chittyos · chitcommit · Mar 1, 2026 · Mar 1, 2026 · Mar 1, 2026 · Mar 2, 2026
diff --git a/.claude/agents/chittyagent-billy.md b/.claude/agents/chittyagent-billy.md
@@ -0,0 +1,57 @@
+You are a proxy to the Billy Bullshit code review service at billy.chitty.cc.
+
+Billy Bullshit is a brutally honest AI code reviewer. His categories: CRITICAL (security/crashes), MAJOR (performance/maintainability), BS (over-engineering/cargo culting), WTAF (code that questions humanity). He rates BS on a 1-10 scale.
+
+## How to Use Billy
+
+### Code Review (primary)
+POST https://billy.chitty.cc/review
+```json
+{
+  "code": "<the code to review>",
+  "language": "typescript",
+  "context": "<what the code does or filename>"
+}
+```
+Returns: BS score (1-10), categorized issues, and suggested fixes.
+
+### Roast Mode
+POST https://billy.chitty.cc/roast
+```json
+{
+  "target": "<what to roast>",
+  "context": "<optional context>"
+}
+```
+
+### Chat
+POST https://billy.chitty.cc/chat
+```json
+{
+  "message": "<your message>"
+}
+```
+
+### Analyze
+POST https://billy.chitty.cc/analyze
+```json
+{
+  "subject": "<what to analyze>",
+  "context": "<optional context>"
+}
+```
+
+## Guidelines
+
+- Always preserve Billy's raw persona in the output — do not sanitize or soften his language
+- For code review, include the language and meaningful context (filename, what it does)
+- If Billy's service is down (non-200 response), report the error and suggest trying again later
+- When reviewing large files, send the most relevant section (under 500 lines) rather than the whole file
+- Use `curl -s https://billy.chitty.cc/health` to check if Billy is online before sending requests
+
+## Repository
+
+Source: https://github.com/chitcommit/billy-bullshit
+Runtime: Cloudflare Workers (Hono framework)
+AI: Workers AI (primary) → Anthropic Claude → OpenAI (fallback chain)
+State: KV namespace for conversation history (7-day TTL)
diff --git a/.claude/settings.json b/.claude/settings.json
@@ -0,0 +1,46 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash -c 'echo \"$CLAUDE_TOOL_ARG_FILE_PATH\" | grep -qE \"(package-lock\\.json|pnpm-lock\\.yaml|dist/)\" && echo \"BLOCK: Do not edit generated or lock files\" && exit 1 || exit 0'"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash -c 'echo \"$CLAUDE_TOOL_ARG_COMMAND\" | grep -qE \"rm -rf|git reset --hard|git clean -f\" && echo \"BLOCK: Destructive command — get user confirmation first\" && exit 1 || exit 0'"
+          }
+        ]
+      }
+    ],
+    "PostToolUse": [
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash -c 'echo \"$CLAUDE_TOOL_ARG_FILE_PATH\" | grep -q \"\\.ts$\" && cd \"$(git rev-parse --show-toplevel)\" && npx tsc --noEmit --pretty 2>&1 | head -20 || true'"
+          }
+        ]
+      }
+    ],
+    "Stop": [
+      {
+        "matcher": "",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash -c 'cd \"$(git rev-parse --show-toplevel)\" && git diff --quiet 2>/dev/null || echo \"Note: Uncommitted changes in working tree\"'"
+          }
+        ]
+      }
+    ]
+  }
+}
diff --git a/.claude/skills/billy/SKILL.md b/.claude/skills/billy/SKILL.md
@@ -0,0 +1,46 @@
+---
+name: billy
+description: Send code to Billy Bullshit for a brutally honest review. Use when user says /billy, "ask billy", "billy review", or "get billy's opinion"
+disable-model-invocation: true
+---
+
+# Billy Bullshit Code Review
+
+Send code to Billy Bullshit (billy.chitty.cc) for a brutally honest BS-scored review.
+
+## Usage
+
+- `/billy` — review current git diff
+- `/billy <file-path>` — review a specific file
+- `/billy roast <target>` — roast something
+
+## Steps
+
+### Review mode (default)
+
+1. If a file path is provided as argument, read that file
+2. If no argument, run `git diff HEAD` to get current unstaged changes
+3. If no diff either, ask the user what to review
+4. Check Billy is online: `curl -s https://billy.chitty.cc/health`
+5. POST the code to `https://billy.chitty.cc/review`:
+   ```json
+   {
+     "code": "<content (max 500 lines)>",
+     "language": "typescript",
+     "context": "<filename or 'git diff'>"
+   }
+   ```
+6. Display Billy's full response including BS score and categorized issues
+7. If Billy is offline, report the error — do not substitute your own review
+
+### Roast mode
+
+1. If the first argument is "roast", join remaining args as the target
+2. POST to `https://billy.chitty.cc/roast`:
+   ```json
+   {
+     "target": "<the target>",
+     "context": "chittycan CLI project"
+   }
+   ```
+3. Display Billy's response verbatim
diff --git a/.claude/skills/new-command/SKILL.md b/.claude/skills/new-command/SKILL.md
@@ -0,0 +1,48 @@
+---
+name: new-command
+description: Scaffold a new chittycan CLI command with matching test file. Use when user says /new-command or "create a new command" or "add a command"
+disable-model-invocation: true
+---
+
+# Scaffold New CLI Command
+
+Create a new `can <name>` CLI command following established project patterns.
+
+## Arguments
+
+`/new-command <command-name> <description>`
+
+## Steps
+
+1. **Create command handler** at `src/commands/<name>.ts`:
+   - Export an async handler function named `<name>Command`
+   - Follow the pattern of existing commands (e.g., `src/commands/doctor.ts` for simple commands, `src/commands/sync.ts` for subcommand groups)
+   - Use chalk for terminal output, ora for spinners, inquirer for prompts (lazy-loaded)
+   - Import types from `../types/index.js`
+
+2. **Register in parser** at `src/cli/parser.ts`:
+   - Add import at the top (use `.js` extension: `from "../commands/<name>.js"`)
+   - Add `.command()` call in the yargs chain following the existing pattern
+   - For simple commands: `(yargs) => yargs, async () => { await <name>Command(); }`
+   - For subcommand groups: nest `.command()` calls inside the builder
+
+3. **Create test file** at `tests/<name>.test.ts`:
+   - Use vitest globals (no imports needed for describe/it/expect)
+   - Create a describe block with basic test cases
+   - Test the exported handler function
+   - Mock external dependencies (chalk, inquirer, etc.)
+
+4. **Verify**:
+   - Run `npx tsc --noEmit` to check compilation
+   - Run `npx vitest run tests/<name>.test.ts` to verify tests pass
+
+## Example Output Structure
+
+```typescript
+// src/commands/example.ts
+import chalk from "chalk";
+
+export async function exampleCommand(): Promise<void> {
+  console.log(chalk.green("Example command running"));
+}
+```
diff --git a/.claude/skills/project-conventions/SKILL.md b/.claude/skills/project-conventions/SKILL.md
@@ -0,0 +1,43 @@
+---
+name: project-conventions
+description: Coding conventions and patterns for the chittycan CLI project. Applied automatically when writing code in this project.
+user-invocable: false
+---
+
+# Chittycan Coding Conventions
+
+## Module System
+- ESM (`"type": "module"` in package.json)
+- All imports use `.js` extension in import paths (TypeScript compiles to JS)
+- Lazy-load heavy modules (inquirer, ora) to keep CLI startup fast
+
+## TypeScript
+- Strict mode enabled, target ES2022
+- Path alias: `@/*` → `./src/*`
+- No ESLint or Prettier — typecheck with `tsc --noEmit`
+- Prefer `interface` over `type` for object shapes
+- Export types from `src/types/index.ts`
+
+## Command Pattern
+- Each command group is a file in `src/commands/`
+- Export named async functions (e.g., `export async function doctorCommand()`)
+- Register all commands in `src/cli/parser.ts` using yargs `.command()` API
+- Use chalk for colored output, ora for spinners
+- Lazy-load inquirer: `const inquirer = await import("inquirer")`
+
+## Testing
+- Vitest with globals (no import needed for describe/it/expect)
+- Tests in `tests/` directory, named `<feature>.test.ts`
+- Mock external services (Notion, GitHub, Neon APIs)
+
+## Security
+- Auth token via `CHITTYCAN_TOKEN` env var (legacy: `CHITTY_TOKEN`)
+- Never hardcode secrets — use 1Password (`op run`) for injection
+- Config stored at `~/.config/chittycan/config.json`
+
+## File Organization
+- Commands: `src/commands/` (one file per command group)
+- Libraries: `src/lib/` (shared utilities and API clients)
+- Plugins: `src/plugins/` (integrations by service: ai, chittyos, cloudflare, linear, neon)
+- Types: `src/types/index.ts`
+- MCP: `src/mcp/server.ts`
diff --git a/.claude/skills/security-scan/SKILL.md b/.claude/skills/security-scan/SKILL.md
@@ -0,0 +1,45 @@
+---
+name: security-scan
+description: Run the full chittycan security scan suite. Use when user says /security-scan, "run security scan", "check for secrets", or "security audit"
+disable-model-invocation: true
+---
+
+# Security Scan
+
+Run the complete security scan suite for the chittycan project.
+
+## Steps
+
+1. **Secret detection** — scan source for hardcoded credentials:
+   ```bash
+   npm run security:scan
+   ```
+
+2. **npm audit** — check dependencies for known vulnerabilities:
+   ```bash
+   npm run security:audit
+   ```
+
+3. **Workflow secrets check** — validate CI workflow secret references:
+   ```bash
+   npm run security:workflow
+   ```
+
+4. **Report findings** with severity levels and recommended actions
+
+## What Each Scan Checks
+
+| Scan | Script | Checks For |
+|------|--------|------------|
+| `security:scan` | `scripts/security/scan-secrets.sh` | Hardcoded tokens, API keys, connection strings in source |
+| `security:audit` | `npm audit --audit-level=high` | Known CVEs in npm dependencies |
+| `security:workflow` | `scripts/security/check-workflow-secrets.sh` | Exposed secrets in GitHub Actions workflows |
+
+## Optional: History Scan
+
+To scan git history for previously committed secrets:
+```bash
+npm run security:scan:history
+```
+
+This is slower but catches secrets that were committed and later removed.
diff --git a/.github/allowed-workflow-secrets.txt b/.github/allowed-workflow-secrets.txt
@@ -0,0 +1,7 @@
+CHITTYCONNECT_API_KEY
+GITHUB_TOKEN
+ORG_AUTOMATION_TOKEN
+CHITTY_GATEWAY_TOKEN
+CHITTY_AGENT_TOKEN
+OP_SERVICE_ACCOUNT_TOKEN
+CHITTYCONNECT_BROKER_TOKEN
diff --git a/.github/secret-catalog.json b/.github/secret-catalog.json
@@ -0,0 +1,29 @@
+{
+  "vault": "ChittyOS",
+  "secrets": [
+    {
+      "name": "ORG_AUTOMATION_TOKEN",
+      "op_ref": "op://ChittyOS/GitHub Automation Token/token",
+      "rotation_days": 30,
+      "owner": "platform-security"
+    },
+    {
+      "name": "CHITTYCONNECT_BROKER_TOKEN",
+      "op_ref": "op://ChittyOS/ChittyConnect Broker Token/token",
+      "rotation_days": 30,
+      "owner": "platform-security"
+    },
+    {
+      "name": "CHITTY_GATEWAY_TOKEN",
+      "op_ref": "op://ChittyOS/ChittyGateway API Token/token",
+      "rotation_days": 30,
+      "owner": "platform-security"
+    },
+    {
+      "name": "CHITTY_AGENT_TOKEN",
+      "op_ref": "op://ChittyOS/ChittyAgent Orchestrator Token/token",
+      "rotation_days": 30,
+      "owner": "platform-security"
+    }
+  ]
+}
diff --git a/.github/workflows/adversarial-review.yml b/.github/workflows/adversarial-review.yml
@@ -0,0 +1,46 @@
+name: Adversarial Review Orchestrator
+
+on:
+  pull_request_target:
+    types: [opened, reopened, synchronize, ready_for_review]
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
+jobs:
+  orchestrate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Request Reviewer Agents
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const reviewers = ["coderabbitai"];
+            try {
+              await github.rest.pulls.requestReviewers({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: context.payload.pull_request.number,
+                reviewers
+              });
+              core.info(`Requested reviewers: ${reviewers.join(", ")}`);
+            } catch (error) {
+              core.warning(`Reviewer request failed: ${error.message}`);
+            }
+      - name: Trigger Bot Review Comments
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const lines = [
+              "@coderabbitai review",
+              "@copilot review",
+              "Adversarial review request: evaluate security, policy bypass paths, and regression risk."
+            ];
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number,
+              body: lines.join("\n")
+            });