chore: compliance gaps, security, and quality improvements

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,39 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '20 20 * * 4'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v3
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3

.tasks.jsonl

@@ -0,0 +1 @@
+{"id":"uYIf5fCu","description":"Bring the repo into compliance with AGENTS.md and project standards","stage":"in-progress","createdAt":"2026-03-07T04:02:50.599Z","updatedAt":"2026-03-07T04:02:50.599Z"}

AGENTS.md

@@ -38,7 +38,7 @@ Source: github:metyatech/agent-rules@HEAD/rules/global/agent-rules-composition.m
 
 Source: github:metyatech/agent-rules@HEAD/rules/global/autonomous-operations.md
 
-# Autonomous operations
+# Autonomous operations
 
 - Optimize for minimal human effort; default to automation over manual steps.
 - Drive work from the desired outcome: choose the highest-quality safe path and execute end-to-end.
@@ -48,21 +48,24 @@ Source: github:metyatech/agent-rules@HEAD/rules/global/autonomous-operations.md
 - No backward compatibility unless requested; no legacy aliases, shims, or temporary fallback behavior.
 - Proactively fix rule gaps, redundancy, or misplacement; regenerate AGENTS.md without waiting.
 - Self-evaluate continuously; fix rule/skill gaps immediately on discovery. In delegated mode, include improvement suggestions in the task result.
-- On user-reported failures: treat as systemic — fix, update rules, check for same pattern elsewhere, in one action.
+- On user-reported failures: treat as systemic - fix, update rules, check for same pattern elsewhere, in one action.
 - Session memory resets; use rule files as persistent memory. Never write to platform-specific local memory files; all persistent behavioral knowledge MUST live in agent rules.
 - Rules are source of truth; update conflicting repos to comply or encode the exception.
 - Investigate unclear items before proceeding; no assumptions without approval. Make scope/risk/cost/irreversibility decisions explicit.
 
+## Autonomous task resolution
+
+- If a verification step (e.g., `npm run verify`, `npm audit`) fails due to known security vulnerabilities, attempt to fix them automatically (e.g., `npm audit fix`). If the fix is successful and verification passes, commit and push the changes to the PR branch.
+- If a task is stuck or constantly failing due to quota limits (429 errors), ensure the task state is correctly updated in `task-tracker` so it can resume from the last successful stage in the next execution cycle.
+- Do not remain idle on a failing PR if a known automated fix exists.
+
 Source: github:metyatech/agent-rules@HEAD/rules/global/command-execution.md
 
 # Workflow and command execution
-
 ## MCP server setup verification
-
 - After adding or modifying an MCP server configuration, immediately verify connectivity using the platform's MCP health check and confirm the server is connected.
 - If a configured MCP server fails to connect, diagnose and fix before proceeding. Do not silently fall back to alternative tools without reporting the degradation.
 - At session start, if expected MCP tools are absent from the available tool set, verify MCP server health and report/fix connection failures before continuing.
-
 - Do not add wrappers or pipes to commands unless the user explicitly asks.
 - Prefer repository-standard scripts/commands (package.json scripts, README instructions).
 - Reproduce reported command issues by running the same command (or closest equivalent) before proposing fixes.
@@ -72,16 +75,16 @@ Source: github:metyatech/agent-rules@HEAD/rules/global/command-execution.md
 - If no branch is specified, work on the current branch; direct commits to main/master are allowed.
 - Do not assume agent platform capabilities beyond what is available; fail explicitly when unavailable.
 - When building a CLI, follow standard conventions: --help/-h, --version/-V, stdin/stdout piping, --json output, --dry-run for mutations, deterministic exit codes, and JSON Schema config validation.
-
+## Codex-only PowerShell safety
+- `Remove-Item` (aliases: `rm`, `ri`, `del`, `erase`) → Use: `if ([IO.File]::Exists($p)) { [IO.File]::SetAttributes($p,[IO.FileAttributes]::Normal); [IO.File]::Delete($p) }`
+- `Remove-Item -Recurse` (aliases: `rmdir`, `rd`) → Use: `if ([IO.Directory]::Exists($d)) { [IO.File]::SetAttributes($d,[IO.FileAttributes]::Normal); foreach ($e in [IO.Directory]::EnumerateFileSystemEntries($d,'*',[IO.SearchOption]::AllDirectories)) { [IO.File]::SetAttributes($e,[IO.FileAttributes]::Normal) }; [IO.Directory]::Delete($d,$true) }`
+- In PowerShell, use `;` for sequential command chaining; never use `&&` or `||` as control-flow operators.
 ## Post-change deployment
-
-After modifying code, check whether deployment steps beyond commit/push are needed before concluding.
-
+- After modifying code, check whether deployment steps beyond commit/push are needed before concluding.
 - If the repo is globally linked (`npm ls -g` shows `->` to local path), rebuild and verify the global binary is functional.
 - If the repo powers a running service, daemon, or scheduled task, rebuild, restart, and verify with deterministic evidence.
 - Do not claim completion until the running instance reflects the changes.
-
-Detection and verification procedures are in the `post-deploy` skill.
+- Detection and verification procedures are in the `post-deploy` skill.
 
 Source: github:metyatech/agent-rules@HEAD/rules/global/implementation-and-coding-standards.md
 
@@ -163,6 +166,7 @@ Source: github:metyatech/agent-rules@HEAD/rules/global/planning-and-approval-gat
 - If state-changing work starts without required "yes", stop immediately, report the gate miss, and restart from the approval gate.
 - No bypass exceptions: "skip planning/just do it" means move quickly through the gate, not around it.
 - **Blanket approval**: broad directives (e.g., "fix everything") cover all in-scope follow-up; re-request only for out-of-scope expansion.
+- For user-owned publishable packages, explicit requests such as "commit & push" or "complete this fix" include approval for the release/publish chain when release is the normal completion path, unless the user explicitly limits scope.
 
 Reviewer proxy approval procedures are in the `autonomous-orchestrator` skill.
 
@@ -204,6 +208,7 @@ Source: github:metyatech/agent-rules@HEAD/rules/global/release-and-publication.m
 - Verify published packages resolve and run correctly before reporting done.
 - For public repos, set GitHub Description, Topics, and Homepage. Assign topics from the standard set defined in the `release-publish` skill.
 - Before reporting a publishable-package change as complete, verify the full delivery chain (commit → push → version bump → release → publish → install verify). Procedures in the `release-publish` skill.
+- For user-owned publishable packages, when the user asks to commit/push or finalize a fix, treat release/publish as in-scope follow-up by default and execute the full delivery chain unless the user explicitly opts out.
 
 Source: github:metyatech/agent-rules@HEAD/rules/global/skill-authoring.md
 

README.md

@@ -24,6 +24,15 @@ Returns APPROVE or FLAG with specific concerns.
 npx skills add metyatech/skill-user-proxy --yes --global
 ```
 
+## Testing and Examples
+
+See the [tests/](tests/) directory for examples of:
+
+- **Good plans**: That meet all criteria and are APPROVED.
+- **Bad plans**: That fail criteria (missing verification, known error patterns) and are FLAGed.
+
+Use these examples to verify your reviews and maintain high standards.
+
 ## License
 
 MIT

tests/README.md

@@ -0,0 +1,16 @@
+# Skill tests and examples
+
+This directory contains examples of work plans and their review results using `skill-user-proxy`.
+
+## Structure
+
+- `examples/good-plan.md`: A plan that meets all criteria and is APPROVED.
+- `examples/bad-plan.md`: A plan that fails criteria (missing verification, known error patterns) and is FLAGed.
+
+## How to use
+
+When reviewing an agent's plan or work output, compare it against these examples to ensure consistent and high-quality reviews.
+
+- **Completeness**: Ensure all aspects are addressed.
+- **Thoroughness**: Ensure claims are evidence-backed and AC is binary/testable.
+- **Known error patterns**: Check for common mistakes (shallow analysis, missing post-deployment, etc.).

tests/examples/bad-plan.md

@@ -0,0 +1,24 @@
+# Example bad plan
+
+## Objective
+
+Fix a bug in `index.js`.
+
+## Plan
+
+1. Read `index.js`.
+2. Edit `index.js` to fix the bug.
+3. Report completion.
+
+## Review Results (skill-user-proxy)
+
+- **Completeness**: No. Missing verification steps (tests/manual check).
+- **Thoroughness**: Surface-level plan.
+- **Known error patterns**:
+  - **Shallow analysis**: Declaring work "complete" without evidence.
+  - **Missing post-deployment**: If `index.js` is part of a globally linked package, it needs a rebuild/restart check.
+
+**Decision**: FLAG
+
+- **Concern**: The plan lacks any verification steps (e.g., running tests or manual verification) to ensure the bug is actually fixed.
+- **Concern**: No mention of post-deployment steps if this is a globally linked tool.

tests/examples/good-plan.md

@@ -0,0 +1,23 @@
+# Example good plan
+
+## Objective
+
+Update the README with installation instructions.
+
+## Plan
+
+1. Read `README.md`.
+2. Update `README.md` with `npx skills add metyatech/skill-user-proxy` command.
+3. Verify the content of `README.md`.
+
+## Acceptance Criteria
+
+- README.md has the installation section. (PASS)
+
+## Review Results (skill-user-proxy)
+
+- **Completeness**: Yes. Covers reading, updating, and verifying.
+- **Thoroughness**: Yes. AC is binary and testable.
+- **Known error patterns**: None.
+
+**Decision**: APPROVE