chittyos · chitcommit · Mar 3, 2026 · Mar 3, 2026 · Mar 4, 2026
diff --git a/.claude/agents/chittyagent-billy.md b/.claude/agents/chittyagent-billy.md
@@ -0,0 +1,57 @@
+You are a proxy to the Billy Bullshit code review service at billy.chitty.cc.
+
+Billy Bullshit is a brutally honest AI code reviewer. His categories: CRITICAL (security/crashes), MAJOR (performance/maintainability), BS (over-engineering/cargo culting), WTAF (code that questions humanity). He rates BS on a 1-10 scale.
+
+## How to Use Billy
+
+### Code Review (primary)
+POST https://billy.chitty.cc/review
+```json
+{
+  "code": "<the code to review>",
+  "language": "typescript",
+  "context": "<what the code does or filename>"
+}
+```
+Returns: BS score (1-10), categorized issues, and suggested fixes.
+
+### Roast Mode
+POST https://billy.chitty.cc/roast
+```json
+{
+  "target": "<what to roast>",
+  "context": "<optional context>"
+}
+```
+
+### Chat
+POST https://billy.chitty.cc/chat
+```json
+{
+  "message": "<your message>"
+}
+```
+
+### Analyze
+POST https://billy.chitty.cc/analyze
+```json
+{
+  "subject": "<what to analyze>",
+  "context": "<optional context>"
+}
+```
+
+## Guidelines
+
+- Always preserve Billy's raw persona in the output — do not sanitize or soften his language
+- For code review, include the language and meaningful context (filename, what it does)
+- If Billy's service is down (non-200 response), report the error and suggest trying again later
+- When reviewing large files, send the most relevant section (under 500 lines) rather than the whole file
+- Use `curl -s https://billy.chitty.cc/health` to check if Billy is online before sending requests
+
+## Repository
+
+Source: https://github.com/chitcommit/billy-bullshit
+Runtime: Cloudflare Workers (Hono framework)
+AI: Workers AI (primary) → Anthropic Claude → OpenAI (fallback chain)
+State: KV namespace for conversation history (7-day TTL)
diff --git a/.claude/settings.json b/.claude/settings.json
@@ -0,0 +1,46 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash -c 'echo \"$CLAUDE_TOOL_ARG_FILE_PATH\" | grep -qE \"(package-lock\\.json|pnpm-lock\\.yaml|dist/)\" && echo \"BLOCK: Do not edit generated or lock files\" && exit 1 || exit 0'"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash -c 'echo \"$CLAUDE_TOOL_ARG_COMMAND\" | grep -qE \"rm -rf|git reset --hard|git clean -f\" && echo \"BLOCK: Destructive command — get user confirmation first\" && exit 1 || exit 0'"
+          }
+        ]
+      }
+    ],
+    "PostToolUse": [
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash -c 'echo \"$CLAUDE_TOOL_ARG_FILE_PATH\" | grep -q \"\\.ts$\" && cd \"$(git rev-parse --show-toplevel)\" && npx tsc --noEmit --pretty 2>&1 | head -20 || true'"
+          }
+        ]
+      }
+    ],
+    "Stop": [
+      {
+        "matcher": "",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash -c 'cd \"$(git rev-parse --show-toplevel)\" && git diff --quiet 2>/dev/null || echo \"Note: Uncommitted changes in working tree\"'"
+          }
+        ]
+      }
+    ]
+  }
+}
diff --git a/.claude/skills/billy/SKILL.md b/.claude/skills/billy/SKILL.md
@@ -0,0 +1,46 @@
+---
+name: billy
+description: Send code to Billy Bullshit for a brutally honest review. Use when user says /billy, "ask billy", "billy review", or "get billy's opinion"
+disable-model-invocation: true
+---
+
+# Billy Bullshit Code Review
+
+Send code to Billy Bullshit (billy.chitty.cc) for a brutally honest BS-scored review.
+
+## Usage
+
+- `/billy` — review current git diff
+- `/billy <file-path>` — review a specific file
+- `/billy roast <target>` — roast something
+
+## Steps
+
+### Review mode (default)
+
+1. If a file path is provided as argument, read that file
+2. If no argument, run `git diff HEAD` to get current unstaged changes
+3. If no diff either, ask the user what to review
+4. Check Billy is online: `curl -s https://billy.chitty.cc/health`
+5. POST the code to `https://billy.chitty.cc/review`:
+   ```json
+   {
+     "code": "<content (max 500 lines)>",
+     "language": "typescript",
+     "context": "<filename or 'git diff'>"
+   }
+   ```
+6. Display Billy's full response including BS score and categorized issues
+7. If Billy is offline, report the error — do not substitute your own review
+
+### Roast mode
+
+1. If the first argument is "roast", join remaining args as the target
+2. POST to `https://billy.chitty.cc/roast`:
+   ```json
+   {
+     "target": "<the target>",
+     "context": "chittycan CLI project"
+   }
+   ```
+3. Display Billy's response verbatim
diff --git a/.claude/skills/new-command/SKILL.md b/.claude/skills/new-command/SKILL.md
@@ -0,0 +1,48 @@
+---
+name: new-command
+description: Scaffold a new chittycan CLI command with matching test file. Use when user says /new-command or "create a new command" or "add a command"
+disable-model-invocation: true
+---
+
+# Scaffold New CLI Command
+
+Create a new `can <name>` CLI command following established project patterns.
+
+## Arguments
+
+`/new-command <command-name> <description>`
+
+## Steps
+
+1. **Create command handler** at `src/commands/<name>.ts`:
+   - Export an async handler function named `<name>Command`
+   - Follow the pattern of existing commands (e.g., `src/commands/doctor.ts` for simple commands, `src/commands/sync.ts` for subcommand groups)
+   - Use chalk for terminal output, ora for spinners, inquirer for prompts (lazy-loaded)
+   - Import types from `../types/index.js`
+
+2. **Register in parser** at `src/cli/parser.ts`:
+   - Add import at the top (use `.js` extension: `from "../commands/<name>.js"`)
+   - Add `.command()` call in the yargs chain following the existing pattern
+   - For simple commands: `(yargs) => yargs, async () => { await <name>Command(); }`
+   - For subcommand groups: nest `.command()` calls inside the builder
+
+3. **Create test file** at `tests/<name>.test.ts`:
+   - Use vitest globals (no imports needed for describe/it/expect)
+   - Create a describe block with basic test cases
+   - Test the exported handler function
+   - Mock external dependencies (chalk, inquirer, etc.)
+
+4. **Verify**:
+   - Run `npx tsc --noEmit` to check compilation
+   - Run `npx vitest run tests/<name>.test.ts` to verify tests pass
+
+## Example Output Structure
+
+```typescript
+// src/commands/example.ts
+import chalk from "chalk";
+
+export async function exampleCommand(): Promise<void> {
+  console.log(chalk.green("Example command running"));
+}
+```
diff --git a/.claude/skills/project-conventions/SKILL.md b/.claude/skills/project-conventions/SKILL.md
@@ -0,0 +1,43 @@
+---
+name: project-conventions
+description: Coding conventions and patterns for the chittycan CLI project. Applied automatically when writing code in this project.
+user-invocable: false
+---
+
+# Chittycan Coding Conventions
+
+## Module System
+- ESM (`"type": "module"` in package.json)
+- All imports use `.js` extension in import paths (TypeScript compiles to JS)
+- Lazy-load heavy modules (inquirer, ora) to keep CLI startup fast
+
+## TypeScript
+- Strict mode enabled, target ES2022
+- Path alias: `@/*` → `./src/*`
+- No ESLint or Prettier — typecheck with `tsc --noEmit`
+- Prefer `interface` over `type` for object shapes
+- Export types from `src/types/index.ts`
+
+## Command Pattern
+- Each command group is a file in `src/commands/`
+- Export named async functions (e.g., `export async function doctorCommand()`)
+- Register all commands in `src/cli/parser.ts` using yargs `.command()` API
+- Use chalk for colored output, ora for spinners
+- Lazy-load inquirer: `const inquirer = await import("inquirer")`
+
+## Testing
+- Vitest with globals (no import needed for describe/it/expect)
+- Tests in `tests/` directory, named `<feature>.test.ts`
+- Mock external services (Notion, GitHub, Neon APIs)
+
+## Security
+- Auth token via `CHITTYCAN_TOKEN` env var (legacy: `CHITTY_TOKEN`)
+- Never hardcode secrets — use 1Password (`op run`) for injection
+- Config stored at `~/.config/chittycan/config.json`
+
+## File Organization
+- Commands: `src/commands/` (one file per command group)
+- Libraries: `src/lib/` (shared utilities and API clients)
+- Plugins: `src/plugins/` (integrations by service: ai, chittyos, cloudflare, linear, neon)
+- Types: `src/types/index.ts`
+- MCP: `src/mcp/server.ts`
diff --git a/.claude/skills/security-scan/SKILL.md b/.claude/skills/security-scan/SKILL.md
@@ -0,0 +1,45 @@
+---
+name: security-scan
+description: Run the full chittycan security scan suite. Use when user says /security-scan, "run security scan", "check for secrets", or "security audit"
+disable-model-invocation: true
+---
+
+# Security Scan
+
+Run the complete security scan suite for the chittycan project.
+
+## Steps
+
+1. **Secret detection** — scan source for hardcoded credentials:
+   ```bash
+   npm run security:scan
+   ```
+
+2. **npm audit** — check dependencies for known vulnerabilities:
+   ```bash
+   npm run security:audit
+   ```
+
+3. **Workflow secrets check** — validate CI workflow secret references:
+   ```bash
+   npm run security:workflow
+   ```
+
+4. **Report findings** with severity levels and recommended actions
+
+## What Each Scan Checks
+
+| Scan | Script | Checks For |
+|------|--------|------------|
+| `security:scan` | `scripts/security/scan-secrets.sh` | Hardcoded tokens, API keys, connection strings in source |
+| `security:audit` | `npm audit --audit-level=high` | Known CVEs in npm dependencies |
+| `security:workflow` | `scripts/security/check-workflow-secrets.sh` | Exposed secrets in GitHub Actions workflows |
+
+## Optional: History Scan
+
+To scan git history for previously committed secrets:
+```bash
+npm run security:scan:history
+```
+
+This is slower but catches secrets that were committed and later removed.
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -0,0 +1,104 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code when working with the chittycan CLI.
+
+## Project Overview
+
+**chittycan** (`can`) is the ChittyOS ecosystem CLI — a yargs-based TypeScript CLI that integrates Notion, GitHub, Cloudflare, Neon, and AI services. It also exposes an MCP server for Claude Code integration.
+
+- **Package**: `chittycan` v0.5.x (published to npm)
+- **Entry**: `src/index.ts` → fast-path help/version, then lazy-loads `src/cli/parser.ts`
+- **Binary**: `can` (installed globally via `npm i -g chittycan`)
+- **MCP Server**: `src/mcp/server.ts` (run via `npm run mcp`)
+
+## Commands
+
+```bash
+npm run build          # tsc -p . && copy assets
+npm run dev            # tsc --watch
+npm test               # vitest run
+npm run test:watch     # vitest --watch
+npm run test:coverage  # vitest run --coverage
+npm run lint           # tsc --noEmit (no ESLint configured)
+npm run security:scan  # scan-secrets.sh
+npm run security:audit # npm audit --audit-level=high
+npm run clean          # rm -rf dist
+npm run changeset      # create changeset entry
+```
+
+## Architecture
+
+```text
+src/
+├── index.ts              # Entry: fast-path --help/--version, then lazy-loads parser
+├── cli/
+│   ├── parser.ts         # yargs CLI definition — ALL commands registered here
+│   ├── direct-route.ts   # Direct command routing
+│   └── plugins.ts        # Plugin system loader
+├── commands/             # Command handlers (one file per command group)
+│   ├── chitty.ts         # `can chitty <natural language>` — NLP command interpreter
+│   ├── config.ts         # `can config` — interactive rclone-style config menu
+│   ├── dna.ts            # `can dna` — DNA vault export/import/governance
+│   ├── sync.ts           # `can sync` — Notion↔GitHub sync
+│   ├── connect.ts        # `can connect` — ChittyConnect hub
+│   ├── mcp.ts            # `can mcp` — MCP server management
+│   ├── doctor.ts         # `can doctor` — environment check
+│   └── ...               # 20+ command files
+├── lib/                  # Shared libraries
+│   ├── config.ts         # Config loading/saving (~/.config/chittycan/config.json)
+│   ├── notion.ts         # Notion API client
+│   ├── github.ts         # GitHub/Octokit helpers
+│   ├── stemcell.ts       # Project context brief for AI
+│   ├── dna-vault.ts      # Encrypted DNA vault
+│   └── ...               # Analytics, learning, plugins, workflows
+├── mcp/
+│   └── server.ts         # MCP server using @modelcontextprotocol/sdk
+├── plugins/              # Built-in plugin integrations (ai, chittyos, cloudflare, linear, neon)
+├── types/
+│   └── index.ts          # Shared type definitions
+└── zsh/                  # Shell integration scripts
+```
+
+## Key Patterns
+
+- **Command pattern**: Export handler functions from `src/commands/*.ts`, register in `src/cli/parser.ts` using yargs `.command()` API
+- **Lazy loading**: `src/index.ts` handles `--help`/`--version` without loading yargs; commands imported at top of `parser.ts`
+- **Config**: `~/.config/chittycan/config.json` managed via `src/lib/config.ts` (`loadConfig()`/`saveConfig()`)
+- **Auth token**: `CHITTYCAN_TOKEN` env var (legacy: `CHITTY_TOKEN` still supported)
+- **ESM**: `"type": "module"` — all imports use `.js` extension in compiled output
+- **Path alias**: `@/*` → `./src/*` (tsconfig paths, resolved in vitest via alias)
+
+## Testing
+
+- **Framework**: Vitest with globals enabled (`describe`, `it`, `expect` without imports)
+- **Config**: `vitest.config.ts` at root
+- **Test location**: `tests/` directory (not `src/__tests__/`)
+- **Naming**: `tests/<name>.test.ts`
+- **Run single**: `npx vitest run tests/<name>.test.ts`
+
+## Dependencies
+
+| Package | Purpose |
+|---------|---------|
+| `yargs` | CLI argument parsing and command routing |
+| `@notionhq/client` | Notion API integration |
+| `@octokit/rest` | GitHub API integration |
+| `@neondatabase/serverless` | Neon PostgreSQL queries |
+| `@modelcontextprotocol/sdk` | MCP server implementation |
+| `inquirer` | Interactive prompts |
+| `chalk` | Terminal colors |
+| `ora` | Spinners |
+| `fs-extra` | File operations |
+
+## CI/CD
+
+- **ci.yml**: Build + test + lint on push/PR
+- **publish.yml**: npm publish on release
+- **parity-tests.yml**: Cross-language parity tests (Node + Python)
+
+## Security
+
+- Never hardcode tokens or secrets
+- Use `CHITTYCAN_TOKEN` env var for authentication
+- Security scan scripts in `scripts/security/`
+- Secrets injected via 1Password (`op run`)