fix: repair main CI validation install

Author: shadowdevcode

.gitignore

@@ -80,6 +80,7 @@ posthog/
 # Secrets (paranoid mode - never commit these)
 *secret*
 *SECRET*
+!scripts/lib/check-secrets.js
 *credentials*
 *CREDENTIALS*
 *.key

README.md

@@ -133,7 +133,7 @@ If Linear is unavailable, the Linear utility command should fail explicitly. The
 3. **Run commands sequentially** — pass the command file from [`commands/`](commands/) to Claude Code (e.g., paste `commands/create-issue.md` content and follow it)
 4. **Read the knowledge base first** — every command in the pipeline reads all files in [`knowledge/`](knowledge/) before generating output to avoid repeating past mistakes
 5. **Track gates, not just progress** — check `project-state.md` after each command; blocked = do not proceed
-6. **Validate repo changes** — run `bun run validate` from the repo root before accepting agent work
+6. **Validate repo changes** — run `bun install` and `bun run validate` from the repo root before accepting agent work
 
 **Default tech stack** (used across all apps):
 
@@ -146,9 +146,9 @@ If Linear is unavailable, the Linear utility command should fail explicitly. The
 **Environment setup per app:**
 
 ```bash
+bun install
 cd apps/[project-name]
 cp .env.local.example .env.local   # fill in your keys
-bun install
 bun run dev
 ```
 

apps/clarity/package.json

@@ -16,6 +16,7 @@
     "@neondatabase/serverless": "^0.10.4",
     "@prisma/adapter-neon": "^6.4.1",
     "@prisma/client": "^6.4.1",
+    "@supabase/supabase-js": "^2.105.1",
     "framer-motion": "^12.35.2",
     "lucide-react": "^0.577.0",
     "next": "16.1.6",

apps/clarity/src/components/TaskBoard.tsx

@@ -111,14 +111,14 @@ export default function TaskBoard() {
     }
   };
 
-  const markDone = async (task: Task) => {
+  const markDone = async (task: Task, completedAtMs: number) => {
     // Optimistic UI
     setTasks((prev) => prev.filter((t) => t.id !== task.id));
 
     posthog?.capture('task_completed', {
       task_id: task.id,
       category: task.category,
-      time_since_creation: Date.now() - new Date(task.created_at).getTime(),
+      time_since_creation: completedAtMs - new Date(task.created_at).getTime(),
     });
 
     try {
@@ -235,7 +235,7 @@ export default function TaskBoard() {
                         >
                           <div className="flex gap-3">
                             <button
-                              onClick={() => markDone(task)}
+                              onClick={() => markDone(task, Date.now())}
                               className="mt-0.5 text-neutral-600 hover:text-emerald-400 transition-colors flex-shrink-0"
                             >
                               <CheckCircle2 className="w-5 h-5" />

bun.lock

@@ -3,6 +3,10 @@
   "version": "1.0.0",
   "private": true,
   "description": "AI Product Operating System — command-driven development framework with specialized AI agents",
+  "workspaces": [
+    "apps/clarity",
+    "apps/research-copilot"
+  ],
   "scripts": {
     "prepare": "husky",
     "lint": "bun run --cwd apps/clarity lint",

package.json

@@ -0,0 +1,116 @@
+#!/usr/bin/env node
+
+/**
+ * Pre-commit hook: Scan staged files for secrets.
+ * Catches API keys, tokens, passwords, and connection strings
+ * that .gitignore might miss (e.g., hardcoded in source files).
+ */
+
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+
+const CONFIG = {
+  patterns: [
+    // Generic secrets
+    { regex: /(?:api[_-]?key|apikey)\s*[:=]\s*['"][A-Za-z0-9_\-]{20,}['"]/gi, label: 'API key' },
+    { regex: /(?:secret|token)\s*[:=]\s*['"][A-Za-z0-9_\-]{20,}['"]/gi, label: 'Secret/Token' },
+    { regex: /(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{8,}['"]/gi, label: 'Password' },
+
+    // Supabase
+    { regex: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[A-Za-z0-9_-]+/g, label: 'Supabase JWT' },
+    { regex: /sbp_[a-f0-9]{40}/g, label: 'Supabase service key' },
+
+    // PostHog
+    { regex: /phc_[A-Za-z0-9]{30,}/g, label: 'PostHog API key' },
+
+    // Google / Gemini
+    { regex: /AIza[A-Za-z0-9_\\-]{35}/g, label: 'Google API key' },
+
+    // Neon DB
+    { regex: /postgresql:\/\/[^:]+:[^@]+@[^/]+/g, label: 'Database connection string' },
+
+    // Private keys
+    { regex: /-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----/g, label: 'Private key' },
+
+    // Generic high-entropy strings (base64, 40+ chars assigned to suspect vars)
+    { regex: /(?:SUPABASE|POSTHOG|NEON|GEMINI|GOOGLE)[_A-Z]*\s*=\s*['"]?[A-Za-z0-9+/=_\-]{30,}['"]?/g, label: 'Environment variable with secret' },
+  ],
+  allowlistPaths: [
+    '.env.example',
+    '.env.local.example',
+    'scripts/lib/check-secrets.js', // This file contains regex patterns, not real secrets
+  ],
+};
+
+function getStagedFiles() {
+  try {
+    const output = execSync('git diff --cached --name-only --diff-filter=ACMR', {
+      encoding: 'utf8',
+    });
+    return output.trim().split('\n').filter(Boolean);
+  } catch {
+    return [];
+  }
+}
+
+function checkFile(filePath) {
+  const violations = [];
+
+  if (CONFIG.allowlistPaths.some((allowed) => filePath.endsWith(allowed))) {
+    return violations;
+  }
+
+  // Skip binary files
+  const ext = path.extname(filePath).toLowerCase();
+  if (['.png', '.jpg', '.jpeg', '.gif', '.ico', '.woff', '.woff2', '.ttf', '.eot'].includes(ext)) {
+    return violations;
+  }
+
+  try {
+    const content = fs.readFileSync(filePath, 'utf8');
+    const lines = content.split('\n');
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      for (const pattern of CONFIG.patterns) {
+        if (pattern.regex.test(line)) {
+          violations.push({
+            file: filePath,
+            line: i + 1,
+            label: pattern.label,
+            snippet: line.trim().substring(0, 80),
+          });
+          // Reset regex lastIndex for global patterns
+          pattern.regex.lastIndex = 0;
+        }
+      }
+    }
+  } catch {
+    // Skip unreadable files
+  }
+
+  return violations;
+}
+
+// Main
+const files = getStagedFiles();
+const allViolations = [];
+
+for (const file of files) {
+  allViolations.push(...checkFile(file));
+}
+
+if (allViolations.length > 0) {
+  console.error('\n🔐 SECRET SCANNING FAILED\n');
+  console.error('The following staged files appear to contain secrets:\n');
+  for (const v of allViolations) {
+    console.error(`  ${v.file}:${v.line} — ${v.label}`);
+    console.error(`    ${v.snippet}\n`);
+  }
+  console.error('Remove the secrets and use environment variables instead.');
+  console.error('If this is a false positive, add the file to CONFIG.allowlistPaths in scripts/lib/check-secrets.js\n');
+  process.exit(1);
+}
+
+console.log('✓ Secret scan passed');