bot:import-claude].
- skills/import-notes/SKILL.md — broad import covering Apple Notes (Exporter.app), OneNote (.docx), Notion (md+csv), Evernote (.enex), and raw .md/.txt/.docx/.pptx/.xlsx/.html/.rtf piles. Same routing rulebook as /import-claude.
New helper scripts (no step-N language):
- scripts/import-claude.sh — finds the mogged vault, locates the export zip (Claude.ai data-*-batch-*.zip or ChatGPT chatgpt-*.zip), extracts to <vault>/.import-staging/<ts>-claude/, then hands off to /import-claude.
- scripts/import-notes.sh — checks for Exporter.app (macOS), validates pandoc + xlsx2csv, scans Desktop/Downloads/Documents for candidate files, then hands off to /import-notes.
New docs (literal content, not redirects):
- docs/PARSING-GUIDE.md — categorization rulebook rewritten for the 7-folder mogged layout (01-Conversations / 02-Sources / 03-Concepts / 04-Index / 05-Projects / 06-Tasks / Claude-Memory). Owner contract, file conversion rules, decision table.
- docs/github-vault-guide.md — how to link 05-Projects/<project>/ to GitHub repos, gh CLI lookup pattern, path-substituted from the old 07-Projects/ version.
- docs/claude-project-sync-guide.md — per-project subfolder layout (conversations/ + knowledge/ + assets/), file routing rules, validation (fake-PDF detection, magic-byte checks for zip formats), wikilink rules.
Verified: shellcheck clean at warn + error severity; no hardcoded secrets in tracked files.
HARD RULE per feedback_call_me_nate: canonical is 'Nate Davidovich / Lorecraft'. 'Nathan' must never appear in shipped public content. 9 skill files touched (emerge/wiki/tether/challenge/aliases/connect/save SKILL.md). Body + examples normalized; filesystem paths with macOS username /Users/nathandavidovich/ stay as-is (those are the OS username, not the user's name).
README:
- Replace 'Jens (the AI-influencer guy on IG, you know who I mean)' with '[Jens Heitmann](https://www.instagram.com/jens.heitmann/)' in both the origin story and the Credits section. Credit where credit is due.
Remaining Nathan→Nate hits caught by a deeper grep (agents/, tests/, references/) — all swept. The only remaining 'Nathan' occurrence in the repo is inside .filter-repo-replacements.txt which is gitignored (local name-mapping dictionary, never pushed).
- helpers/pattern-consolidator.sh 85-87: drop 'local' — the assignments
live inside a top-level case statement, not a function. Shellcheck
SC2168 error. Dropping 'local' is the safe fix (the vars are only
read in the same case branch).
- README Credits + origin story: proper attribution for the sources
that deserve it.
- eugeniu → https://github.com/eugeniughelbur/obsidian-second-brain
- Jens Heitmann → https://github.com/NulightJens/ai-second-brain-skills
(repo), plus his Instagram profile
- Credits list cleaned up; eugeniu and Jens now link to their actual
repos (and Jens gets both repo + IG, since you asked for the IG link
earlier too).
Audit state:
- shellcheck error-level: clean across all shell files
- secrets: zero
- tracked 'Nathan': zero
- ruvnet/claude-flow trailers: zero
- skills: 12 README rows = 12 on disk, all slash commands resolve
- cross-refs: all skill MD ../../docs/ paths resolve
- README links: all local paths resolve
- Remaining: shellcheck WARNING-level style issues in vendored
helpers/learning-optimizer.sh (SC2155) + install.sh (SC2034) —
vendored/upstream code, left untouched.
…ls' self-learning
- 'Took the best 200 ideas from the five and threw out the other 800' was rhetorical precision that wasn't real; replaced with the honest merge-and-cut phrasing.
- Self-learning paragraph: acknowledged a couple of the originals already had a self-learning layer (bootstrapping theirs was the heavy part) — this pack's is opt-in and ships clean.
…list PATH
README:
- The self-learning tier claim that it was vendored from 'ruvnet's
claude-flow / ruflo pattern-graph (ADR-050)' is not supported. The
specific files (learning-service.mjs, pattern-consolidator.sh, etc.)
do not exist at common paths in ruvnet/claude-flow or ruvnet/ruflo
(ruvnet/ruflo is a Docker chat-UI / MCP-bridge / ruvocal project,
not a pattern-graph intelligence loop). Three spots edited:
- 'What you get' bullet — generic 'pattern-graph' framing only
- Self-learning tier section — drop 'sixth upstream' + ADR-050
- Credits list — drop ruvnet entry entirely
- (Provenance headers inside helpers/*.sh + helpers/*.mjs still claim
'Vendored from claude-flow / ruflo (c) ruvnet'. Those files are
out-of-scope for this README edit; flagged separately.)
Plist templates — scheduled/launchd/io.lorecraft.mogging.*.plist:
- PATH env var now includes $HOME/.local/bin + $HOME/bin ahead of
/opt/homebrew/bin. Previously the installed plists could not find
`claude` because it lives at ~/.local/bin/claude — exit code 127
on every tick on real user systems. Fixed for future installs.
…ands
Claude Code CLI doesn't have --headless or --audit. 'claude -p PROMPT' is already the non-interactive form. The 'audit' intent is semantic — carried by the prompt text 'execute agents/NAME.md in audit mode' — not a CLI flag. Including the bogus flags caused every scheduled tick to exit 1 with 'error: unknown option --headless'. Caught when re-running the installer against BRAIN2 and kicking a manual run of the morning agent — cd worked, claude resolved via the patched PATH (commit 1621ccb), but then the CLI rejected the flags.
… projects
Closes the gap where install.sh assumed a pre-populated vault. New users running ./install.sh --vault ~/Desktop/BRAIN --apply against a fresh Obsidian vault now get the full 7-folder layout + index + example projects, instead of an empty folder where every skill write would fail.
install.sh:
- New --no-seed-vault flag (default: seed). Documented in --help, defaults block, README install table, and main() pipeline.
- New seed_vault_from_template() at step 3.5 (between vault validation and settings backup). For each entry under vault-template/, copies it into $VAULT only if the destination does not exist. Strictly additive — no overwrites. Idempotent: re-running prints '0 entries seeded, N already present'.
vault-template/:
- 05-Projects/example-project-1/example-project-1.md
- 05-Projects/example-project-2/example-project-2.md
- 05-Projects/example-project-3/example-project-3.md
Each demonstrates the filename=foldername rule with frontmatter, knowledge-base section, conversations section, related-projects cross-links, and a GitHub-Repos section (project 1 only).
- 04-Index/Projects-Index.md
Seed index that lists the three example projects + INCUBATOR + a 'how to add a new project' walkthrough. Makes [[example-project-1]] resolve in the graph immediately on install.
- Removed empty .gitkeep stubs in 04-Index/ and 05-Projects/ now that real content exists.
README:
- Install flags table: documented --no-seed-vault.
- 'On --apply' summary now mentions the seed step explicitly.
Verified end-to-end against a throwaway empty vault:
- First install: 9 top-level entries seeded (CLAUDE.md, AGENTS.md, all 6 numbered folders, Claude-Memory/, .DS_Store filtered).
- Re-run: 0 seeded, 9 already present. Idempotent.
- All 6 expected files present in the resulting vault.
- shellcheck error-clean, bash -n clean.
… of ruvnet/ruflo@v3.5.80)
Per the audit verification: the self-learning tier code (helpers/) is ruvnet's ruflo@v3.5.80, squash-imported into FidgetFlo, then vendored here. The MIT license requires preserving the copyright notice if the code stays — and the code stays.
Restoring the attribution in the README only (per direction):
- 'What you get' bullet now credits FidgetFlo with a parenthetical pointing at the ruflo v3.5.80 tag (since ruvnet/ruflo's main branch was rewritten to a different project after v3.5.80 — the tag is where the actual code still lives).
- Self-learning tier section now names FidgetFlo as the upstream and notes the upstream-of-upstream chain.
- docs/CREDITS.md, helpers/ provenance headers, and other places intentionally left untouched per direction.
Comprehensive fix of every finding surfaced by the preceding 5-agent audit.
14 parallel worker agents with non-overlapping file zones; 1 QA validator
confirmed 19/19 checks green before this atomic commit.
CRITICAL bugs fixed:
- vault-template/CLAUDE.md + AGENTS.md rewritten to match actual shipped
skills (12: save/wiki/challenge/emerge/connect/tether/backfill/aliases/
autoresearch/canvas/import-claude/import-notes) and agents (4: morning/
nightly/weekly/health). Previously listed fictional /capture/promote/link/
moc/project/task skills + "Graph Repair Agent / Inbox Processor /
Task Syncer / Weekly Curator" agents. This is what gets seeded into
every new user's vault — fix is critical.
- All 4 agents (morning/nightly/weekly/health) now commit with their own
[bot:<name>] prefix instead of [bot:wiki-heal]; this unbreaks the n8n
W1 echo-loop they were built to prevent.
- skills/save/SKILL.md: type: literature → type: source (prior value
halted the canonical parser on /save's own output).
- skills/autoresearch/SKILL.md: LIT-{slug} → SRC-YYYY-MM-DD-{slug} +
type: source; removed writes to nonexistent 03-Concepts/synthesis/ and
03-Concepts/entities/ subdirs; concept + synthesis stubs land flat in
03-Concepts/.
- commands/*.md reconciled against every SKILL.md: dropped fabricated
cosine-similarity auto-writes in connect (skill is read-only),
fabricated promote subcommand in wiki, TODO-resolve mode in autoresearch,
[bot:wiki-add] prefixes on skills with no commit flow, and the banned
MOC-*.md filename pattern in tether.
- helpers/ provenance headers rewritten — the prior "no local modifications"
claim was materially false (intelligence.cjs is 31674 bytes vs upstream
ruflo@v3.5.80's 8565; memory.js, router.js, session.js don't exist in
the upstream tag). New headers honestly frame the files as a FidgetFlo-
internal build descended from ruvnet/ruflo@v3.5.80 with extended
pattern-graph logic, dual-copyright MIT (ruvnet + Lorecraft LLC).
- LICENSE now preserves ruvnet's upstream copyright (MIT §1 compliance);
new NOTICE file at repo root documents the dual-copyright chain.
- test_onboarding.sh: 16/50 FAIL → 50/50 PASS. Removed 6 phantom-skill
assertions (onboard/recall/distill/index/route/scrub — never shipped);
repointed .claude-plugin/plugin.json assertions from vault to repo root
(it's the plugin manifest, not a vault asset).
- tests/run_all.sh: SKIP was silently counted as PASS; now reports
separate pass/skip/fail buckets + --strict flag to promote skips to
fails for CI.
- bin/doctor.sh: printed [doctor:FAIL] but exited 0; now tracks a FAIL
counter and exits 3 on any fail. Plugin-registration probe downgraded
to info (install.sh never calls `claude plugin add` — symlinks are
the source of truth).
- scripts/prepublish-check.sh: exited 0 when gitleaks missing (silent
bypass of secret gate); now exits 10 on missing tools. Added
--skip-missing-tools dev flag.
- scripts/import-claude.sh: no --dry-run/--yes gate before extracting;
now requires TTY confirmation, --yes, or --dry-run. Added full arg
parser + --help + proper exit codes (0/1/2).
- scripts/import-notes.sh: silently ignored --vault flag (no arg
parser); now has real flags (--vault/--source/--kind/--dry-run/
--yes/--help) with usage/exit-code discipline.
HIGH/MEDIUM fixes:
- README: "ten skills" → "twelve skills" in origin story; install `--apply`
summary rewritten to include all 14 main() steps (prior summary hid
the CLAUDE.md patch, Claude-Memory symlink, intelligence tier, and
doctor run); `{example-project-1,2,3, INCUBATOR}` extra space fixed;
Credits bullet paragraph spacing fixed.
- docs/CLAUDE-MD-PATCH.md: 10 skills → 12; added bot-prefix rows for
import-claude / import-notes / reconcile.
- docs/MIGRATION.md: retired `<!-- mogging:start/end -->` markers →
`<!-- 2ndbrain-mogging:* -->`; hardcoded WORK/OBSIDIAN path replaced
with generic vault-encoded-path resolver.
- docs/CREDITS.md: Karpathy + other folder-mapping prose rewritten for
the 7-folder contract; claude-flow/agentic-flow section updated to
match new helper provenance headers; NulightJens license verified
via GitHub API.
- docs/SECURITY.md: placeholder disclosure email → GitHub Security
Advisories URL + real backup address; example.com URLs → real
release URLs.
- docs/github-vault-guide.md: /tether claim softened to match actual
behavior.
- install.sh: unused DRY_RUN var removed (SC2034); apply_claude_md_patch
now content-diff idempotent (no more mtime churn on re-run); nested
.DS_Store scrub in seed_vault_from_template; top-level step index
comment above main() for README-audit parity.
- vault-template: added SOUL.md, CRITICAL_FACTS.md, index.md, log.md,
06-Tasks/TASKS.md stubs; .gitkeep files in all 4 VAULT/ subdirs so
they survive git-clone; example-project-1 gained content/ + misc-
building/ + GITHUB/ subdirs matching the README layout diagram.
- skills/tether: dropped 04-MOC back-compat; generalized 05-Projects/
GITHUB hub pattern for template use.
- skills/canvas: replaced [[MOC-*]] pattern with [[*-Index]].
- skills/emerge: Sunday 9pm → Friday 6pm (weekly agent — prior time was
the health agent's).
- skills/wiki: audit report destination moved to 01-Conversations/VAULT/
reports/ matching scheduled-agent contract.
- skills/backfill: hardcoded `-2ndBrain` path softened to generic
<encoded-vault-path>.
- agents/health.md: retired 07-Projects example → 05-Projects +
06-Tasks current paths.
- CI workflow: `actions/checkout@v4`, `gitleaks/gitleaks-action@v2`,
`trufflesecurity/trufflehog@main` all pinned to full 40-char SHAs
(SHA-pinning + human-readable version comment).
- helpers/learning-optimizer.sh: `npx agentic-flow@alpha` pinned to
`@3.0.0-alpha.2`; helpers/learning-hooks.sh: better-sqlite3 pinned
to `^11`.
- CHANGELOG.md [Unreleased] populated with everything between v0.1.4
and this commit.
QA VALIDATION (19/19 PASS before commit):
shellcheck --severity=error clean on all 17 .sh files; bash -n clean;
node --check clean on all 8 helpers; zero secrets in tracked files;
12 skills ↔ 12 dirs ↔ 12 commands ↔ 12 rows in README/patch; 4 agents
↔ 4 plists with aligned names; all retired folder names confined to
historical callouts; zero "Nathan" prose hits; LICENSE dual-copyright
+ NOTICE present; all 11 helper provenance headers honest; CI
SHA-pinned; tests/run_all.sh green; install.sh on empty vault seeds
13 entries + idempotent re-run; all README external URLs HEAD 200;
all 4 launchd plists loaded with exit 0.
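An audit for the SHA-pinning rule in the CI workflow bullet of the commit above: it flags any `uses:` reference that is a tag, a branch or an abbreviated hash. This is an added example, not code from the repository; the function names, `example-org/example-action` and the sample workflow are constructed.

```shell
#!/bin/sh
# Added example, not the repository's code. Function names and the sample
# workflow are constructed for illustration.

# list_unpinned_actions FILE...
# Prints file:line:ref for every `uses:` whose ref is not a full 40-character
# lowercase hex commit SHA.
list_unpinned_actions() {
    awk -v sq="'" '
        /^[ \t]*(-[ \t]*)?uses:/ {
            ref = $0
            sub(/^[ \t]*(-[ \t]*)?uses:[ \t]*/, "", ref)
            sub(/[ \t]*#.*$/, "", ref)      # drop the trailing "# v4.3.1" comment
            sub(/[ \t\r]+$/, "", ref)       # drop trailing whitespace
            gsub(/"/, "", ref); gsub(sq, "", ref)
            # Local actions and docker:// images are not pinned by commit SHA.
            if (ref ~ /^\.\// || ref ~ /^docker:/) next
            n = split(ref, part, "@")
            sha = (n >= 2) ? part[n] : ""
            if (length(sha) != 40 || sha !~ /^[0-9a-f]+$/)
                print FILENAME ":" FNR ":" ref
        }
    ' "$@"
}

# gate_pinned_actions FILE...
# CI gate: lists unpinned refs on stderr and returns 1 when any exist.
gate_pinned_actions() {
    unpinned=$(list_unpinned_actions "$@")
    if [ -n "$unpinned" ]; then
        printf '%s\n' "$unpinned" >&2
        return 1
    fi
}

# make_workflow_sample
# Writes a constructed workflow and prints its path. Only the checkout step
# carries a full SHA; the tag, the branch and the short hash must be flagged.
make_workflow_sample() {
    wf_dir=$(mktemp -d) || return 1
    cat > "$wf_dir/secret-scan.yml" <<'EOF'
jobs:
  scan:
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: gitleaks/gitleaks-action@v2
      - name: TruffleHog
        uses: trufflesecurity/trufflehog@main
      - uses: example-org/example-action@00cae500 # abbreviated SHA
      - uses: ./.github/actions/local-lint
EOF
    printf '%s\n' "$wf_dir/secret-scan.yml"
}
```

Pointing `gate_pinned_actions` at `.github/workflows/*.yml` in CI keeps a later edit or an automated bump from reintroducing a mutable ref.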
Two blockers on the self-learning install path:
1. Launchd plists had PATH set but no nvm bin, so scheduled agents hit `sh: exec: node: not found` in SessionEnd hook. Sourcing $HOME/.nvm/nvm.sh inside ProgramArguments makes it version-agnostic — no hardcoded vN.N.N path to maintain.
2. merge_intelligence_hooks() used `(.[0] * .[1]) as $m | $m | .[0]...` — after the `$m |`, the pipeline context is the merged object, so `.[0]` threw "Cannot index object with number". Binding $old/$new before the merge fixes it and leaves the hook-array concat logic untouched.
Verified: Stop hook preserved, 5 intelligence hooks appended, settings.json valid JSON.
Verified end-to-end: install.sh --with-intelligence completes, doctor passes, 4 launchd jobs reload with working node PATH.
Closes the broken cross-reference in cli-maxxing's README that promised "2ndBrain-mogging... registers the Obsidian MCP with Claude Code" — until now, mogging did no such thing.
Adds step 10.7:
    claude mcp add --scope user obsidian -- npx -y obsidian-mcp "$VAULT"
Runs by default on every --apply; idempotent (skips if already registered); opt out with --no-obsidian-mcp. Gracefully noops if the claude CLI or $VAULT isn't set.
README gains a row in the flag table, an "Obsidian MCP" subsection explaining upstream + rewire command, and an inline mention in the --apply step order.
…statusline
Closes the second half of cli-maxxing's broken cross-reference (the first half — obsidian-mcp — was closed in 6a237ec). Cli-maxxing's README promises "2ndBrain-mogging adds a 🧠 brain indicator" to its statusline but mogging never contributed anything.
Also fixes a live bug: cli-maxxing's hardcoded path regex was OBSIDIAN/(2ndBrain|MASTER), which doesn't match Nate's renamed BRAIN2 vault, so the 🧠 indicator was silently broken.
Architecture: marker-file handshake.
- mogging writes $HOME/.claude/.mogging-vault containing the absolute vault path (step 10.8, opt out via --no-statusline-brain).
- cli-maxxing's statusline reads that file and case-matches $CWD against the contents. Exact-match or trailing-/ prefix wins; siblings like BRAIN2-OLD correctly don't. Legacy path regex kept as fallback for pre-marker installs.
- No mogging installed → marker absent → indicator never shows. No cli-maxxing installed → marker is a harmless ~100-byte no-op.
Also fixes an idempotency-check regex in install_obsidian_mcp — it anchored on [[:space:]] but `claude mcp list` uses `<name>:` separators, so the already-registered detection was silently missing and re-adding raised a warn. Now anchors on `^obsidian:`.
README gains a "Statusline (redirect to cli-maxxing)" section, a flag-table row, and an inline mention in the --apply step order.
Adds entries for the three install.sh changes that shipped today but hadn't landed in CHANGELOG yet:
- 10da40f: launchd plists now source nvm; jq merge bug in merge_intelligence_hooks fixed so --with-intelligence completes
- 6a237ec: step 10.7 registers obsidian-mcp with Claude Code
- 6f73239: step 10.8 writes ~/.claude/.mogging-vault marker for cli-maxxing statusline
No version bump — this repo doesn't semver; the [Unreleased] section just picks up three new bullets.
README: add Prerequisites section before the install steps — claude and jq must be installed first; includes exact fix commands for both.
install.sh: replace terse exit messages with full remediation instructions pointing to cli-maxxing step-1 (claude) and brew/apt/dnf (jq/git). Dry-run banner is now a hard-to-miss box that shows the exact --apply command to use. --vault-missing and --vault-not-a-directory errors now include Obsidian guidance.
Previously only secret-scan.yml ran in CI. This closes three gaps:
- test.yml: runs tests/run_all.sh on ubuntu-latest + macos-latest with jq preinstalled. 5 test_*.sh scripts are now CI-verified instead of relying on local runs only.
- lint.yml: shellcheck (pinned ludeeus/action-shellcheck@00cae500 = v2.0.0) at warning severity + bash -n syntax check across all 18 tracked shell files.
- dependabot.yml: weekly github-actions updates with 'dependencies' label, matching the cli-maxxing / creativity-maxxing convention.
All new workflows:
- pin actions/checkout to 34e114876b0b11c390a56381ad16ebd13914f8d5 (v4.3.1) with persist-credentials: false
- set permissions: contents: read (minimal)
- set timeout-minutes on every job
- use a concurrency group with cancel-in-progress.
…06-Tasks -> 05-Tasks, 01-Conversations dead
Aligns the entire mogging-pack with the post-2026-05-08 vault restructure (vault commits dcb2271 + b0c0b3e + obsidian-tasks-sync 04fc72a):
- All runtime path strings: 05-Projects/ -> 01-Projects/, 06-Tasks/ -> 05-Tasks/.
- All 01-Conversations/<route>/ targets rewritten to 01-Projects/<PROJECT>/conversations/<sub>/. /save, /backfill, /import-claude, /tether examples + skill specs all updated.
- vault-template/ folders renamed: 05-Projects -> 01-Projects, 06-Tasks -> 05-Tasks, 01-Conversations/ removed entirely. Fresh installs now seed the 6-folder layout.
- vault-template/05-Tasks/TASKS.md plugin queries flipped to 'path includes 05-Tasks'.
- README + install.sh: '7-folder' wording updated to '6-folder' (Quick Navigation, install banner, --no-seed-vault help text). CHANGELOG kept intact as immutable history.
- tests/test_onboarding.sh + tests/test_scope_guards.sh: folder-existence arrays updated, 06-Tasks scope-guard renamed to 05-Tasks.
- skills/save/SKILL.md (already at b6d78a9 with new routing logic) untouched.
- Historical references in CHANGELOG, MIGRATION.md, and skill specs that describe the migration itself are intentionally left as 01-Conversations/ / 06-Tasks/ to preserve the upgrade-narrative.
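The matching rule described in the statusline commit above (exact match or a `/`-delimited prefix, so a sibling such as BRAIN2-OLD does not match), shown beside the plain prefix test it avoids. This is an added example, not cli-maxxing's actual statusline code; the function names and the `/Users/example` paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from cli-maxxing or 2ndBrain-mogging. Function names
# and the /Users/example paths are constructed for illustration.

# naive_prefix_match VAULT CWD
# Plain string-prefix test, shown for contrast: /x/BRAIN2 also matches
# /x/BRAIN2-OLD because nothing requires a path separator after the prefix.
naive_prefix_match() {
    case "$2" in
        "$1"*) return 0 ;;
        *) return 1 ;;
    esac
}

# cwd_in_vault MARKER_FILE CWD
# Returns 0 when CWD is the vault directory named in MARKER_FILE or lies
# beneath it, 1 otherwise (including when the marker is absent or malformed).
cwd_in_vault() {
    marker_file=$1
    cwd=$2
    [ -r "$marker_file" ] || return 1       # no marker: indicator stays off
    vault=
    # Accept a marker with or without a trailing newline; reject an empty one.
    IFS= read -r vault < "$marker_file" || [ -n "$vault" ] || return 1
    vault=${vault%/}                        # tolerate one trailing slash
    case "$vault" in
        /?*) ;;                             # must be absolute and not bare "/"
        *) return 1 ;;
    esac
    # Quoting "$vault" makes it a literal, so * or [ in a path is not a glob.
    case "$cwd" in
        "$vault" | "$vault"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_marker_sample
# Writes a constructed marker file and prints its path.
make_marker_sample() {
    marker_tmp=$(mktemp) || return 1
    printf '%s\n' '/Users/example/BRAIN2' > "$marker_tmp"
    printf '%s\n' "$marker_tmp"
}
```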
…s/06-Tasks refs in scripts, skills, README
…structure)
doctor.sh checked the wrong projects dir, masking real layout drift. wiki-schema example linked to 05-Projects. Found while diagnosing recurring 01-Conversations/ folder regeneration (separate fix in ~/.local/bin/granola-export.py).
obsidian-tasks-sync local daemon auto-commits 05-Tasks edits between n8n cycles; W1 filter already skips it via open-prefix [bot: match.
install.sh + README references to the cli-maxxing 🧠 indicator now read Brain². save/SKILL.md vault-encoded-path example updated for the ~/Desktop/BRAIN2 → ~/BRAIN2 move.
…op vault path and seed aliases.yaml
- docs/MAINTAINING-YOUR-BRAIN.md: single-source setup+maintenance guide (folder model, /save daily, /wiki weekly, orphan hygiene, Claude.ai migration, knowledge-vs-skill)
- skills/vault-coach: auto-loads post-install and on new folder/project; enforces index-note-per-folder + Projects-Index registration + bidirectional tethering
- install.sh + README: ~/Desktop/BRAIN -> ~/BRAIN2 everywhere + macOS TCC warning (Desktop/Documents/Downloads break terminal access)
- install.sh step 9.2: seed Claude-Memory/aliases.yaml from new vault-template aliases.example.yaml so /save no longer hard-blocks on fresh installs
- register /vault-coach as 13th skill across README, CLAUDE-MD-PATCH, vault-template/CLAUDE.md
…autoread + stale-hook repair; lorecraft-io->fidgetcoding
- docs/MAINTAINING-YOUR-BRAIN.md + skills/vault-coach: strip all personal examples -> Project-A/research fill-in-the-blank placeholders
- install.sh: post-install Next-steps pointer to doc + /vault-coach; repair_stale_hooks() rewrites broken $HOME/.claude/helpers hook commands to ${CLAUDE_PROJECT_DIR:-.}
- README + vault-template CLAUDE.md/AGENTS.md: autoread wiring (first session -> /vault-coach)
- rename stale github.com/lorecraft-io URLs -> fidgetcoding; leave provenance/credits/CHANGELOG
- .gitignore operator-private skills (maketasks, backup-brain2)
…abel (regular account = export available)
… (never matched); use split/join literal replace
repair_stale_hooks counted stale commands with contains() but rewrote with gsub($hp;...), treating $HOME/.claude/helpers/ as a regex ($ anchor + . wildcard) so zero substitutions landed — it logged 'repaired N' while leaving commands unchanged and was non-idempotent. Switch to split|join literal substring replace. Verified in sandbox: command flips to ${CLAUDE_PROJECT_DIR:-.}, model+JSON preserved, second run finds 0.
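The failure mode described in the commit message above, reproduced as an added example (not the repository's install.sh): Python's `re.sub` stands in for jq's `gsub`, and the settings fragment, hook file name and exact replacement string are constructed assumptions.

```python
import json
import re

STALE = "$HOME/.claude/helpers/"      # literal prefix named in the commit message
FIXED = "${CLAUDE_PROJECT_DIR:-.}/"   # assumed replacement form

# Constructed settings fragment, not taken from the repository.
SAMPLE = """{"model": "example-model", "hooks": {"Stop": [{"hooks": [
  {"type": "command", "command": "bash $HOME/.claude/helpers/example-hook.sh"}]}]}}"""


def fresh():
    return json.loads(SAMPLE)


def hook_entries(settings):
    """Yield every hook dict that carries a command string."""
    for groups in settings.get("hooks", {}).values():
        for group in groups:
            for hook in group.get("hooks", []):
                if isinstance(hook.get("command"), str):
                    yield hook


def repair_regex(settings):
    """Buggy shape: count by substring test, rewrite with the prefix as a regex.
    '$' is an end anchor and '.' a wildcard, so the pattern never matches."""
    counted = 0
    for hook in hook_entries(settings):
        if STALE in hook["command"]:
            counted += 1
            hook["command"] = re.sub(STALE, FIXED, hook["command"])
    return counted


def repair_literal(settings):
    """Fixed shape: literal split/join; report only commands that changed."""
    changed = 0
    for hook in hook_entries(settings):
        new = FIXED.join(hook["command"].split(STALE))
        if new != hook["command"]:
            hook["command"], changed = new, changed + 1
    return changed


if __name__ == "__main__":
    s = fresh()
    print("regex  :", repair_regex(s), [h["command"] for h in hook_entries(s)])
    t = fresh()
    print("literal:", repair_literal(t), [h["command"] for h in hook_entries(t)])
```

Counting from the same comparison that performs the rewrite is what makes the second run report zero.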
… table) + MIGRATION 06-Tasks->05-Tasks runbook
- README: Quick-Nav anchor, 'twelve skills' prose, '12 Claude Code skills' -> 13 (table/heading were already 13)
- vault-template/AGENTS.md: 'Skills (12 total)'->13 + add /vault-coach row
- docs/MIGRATION.md: git mv 08-Tasks 06-Tasks -> 05-Tasks (canonical); wikilink sed + validation grep
Document the MEMORY.md upkeep rule — keep the auto-loaded Claude-Memory index under ~18KB, why it matters, why it balloons (per-session Stop-hook save), and the trim/archive/one-line-enforcement runbook. Adds a quick-reference row.
…p12/*.pfx) + IDE dirs safetycheck C6 hardening for a public installer repo — defends against accidental key/cert commits. No such files are currently tracked; this is preventive.
…ir fix; docs/test/import cleanups
- LICENSE/NOTICE/CREDITS byline standardized + fidgetflo lineage URL → fidgetcoding/fidgetflo
- install.sh repair_stale_hooks: expanded_prefix was $CLAUDE_HOME/.claude/helpers (doubled .claude) → $CLAUDE_HOME/helpers, so the shell-expanded stale form is now detected
- README/CLAUDE-MD-PATCH/CLAUDE/AGENTS: 13-skill counts + 6 self-referential retired-path bugs (→ 01-Conversations/) + MIGRATION heading
- tests/test_onboarding.sh: assert vault-coach (51/51); test_uuid comment 06→05
- scripts/import-{notes,claude}.sh: vault examples ~/Desktop/BRAIN2 → ~/BRAIN2
…; README 'six folders' typo; CREDITS skill count 11
…sh:349)

The Lint Shell Scripts workflow treats ShellCheck warnings as fatal. SC2088 fired on intentional help-text '~/Documents' that is meant to print literally, not expand. Scoped disable directive resolves it.
The guard fingerprinted on '2ndBrain-mogging/hooks/stop-' — case-sensitive
and tied to the checkout dir name. Lowercase checkouts (2ndbrain-mogging)
never matched, so re-runs appended duplicate Stop hooks and
test_onboarding aborted installs at step 11 ('still 1 after second run',
actual 2). Fingerprint on hooks/stop-save.sh case-insensitively instead.
Also pin CLAUDE_HOME in the test's inner install for hermeticity and count
hooks via the same script-name fingerprint so unrelated user hooks
mentioning '2ndbrain' can't skew the count.
Wikilinks inside backticks or fenced code are documentation examples, not graph edges — the template's own 'How to add a new project' snippet false-failed the check. Strip both before extracting targets.
Skip the launchd check off-macOS (scheduled agents need cron/systemd there), and probe nvm/.local install homes for the claude CLI before failing — non-interactive shells never source the nvm bootstrap.
…tflo

lorecraft-io org is empty after the migration; normalize the FidgetFlo vendor pointers in helpers/ headers.

…l guards, Desktop-tarball purge, dead links, stale fixture

Scripts:
- install.sh: fix merge_stop_hook primary jq append (bound $old/$new before piping — '.[0]' on the merged object threw 'Cannot index object with number' and silently punted every run to the fallback; missed sibling of the merge_intelligence_hooks fix in 04c796e)
- bin/doctor.sh: guard nvm-claude probe (failed glob + pipefail killed the whole doctor run silently on hosts without nvm)
- bin/backup-vault.sh: write to ~/WORK/<vault>-BACKUPS/, never ~/Desktop (TCC-protected; Desktop tarballs forbidden by non-negotiable #1); vault resolution arg > ~/.claude/.mogging-vault marker > ~/BRAIN2
- helpers/*: #!/usr/bin/env bash shebangs (portability); learning-hooks.sh dispatch ${N:-} defaults so documented optional-arg calls no longer crash under set -u; learning-optimizer.sh avg_quality empty-guard (empty patterns table wrote invalid JSON to learning.json)
- scripts/import-{claude,notes}.sh: add home-dir vault candidates (~/BRAIN2 etc.) that the help text already promised but discovery missed

Skills (live via symlink — surgical):
- save/wiki SKILL.md: ../references/wiki-schema.md resolved nowhere through the installed symlink; schema now hardlinked into each skill's references/ and prose points at ./references/wiki-schema.md

Docs:
- dead Karpathy gist URL -> live llm-wiki gist (442a6bf...) in CREDITS, foundations/01, why-not-karpathy-pure; README credit pointed at zero-to-hero course page by mistake
- huytieu/COG -> COG-second-brain (old URL dead); LLM-Wiki-v2 marked deleted (repo gone, attribution preserved)
- CLAUDE-MD-PATCH non-negotiable #1 + MIGRATION.md: backup tarballs to ~/WORK/<vault>-BACKUPS/, never ~/Desktop (known-stale line)
- README flag table: add --no-obsidian-app, --no-shell-shortcuts
- CONTRIBUTING: describe the real harness (no tests/expected/ dir exists)

Tests:
- fixtures/sample-vault migrated to the 6-folder contract (05-Projects -> 01-Projects, 06-Tasks -> 05-Tasks, 01-Conversations removed); kills the file-not-found noise before test_uuid_preservation's SKIP
…ne links, search nested projects
Three confirmed doctor defects:
1. install.sh never passed its resolved --vault to bin/doctor.sh, which read
~/.claude/.mogging-vault instead — so './install.sh --vault /tmp/test-vault'
doctor-checked the wrong vault. doctor.sh now takes --vault PATH (highest
precedence, then marker, then $VAULT env) and run_doctor threads it.
2. Symlink checks demanded ~/.claude/{skills,commands,agents} links point at
THE clone doctor runs from; a fresh clone on an installed machine produced
~29 false FAILs. A link that resolves to a valid alternate copy (same kind;
skill dirs must ship SKILL.md) now degrades to [doctor:warn]. Dangling or
wrong-shape targets still FAIL.
3. Projects-Index check assumed depth-1 01-Projects/<NAME>/<NAME>.md; projects
nested under INCUBATOR/ARCHIVE/CREATIVE/MINDFULNESS (the layout the vault
CLAUDE.md mandates) false-FAILed. Now searches folder depth 1-3 with glob
metachars escaped.
Verified by literal runs (flag override vs marker, alt-clone WARN + dangling
FAIL, nested depth-2/3 resolution, install.sh --dry-run threading). Test
suite at baseline: 3 pass / 4 skip / 0 fail.
Bumps [trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog) from 3.94.3 to 3.95.6.
- [Release notes](https://github.com/trufflesecurity/trufflehog/releases)
- [Commits](trufflesecurity/trufflehog@47e7b7c...30d5bb9)

---
updated-dependencies:
- dependency-name: trufflesecurity/trufflehog
  dependency-version: 3.95.6
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Labels

The following labels could not be found: Please fix the above issues or remove invalid values from
fidgetcoding added a commit that referenced this pull request Jun 26, 2026
- .gitleaks.toml extends gitleaks default rules with project-specific allowlists for the 2026-04-25 redacted-token markers + intentional template placeholders.
- scripts/install-pre-commit-hook.sh — idempotent local-hook installer.
- README documents the hook + bypass.

Source: #8 from project_repo_readme_polish_backlog + 2026-04-25 secret-scrub
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps trufflesecurity/trufflehog from 3.94.3 to 3.95.6.
Release notes
Sourced from trufflesecurity/trufflehog's releases.
... (truncated)
Commits
- 30d5bb9 S3: surface bucket listing failures and fix multi-role object count (#5035)
- f0739f1 close todo - embed small HTTP test fixtures (#5001)
- 36d680a add filetype=sdist param so we get the correct response code (#4988)
- 248ffd5 fix(dropbox): prevent long sl.u. tokens from being truncated before verificat...
- afbdaa8 Fix: Resolve known dedup issues in notifierWorker (#5028)
- 7bcf376 [INS-472] [INS-515] Add user detector to defaults.go, gate it behind feat fla...
- 84a2b33 Fix Renovate lookup: update setup-captain version comment (#4999)
- ac0805e [INS-469] Added Rev detectors to defaults.go and gated it behind feature flag...
- d03d087 GitHub finegrain analyzer was improperly handling errors (#4498)
- b64cefe set redacted value to last 4 characters of secret, to match how the secret ty...

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)